Recent observations by cybersecurity analysts reveal a concerning trend in the field of cybersecurity: the emergence of a new phishing-as-a-service (PhaaS) platform dubbed "Tycoon 2FA."
This tool is strategically designed to target high-value Microsoft 365 and Gmail accounts while circumventing two-factor authentication (2FA) safeguards.
Origin and Modus Operandi of Tycoon 2FA
(Photo : Ed Hardie from Unsplash)
A group of cybersecurity researchers discovered that some cybercriminals thrive in bypassing 2FA protection through "Tycoon 2FA," a new PhaaS platform.
Initially detected by Sekoia analysts in October 2023 during routine threat monitoring activities, Tycoon 2FA has been operational since at least August 2023.
Primarily disseminated through private Telegram channels by the Saad Tycoon group, this malicious kit has quickly gained traction among cybercriminal circles.
The phishing platform operates through a complex, multi-stage process aimed at stealing session cookies and exploiting them to bypass MFA mechanisms.
Leveraging a reverse proxy server hosting phishing web pages, the attacker intercepts victim inputs, facilitating the capture of session cookies upon successful authentication. This allows the threat actor to replay user sessions and execute phishing attacks with alarming efficiency.
Related Article: New AI System Protects Against Phishing Scams and Cyber Threats
Seven Stages of Attack
Sekoia's comprehensive report outlines the involvement of Tycoon 2FA attacks, delineating seven distinct stages:
- Distribution: Malicious links are disseminated via emails or QR codes, enticing victims to access phishing pages.
- Security Challenge: A Cloudflare Turnstile challenge filters out bots, ensuring human interaction.
- Email Extraction: Background scripts extract victim emails to customize the attack.
- Redirection: Victims are quietly redirected to the fake login page.
- Credential Theft: A fake Microsoft login page steals credentials using WebSockets for data exfiltration.
- 2FA Mimicry: The kit simulates a 2FA challenge to intercept tokens or responses, bypassing security measures.
- Concealment: Victims are directed to a legitimate-looking page, concealing the success of the phishing attack.
Enhancements and Scale
Recent iterations of Tycoon 2FA boast significant enhancements to evasion and phishing capabilities.
JavaScript and HTML code updates, resource retrieval order alterations, and advanced traffic filtering mechanisms contribute to its sophistication. Furthermore, evidence suggests widespread adoption among cybercriminals, with over 1,800 transactions recorded in the associated Bitcoin wallet since October 2019, per Bleeping Computer.
The emergence of Tycoon 2FA could mean that cybercriminals will not stop from propagating new forms of attacks to the PhaaS landscape. This could be a sign that organizations need to step up their cybersecurity prowess in maintaining security and safety on online platforms.
In other news, Tech Times reported that the UK went on full alert after accusing the hackers behind the two cyberattacks against Parliament.
According to Oliver Dowden, the Deputy Prime Minister of Britain, the previous attacks were carried out by China-sponsored threat actors. The two campaigns took place in 2021 and 2022.
With regards to these allegations, a representative of the Chinese Embassy refuted the claims. The person said that they were all untrue, stating that the UK has no strong evidence for the attacks.
Read Also: Free Telegram Premium? Peer-to-Peer Login Program Offers It, But There's a Catch
