Tycoon 2FA: The Menacing MFA-Bypassing Phishing Threat Targeting Microsoft 365 and Gmail Accounts

Reports have shown that a new Phishing-as-a-Service Platform (PhaaS) named ‘Tycoon 2FA’ has been used by cybercriminals to target Microsoft 365 and Gmail accounts. Their goal: to bypass two-factor authentication (2FA) protection systems and gain unauthorised access to information and databases.

Sekoia analysts uncovered this new Adversary-in-The-Middle (AiTM) phishing kit in October 2023 as part of their routine threat-hunting work. The kit has ties to Tycoon 2FA, which has seen activity as far back as August 2023. Also known as a Man-in-the-Middle (MitM) attack, an AiTM attack involves a third party, the perpetrator, positioning themselves within a conversation between two parties. Those two parties could be a user and a server, a user and an application, a user and a device, or any combination of the above.

Simply put, this style of attack is dangerous because its versatility opens multiple avenues of attack: traffic can be intercepted at any blind spot between the two parties. To draw an analogy, think of it as a credit card skimmer placed on top of a POS terminal or ATM. The Tycoon 2FA kit has become highly widespread, with more than 1,100 domain names detected between late October 2023 and late February 2024. This coincides with Tycoon’s efforts to improve its PhaaS kit, with its most recent iteration released in early 2024.

The Process: Operating Tycoon 2FA’s Phishing Kit

The stages of an attack are described below as a seven-step process (Stage 0 to Stage 6):

Stage 0 – Attackers craft emails with embedded URLs or QR codes and send them to targets, tricking victims into visiting the phishing pages.

Stage 1 – A challenge-response check (such as a CAPTCHA) filters out bots and lets only human interactions through.

Stage 2 – Background scripts extract the victim’s email address from the URL. It is then used to generate and customise a believable phishing attack.

Stage 3 – The victim is quietly redirected, still within the same phishing site, to a page closer to the fake login form.

Stage 4 – Using WebSockets, the user’s data is exfiltrated, and the user is presented with a fake Microsoft login page pre-filled with their login name to increase the page’s apparent legitimacy.

Stage 5 – Once the user enters their credentials, the phishing kit mimics a 2FA challenge and intercepts the 2FA token, allowing the attackers to bypass the security measure.

Stage 6 – The user has now fallen victim. They are directed to a legitimate-looking page, and nothing indicates that the attack has succeeded.

The “Middle” part of the AiTM attack uses relay servers to capture session cookies once the user passes the 2FA/MFA challenge. Attackers can then replay the user’s session and bypass MFA mechanisms entirely.
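One way a SOC might hunt for the session replay described above, as an added example that is not part of the original article: the script below parses constructed sign-in telemetry (JSON lines; the field names, users and RFC 5737 addresses are invented for illustration) and raises the two findings that AiTM session theft tends to leave behind. First, the session cookie is reused from a client (IP address and user agent) other than the one that completed MFA. Second, MFA is completed from an address the user has never signed in from, because in an AiTM flow it is the relay server, not the victim’s device, that talks to the identity provider. The one-hour window and the known-IP baseline are assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (JSON lines). Users, session ids and
# the RFC 5737 documentation addresses are invented for this walkthrough.
SAMPLE_LOG = """
{"ts":"2024-03-01T09:00:12Z","user":"alice@example.test","session_id":"S-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"mfa_success"}
{"ts":"2024-03-01T09:00:40Z","user":"alice@example.test","session_id":"S-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"session_use"}
{"ts":"2024-03-01T09:07:03Z","user":"alice@example.test","session_id":"S-1","ip":"198.51.100.77","ua":"python-requests/2.31","event":"session_use"}
{"ts":"2024-03-01T10:15:00Z","user":"bob@example.test","session_id":"S-2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"mfa_success"}
{"ts":"2024-03-01T10:16:00Z","user":"bob@example.test","session_id":"S-2","ip":"192.0.2.5","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"session_use"}
{"ts":"2024-03-01T11:02:00Z","user":"carol@example.test","session_id":"S-3","ip":"198.51.100.80","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"mfa_success"}
{"ts":"2024-03-01T11:02:30Z","user":"carol@example.test","session_id":"S-3","ip":"198.51.100.80","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122","event":"session_use"}
"""

# Assumed per-user baseline: addresses seen in earlier, uneventful sign-ins.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"192.0.2.5"},
    "carol@example.test": {"192.0.2.9"},
}


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    event: str  # "mfa_success" or "session_use"


def parse_log(text: str) -> list[SignInEvent]:
    """Parse JSON-lines telemetry into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(SignInEvent(ts, rec["user"], rec["session_id"],
                                  rec["ip"], rec["ua"], rec["event"]))
    return sorted(events, key=lambda e: e.ts)


def find_aitm_indicators(events, known_ips=KNOWN_IPS, window=timedelta(hours=1)):
    """Return one finding dict per signal that points at AiTM session theft."""
    by_session: dict[str, list[SignInEvent]] = {}
    for e in events:
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        mfa = next((e for e in evs if e.event == "mfa_success"), None)
        if mfa is None:
            continue  # no MFA completion recorded for this session

        # Signal 1: MFA completed from an address outside the user's baseline.
        baseline = known_ips.get(mfa.user)
        if baseline is not None and mfa.ip not in baseline:
            findings.append({"rule": "mfa_from_unfamiliar_ip", "user": mfa.user,
                             "session_id": sid, "ip": mfa.ip, "ts": mfa.ts})

        # Signal 2: the same session cookie is used by a different client
        # shortly after MFA, which is what replaying a stolen cookie looks like.
        for e in evs:
            if e.event != "session_use" or not (mfa.ts <= e.ts <= mfa.ts + window):
                continue
            if (e.ip, e.user_agent) != (mfa.ip, mfa.user_agent):
                findings.append({"rule": "session_reuse_from_new_client", "user": e.user,
                                 "session_id": sid, "ip": e.ip, "ts": e.ts})
    return findings


if __name__ == "__main__":
    for f in find_aitm_indicators(parse_log(SAMPLE_LOG)):
        print(f"{f['ts'].isoformat()} {f['rule']:30} {f['user']} "
              f"session={f['session_id']} ip={f['ip']}")
```

Run against the sample, the script flags alice’s session (cookie reused from a second address with a scripted user agent minutes after MFA) and carol’s MFA completion from an address outside her baseline, while bob’s ordinary sign-in produces nothing. In production the same logic would read the identity provider’s sign-in and session logs, and the baseline would be built from weeks of history rather than a hand-written table.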

PhaaS attacks will continue to grow in scale, capability, and complexity. As evidenced by the continuous improvements made to Tycoon 2FA by the Saad Tycoon group, its growth has not gone unnoticed in the cyber security space.

Adventus Multifactor Authentication (MFA) Managed Services

Any user can fall victim to a phishing attack. Traditional 2FA models are, by now, a mandatory layer of defence that businesses cannot do without.

As the threat landscape evolves and phishing kits are continuously modified, a business’s cyber security posture must evolve with them. Research points to security keys as a stronger layer of protection against such bulk phishing attacks than SMS codes, app-based one-time passwords (OTPs), and other traditional two-factor authentication methods.
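The origin binding that lets security keys resist this kind of relay, shown as an added example rather than anything from the article or from Adventus: a toy WebAuthn-style exchange in Python in which the relying party, the browser and the authenticator are all simulated, and an HMAC secret shared with the toy relying party stands in for the authenticator’s private key (the real protocol uses public-key signatures and carries more fields). The origins login.example and login.phish-example.test are placeholders. A challenge relayed through a phishing page fails twice over: the authenticator refuses to use a credential scoped to another relying party, and the relying party rejects any response whose signed origin is not its own. An OTP, by contrast, carries no notion of where it was typed, which is why relaying one works.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Placeholder origins for the walkthrough; not real hosts.
RP_ORIGIN = "https://login.example"
RP_ID = "login.example"
PHISH_ORIGIN = "https://login.phish-example.test"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Credential:
    rp_id: str   # the relying party this credential is scoped to
    key: bytes   # stand-in for the private key: an HMAC secret in this toy


class Authenticator:
    """Toy security key: one key per credential, each bound to a single rp_id."""

    def __init__(self):
        self.creds: dict[str, Credential] = {}

    def register(self, rp_id: str) -> tuple[str, bytes]:
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = Credential(rp_id, key)
        return cred_id, key  # key is handed out only so the toy RP can verify

    def sign(self, cred_id: str, rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
        cred = self.creds[cred_id]
        if cred.rp_id != rp_id:
            raise ValueError("credential is not scoped to this relying party")
        auth_data = sha256(rp_id.encode())  # rpIdHash, as in authenticatorData
        sig = hmac.new(cred.key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return auth_data, sig


def browser_assert(authr: Authenticator, cred_id: str, page_origin: str, challenge: str) -> dict:
    """The browser, not the page script, records the origin the user is really on."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authr.sign(cred_id, host, client_data)
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self.keys: dict[str, bytes] = {}
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id: str, resp: dict) -> bool:
        cd = json.loads(resp["client_data"])
        if cd.get("origin") != self.origin:       # origin binding: the anti-relay check
            return False
        if cd.get("challenge") not in self.pending:  # replay / stale challenge
            return False
        if resp["auth_data"] != sha256(self.rp_id.encode()):
            return False
        expected = hmac.new(self.keys[cred_id],
                            resp["auth_data"] + sha256(resp["client_data"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["sig"]):
            return False
        self.pending.discard(cd["challenge"])
        return True


def setup():
    rp, authr = RelyingParty(RP_ORIGIN, RP_ID), Authenticator()
    cred_id, key = authr.register(RP_ID)
    rp.keys[cred_id] = key
    return rp, authr, cred_id


def legitimate_login(rp, authr, cred_id) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(cred_id, browser_assert(authr, cred_id, RP_ORIGIN, challenge))


def proxied_login(rp, authr, cred_id) -> bool:
    """A relaying page passes on the real challenge, but the browser sits on the phishing origin."""
    challenge = rp.new_challenge()
    try:
        resp = browser_assert(authr, cred_id, PHISH_ORIGIN, challenge)
    except ValueError:
        return False                  # authenticator refuses: rp_id mismatch
    return rp.verify(cred_id, resp)   # would fail anyway: origin mismatch


def otp_relay(code_expected: str, code_typed_on_phish_page: str) -> bool:
    """An OTP is just a string; verification cannot tell where it was typed."""
    return hmac.compare_digest(code_expected, code_typed_on_phish_page)


if __name__ == "__main__":
    rp, authr, cred_id = setup()
    print("legitimate security-key login:", legitimate_login(rp, authr, cred_id))
    print("relayed security-key login:   ", proxied_login(rp, authr, cred_id))
    print("relayed OTP:                  ", otp_relay("482913", "482913"))
```

The point of the two checks is that neither depends on the user noticing anything: the browser fills in the true origin and the authenticator enforces the rp_id scope, so a kit that relays the real challenge through its own domain never obtains a usable assertion, whereas a relayed OTP is indistinguishable from one typed on the genuine page.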

At Adventus, we believe in the same principles of evolving with your MFA needs.

We are a certified provider of cyber security solutions with a dedicated SOC centre. We provide a comprehensive and customisable suite of protections that best suits the threat landscape of your organisation. Our priority is being invested in your cyber security and managing it to stop attackers. Let us help you protect your interests, employees, and data. Contact us to find out more!
