Cyber criminals are increasingly turning to a new phishing service called 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and get past two-factor authentication (2FA) protection.
Analysts stumbled upon Tycoon 2FA in October 2023 while conducting their regular threat hunting. However, it's been operational since at least August 2023, when the Saad Tycoon group began offering it through private Telegram channels.
This phishing service shares similarities with other platforms like Dadsec OTT, indicating potential code sharing or collaboration among developers.
In 2024, Tycoon 2FA launched a newer, more discreet version, showing an ongoing commitment to enhancing the kit's effectiveness. As of now, the service operates with 1,100 domains and has been detected in thousands of phishing attempts.
Tycoon 2FA attacks
Tycoon 2FA attacks follow a multi-step process in which cyber criminals steal session cookies using a reverse proxy server that hosts a phishing webpage. The proxy intercepts everything the victim types, forwards it to the legitimate service and relays the service's responses back, so the login appears to work normally.
Once the user finishes the MFA challenge and authentication is confirmed, the middle server grabs session cookies. This allows the attacker to replay the user's session and bypass multi-factor authentication (MFA) measures.
A report by Sekoia outlines the attacks in seven clear stages:
Stage 0: Attackers distribute harmful links through emails or QR codes, luring victims to phishing pages.
Stage 1: A security challenge (Cloudflare Turnstile) sifts out bots, letting only human interactions proceed to the fake phishing site.
Stage 2: Background scripts extract the victim's email from the URL to customise the phishing attempt.
Stage 3: Users are redirected quietly to another section of the phishing site, getting them closer to the fake login page.
Stage 4: A fake Microsoft login page appears to steal credentials, using WebSockets to syphon data.
Stage 5: The kit imitates a 2FA challenge, intercepting the 2FA token or response to bypass security.
Stage 6: Finally, victims end up on a realistic-looking page, hiding the success of the phishing attack.
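The end goal of the flow above is a session cookie that the attacker replays from their own infrastructure. The following is an added example, not code from the Sekoia report or from the kit, showing one defensive heuristic over constructed sign-in telemetry: flag a session cookie that is presented from a different source IP or browser than the one that passed MFA shortly before. The event fields, IP addresses and user agents are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str   # identifier of the session cookie presented
    src_ip: str
    user_agent: str
    event: str        # "mfa_success" or "session_use"

# Constructed sample telemetry (not real logs). alice completes MFA, then her
# session cookie is presented minutes later from another address and browser,
# which is what a replayed cookie stolen by a reverse proxy looks like to the IdP.
_T0 = datetime(2024, 3, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    SignInEvent(_T0, "alice@example.com", "sess-A1", "203.0.113.10", "Edge/122", "mfa_success"),
    SignInEvent(_T0 + timedelta(minutes=1), "alice@example.com", "sess-A1", "203.0.113.10", "Edge/122", "session_use"),
    SignInEvent(_T0 + timedelta(minutes=6), "alice@example.com", "sess-A1", "198.51.100.7", "Chrome/121", "session_use"),
    SignInEvent(_T0 + timedelta(minutes=20), "alice@example.com", "sess-A1", "198.51.100.7", "Chrome/121", "session_use"),
    SignInEvent(_T0, "bob@example.com", "sess-B9", "192.0.2.44", "Firefox/123", "mfa_success"),
    SignInEvent(_T0 + timedelta(minutes=3), "bob@example.com", "sess-B9", "192.0.2.44", "Firefox/123", "session_use"),
]

def find_replayed_sessions(events, window=timedelta(hours=2)):
    """Return one (user, session_id, auth_ip, replay_ip) tuple per session cookie
    that is presented from a different IP or user agent than the one that passed
    MFA, within `window` of the MFA success. In a reverse-proxy attack the MFA
    event itself carries the proxy's address, so in production pair this with a
    baseline of each user's usual addresses rather than relying on it alone."""
    mfa_by_session = {}
    seen = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "mfa_success":
            mfa_by_session[e.session_id] = e
            continue
        auth = mfa_by_session.get(e.session_id)
        if auth is None or e.ts - auth.ts > window:
            continue
        if (e.src_ip, e.user_agent) == (auth.src_ip, auth.user_agent):
            continue  # same device that authenticated; nothing unusual
        key = (e.session_id, e.src_ip)
        if key not in seen:  # report each new source once per session
            seen.add(key)
            alerts.append((e.user, e.session_id, auth.src_ip, e.src_ip))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible session replay:", alert)
```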
Evolution and scale
There are reports that the latest version of the Tycoon 2FA phishing kit, which was released this year, has made significant improvements to its phishing and evasion techniques.
These changes include updates to the JavaScript and HTML code, adjustments in the sequence of resource retrieval, and stronger filtering to block traffic from bots and analytical tools.
For instance, the kit now waits to load harmful resources until after the Cloudflare Turnstile challenge is resolved, and it uses random names for URLs to conceal its actions.
Additionally, it has become better at identifying Tor network traffic or IP addresses associated with data centres, and it rejects traffic based on specific user-agent strings.
In terms of scale, it has been reported that the use of Tycoon 2FA is widespread, with evidence suggesting a large number of cyber criminals are currently using it for phishing activities.
The Bitcoin wallet connected to the operators has seen over 1,800 transactions since October 2019, with a noticeable increase starting in August 2023 when the kit was launched.
More than 530 transactions were over £94, which is the price for a 10-day phishing link. By mid-March 2024, the wallet had received a total of around £311,882 worth of cryptocurrency.
Tycoon 2FA is just one of the many options available to cyber criminals in the phishing-as-a-service (PhaaS) space. Other notable platforms capable of bypassing 2FA protections include LabHost, Greatness, and Robin Banks.
To Sum Up
Human error is the biggest obstacle with regard to social engineering attacks; regular training, education and scenario-based campaigns aim to increase employee awareness and understanding of the potential impact such attacks would cause. Cybaverse are highly skilled in performing quality phishing campaigns to promote awareness and understanding of how these attacks occur. Users are the last line of defence in any organisation, and ensuring they can recognise these attacks is a vital step in securing your organisation. Cybaverse will work with you to understand which campaign would be most useful to educate your staff and best mitigate future attacks. To see the services Cybaverse provide, click here.