Tycoon 2FA, the popular phishing kit built to bypass Microsoft and Gmail security protections, just got a major upgrade — and it’s now even harder to detect


Tycoon 2FA, a popular phishing-as-a-service (PhaaS) platform responsible for thousands of attacks on Microsoft 365 and Gmail accounts, has just become even harder to detect.

The phishing toolkit has been active since at least August 2023, according to research from security SaaS company Sekoia, which uncovered the PhaaS in October 2023.

Tycoon 2FA is an adversary-in-the-middle (AitM) phishing kit that predominantly targets Microsoft 365 accounts. It does not break MFA itself: it relays the victim's credentials and MFA response to the legitimate service and harvests the session cookie issued afterwards, which grants access to the account without a further MFA prompt.

On 25 March 2024, Sekoia released research indicating the group had released a new version of its phishing kit that boasts better detection evasion capabilities. 

The main changes are to the kit's JavaScript and HTML code, and to its ability to recognize and reject traffic associated with analysis environments, such as requests from IP addresses hosted in data centers or linked to the Tor network.

The kit has also been updated to reject traffic carrying specific user-agent strings, as well as traffic from some versions of Linux web browsers. A practical consequence for defenders is that a URL detonated from a cloud-hosted sandbox, or opened from a Linux analyst workstation, may be served nothing suspicious, so a clean automated scan is not evidence that a suspected link is benign.

The report claims tracking the activities of Tycoon 2FA has become far more difficult after the group enhanced its stealth capabilities.

“The recent updates could reduce the detection rate by security products of the Tycoon 2FA phishing pages and the infrastructure. Additionally, its ease of use and its relatively low price make it quite popular among threat actors.”

A typical Tycoon 2FA attack

Sekoia broke down a typical phishing attack using Tycoon 2FA into the following stages. 

Stage 0 involves the distribution of phishing links using URL redirects and QR codes embedded in the body of an email or its attachments. The service provides hackers with templates of phishing attachments as well as pre-made decoy documents.

Stage 1 consists of a Cloudflare Turnstile challenge, which filters out bots and other unwanted traffic before it reaches the phishing page. Stage 2 runs JavaScript that redirects the user to another page and extracts the victim's email address.

At stage 3, victims are redirected once more, and stage 4 presents them with a fake Microsoft authentication login page that uses WebSockets to send the entered credentials to the attacker.

Stage 5 is where the fake page presents the 2FA challenge. The challenge itself is genuine: the kit relays the victim's inputs to the legitimate Microsoft authentication API, which responds as it would to a normal login, and the responses are passed back to the victim.

Because the kit sits between the victim and Microsoft, the attacker's C2 server also receives the session cookie Microsoft issues once MFA succeeds. That cookie can be replayed from the attacker's own browser to access the account without triggering MFA again, for as long as the session remains valid, which is why remediation has to revoke the user's active sessions and not only reset the password.

“This 2FA relaying capability is the core feature of an AiTM phishing kit, aiming at intercepting login details during a legitimate session-based authentication between the victim and the legitimate service.”

The final stage involves redirecting the victim to a URL specified by the threat actor, which Sekoia found was often to legitimate, or legitimate-looking pages, hoping that they will not suspect the previous page was malicious.
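The relay in stages 4 to 6 is easiest to see with both sides of the exchange in one place. The following is an added example written for this page; it is not Tycoon 2FA code and not part of Sekoia's research. The identity provider, the user, the TOTP secret, the origins and the session cookie are all constructed for the script, and nothing is sent over a network. The TOTP routine follows RFC 6238 so it can be checked against the RFC's published test vectors. The last function goes beyond what the article describes: it runs the same relay against a second factor bound to the browser's origin (a WebAuthn-style assertion, stood in for by an HMAC) to show which kind of MFA the relay cannot pass through.

```python
"""Simulation of an adversary-in-the-middle (AitM) credential and MFA relay.

Added example, not Tycoon 2FA code. Everything here is constructed: the
identity provider, the user, the secret and the origins are toys, and no
network traffic is sent.
"""
import hashlib
import hmac
import secrets
import struct
import time

LEGIT_ORIGIN = "https://login.example-idp.test"          # constructed stand-in for the real IdP
PHISH_ORIGIN = "https://login.example-idp-secure.test"   # constructed lookalike the victim is on


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1 over the 30 s counter), as the victim's authenticator app computes it."""
    counter = struct.pack(">Q", int((time.time() if t is None else t) // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    """Toy IdP: password plus TOTP, then a bearer session cookie. It only ever sees the kit's requests."""

    def __init__(self):
        self.users = {"alice@example.test": {"password": b"correct horse",
                                             "totp_secret": b"12345678901234567890"}}
        self.sessions = {}

    def login(self, username, password, code, now=None):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password.encode()):
            return None
        if not hmac.compare_digest(totp(user["totp_secret"], now).encode(), code.encode()):
            return None
        cookie = secrets.token_hex(16)       # bearer token: whoever presents it is the user
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitMKit:
    """The relay. Whatever the victim submits on the phishing page is forwarded verbatim to the real
    IdP; the kit never has to break the password or the OTP, only to pass them through in time."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []                   # what the C2 side keeps: (username, session cookie)

    def victim_submits(self, username, password, code, now=None):
        cookie = self.idp.login(username, password, code, now)
        if cookie is not None:
            self.captured.append((username, cookie))
        return cookie                        # also handed back to the victim, who lands in a valid session


def run_attack(now=1_700_000_000):
    """Victim completes password + TOTP on the phishing page; the attacker later replays the cookie."""
    idp = IdentityProvider()
    kit = AitMKit(idp)
    code = totp(idp.users["alice@example.test"]["totp_secret"], now)   # read from the victim's app
    kit.victim_submits("alice@example.test", "correct horse", code, now)
    _, stolen = kit.captured[0]
    # No password and no second factor: the cookie alone is the authenticated session.
    return idp.whoami(stolen)


def origin_bound_assertion(device_key, challenge, origin_seen_by_browser):
    """Stand-in for a phishing-resistant (WebAuthn-style) second factor: the response covers the
    origin the browser is actually on. HMAC is used for brevity; a real authenticator signs with a
    private key whose public half the relying party holds."""
    return hmac.new(device_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def run_attack_against_origin_bound_factor():
    """Same relay, origin-bound factor. The kit forwards the IdP's challenge unchanged, the victim's
    browser answers for PHISH_ORIGIN, and the IdP verifies against LEGIT_ORIGIN."""
    device_key = b"device-private-key-standin"           # constructed
    challenge = secrets.token_bytes(32)                  # issued by the real IdP, relayed by the kit
    assertion = origin_bound_assertion(device_key, challenge, PHISH_ORIGIN)
    expected = origin_bound_assertion(device_key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, assertion)      # False: the relay gets no session cookie


if __name__ == "__main__":
    print("OTP relay, cookie replay resolves to:", run_attack())
    print("Origin-bound factor accepted through the same relay:", run_attack_against_origin_bound_factor())
```

The point of the two runs is the asymmetry: a code-based factor is just another string the kit can forward, so the only thing standing between the victim and a stolen session is the victim noticing the wrong domain, whereas a factor that covers the origin the browser is on fails verification precisely because the browser is on the phishing domain.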

Max Gannon, cyber intelligence analysis manager at email security specialists Cofense, said MFA bypass kits such as the one outlined above have leveled the playing field for attackers in the phishing arms race.

“These multi-factor authentication (MFA) bypass kits are undoubtedly effective which has likely led to some people claiming it is a failure on the part of the MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization,” he explained. 

“When victims fall prey to these MFA bypass phishing attacks, they effectively log themselves in and authorize the access that MFA simply can’t protect against.

“These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor to preventing account compromise is the person being phished.”

Business is booming for Tycoon 2FA, with over 1,200 domains linked to the platform

Tycoon 2FA was first brought to mainstream attention by a Sekoia threat analyst who uncovered the first evidence of the kit while carrying out routine threat hunting in October 2023.

Sekoia’s analysts compared a number of phishing pages and identified obfuscation techniques shared across them.

Sekoia’s analysts used these similarities to identify hundreds more phishing pages generated using the same infrastructure, and eventually identified a series of domains thought to belong to the threat actor behind the phishing platform.

Notably, these domains shared the same login panel bearing the “powered by TycoonGroup” label, as well as a domain hosting a website promoting Tycoon 2FA as “the best 2FA bypass phishing platform”.

Sekoia has been actively monitoring the phishing infrastructure underpinning the Tycoon 2FA PhaaS operation since it uncovered the group, and has identified over 1,200 domain names associated with the platform since August 2023.

Using data from cryptocurrency transactions allegedly attributed to SaaD Tycoon Group, Sekoia claims the group’s operations are highly lucrative, and predicts the platform will remain a prominent player in the AitM phishing market in 2024.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.