Tycoon 2FA - The Criminals' Favorite Platform for MFA Theft
Phishing-as-a-Service Platform Lets Hackers Impersonate More Than 1,100 Domains
A phishing-as-a-service platform that allows cybercriminals to impersonate more than 1,100 domains has over the past half year become one of the most widespread adversary-in-the-middle platforms.
Cybersecurity firm Sekoia.io in a Monday post said the platform, Tycoon 2FA, advertises "ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates, starting at $120 for 10 days." Publicly advertised prices on services such as Telegram go up to $320, depending on the impersonated domain.
Attackers are responding to the spread of multifactor authentication - a basic control that makes it harder for hackers to take over online accounts - with tools such as Tycoon 2FA. Hackers use them to lure victims into clicking a malicious link that leads to a fake login page and then a fake MFA prompt. Because the kit sits between the victim and the real service, relaying each step as the victim completes it, the attacker captures not only the credentials but also the authenticated session cookie, which can then be replayed without triggering a fresh MFA challenge.
Analysis of a bitcoin wallet apparently belonging to Tycoon 2FA developers shows about 700 transactions with an average value of $366. The service makes significant money, said Sekoia, but it also has substantial costs, including domain registration, server hosting and possibly phishing page protection using Cloudflare.
The service uses CAPTCHA alternative Cloudflare Turnstile to protect phishing sites from bot traffic.
Sekoia's report outlines seven distinct stages of the attack:
- Stage 0: Malicious links are distributed via emails or QR codes.
- Stage 1: A security challenge filters out bots, enabling human interactions to proceed.
- Stage 2: Background scripts extract victim emails to customize attacks.
- Stage 3: Users are redirected to the fake login page.
- Stage 4: A counterfeit login page uses WebSockets to exfiltrate credentials.
- Stage 5: Mimicked 2FA challenges intercept tokens to bypass security.
- Stage 6: Victims are directed to a legitimate-looking page, concealing the phishing attack's success.
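The seven stages above end with the attacker holding a session cookie that the identity provider already regards as MFA-satisfied. Seen from the defender's side, the tell-tale sign is that same session turning up from a different network shortly afterwards with no new MFA event. The script below is an added illustration written for this page, not Sekoia's detection logic or any code from the Tycoon 2FA kit: it runs a replay heuristic over constructed sign-in records. The field names, the one-hour window and every IP, user and session value are assumptions chosen for the example.

```python
"""Flag possible AiTM session-cookie replay in sign-in telemetry.

Heuristic (an assumption for this example, not a published rule): a session
that satisfied MFA once and is then used from a different source IP within a
short window, without a fresh MFA event, looks like a captured cookie being
replayed. A changed User-Agent raises confidence but is not required.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed tuning value; AiTM operators usually replay quickly, but one hour is
# a guess for illustration, not a measured figure.
REPLAY_WINDOW = timedelta(hours=1)

# Constructed sample sign-in records, not real telemetry. The field names are
# assumptions for this example; map them onto your IdP's own log schema.
SAMPLE_EVENTS = [
    # s-1: victim completes MFA through the AiTM proxy (the IdP sees the
    # proxy's IP), then the captured cookie is replayed from elsewhere.
    {"ts": "2024-03-25T09:00:05Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.10", "ua": "Chrome/122 Windows", "mfa": True},
    {"ts": "2024-03-25T09:07:40Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.77", "ua": "Firefox/123 Linux", "mfa": False},
    # s-2: ordinary activity, same IP and browser throughout.
    {"ts": "2024-03-25T10:00:00Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.5", "ua": "Chrome/122 Windows", "mfa": True},
    {"ts": "2024-03-25T10:30:00Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.5", "ua": "Chrome/122 Windows", "mfa": False},
    # s-3: IP changes, but the new location completes its own MFA, so it is
    # not treated as a replay.
    {"ts": "2024-03-25T11:00:00Z", "user": "carol@example.com", "session_id": "s-3",
     "ip": "192.0.2.9", "ua": "Safari/17 macOS", "mfa": True},
    {"ts": "2024-03-25T11:20:00Z", "user": "carol@example.com", "session_id": "s-3",
     "ip": "203.0.113.44", "ua": "Safari/17 macOS", "mfa": True},
    # s-4: IP changes without MFA, but a day later, outside the window.
    {"ts": "2024-03-25T12:00:00Z", "user": "dave@example.com", "session_id": "s-4",
     "ip": "192.0.2.20", "ua": "Edge/122 Windows", "mfa": True},
    {"ts": "2024-03-26T12:00:00Z", "user": "dave@example.com", "session_id": "s-4",
     "ip": "198.51.100.9", "ua": "Edge/122 Windows", "mfa": False},
]


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return one alert per session that matches the replay heuristic."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: parse_ts(e["ts"]))
        # The first MFA-satisfied event anchors the session's trusted origin.
        anchor = next((e for e in session_events if e["mfa"]), None)
        if anchor is None:
            continue
        t0 = parse_ts(anchor["ts"])
        for event in session_events:
            t = parse_ts(event["ts"])
            if t <= t0 or event["mfa"]:
                continue  # earlier than the anchor, or a fresh MFA: not a replay
            if event["ip"] == anchor["ip"] or t - t0 > window:
                continue  # same network, or too long after capture to fit the pattern
            reasons = ["ip_changed"]
            if event["ua"] != anchor["ua"]:
                reasons.append("ua_changed")
            alerts.append({
                "user": event["user"],
                "session_id": session_id,
                "mfa_ip": anchor["ip"],
                "replay_ip": event["ip"],
                "minutes_after_mfa": int((t - t0).total_seconds()) // 60,
                "reasons": reasons,
            })
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

The reason the IP comparison works at all is that the identity provider never sees the victim's own address during the phish: the MFA-satisfied sign-in arrives from the proxy, so any later use of that session from a second address is suspect. The same property is why origin-bound authenticators such as FIDO2/WebAuthn resist this class of kit: the credential is bound to the real site's origin, so a relay on a look-alike domain cannot complete the challenge even if it captures everything the user types.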
Updates made to Tycoon 2FA in February broadened its traffic filtering and refined its stealth tactics to evade detection. The changes include alterations to the kit's JavaScript and HTML, splitting the JavaScript delivery into separate stages that handle the 2FA flow and the data transmission, and new logic to recognize and sidestep traffic patterns that would otherwise expose it.
The Tycoon 2FA phishing kit uses sophisticated techniques and has potential links to other established phishing platforms. "We anticipate the Tycoon 2FA PhaaS to remain a prominent threat within the AiTM phishing market in 2024," said Sekoia.