
In recent months, cyber security researchers have observed a significant increase in phishing attacks leveraging a toolkit called Tycoon 2FA. This phishing-as-a-service platform allows cybercriminals to effectively bypass multi-factor authentication (MFA) protections for Microsoft 365 and Gmail accounts.

Background

Tycoon 2FA first emerged in August 2023, advertised through private Telegram channels. It operates using an adversary-in-the-middle (AiTM) technique: a reverse proxy hosts the phishing page on an attacker-controlled domain and relays the victim's credentials and MFA inputs to the legitimate service in real time. Because the legitimate service's responses, including the Set-Cookie header that establishes the authenticated session, travel back through that same proxy, the attacker captures a valid session cookie and can replay it from their own machine. The second factor is never broken; it is simply completed by the victim on the attacker's behalf, and the resulting session is stolen.

The Phishing Flow

Tycoon 2FA phishing attacks typically begin with emails containing malicious links or QR codes that direct victims to a phishing page. This page first presents a Cloudflare Turnstile challenge, which filters out bots, URL scanners and sandboxes so that only human visitors reach the lure itself. If the visitor passes the challenge, they are shown a fake Microsoft login page that harvests their credentials.

Crucially, because the proxy sits between the victim and the real service, the kit can reproduce whichever 2FA prompt the account is configured for: a Microsoft Authenticator push notification, a one-time password delivered by SMS or generated by an app, or a phone-call verification. The victim completes the factor against what is in fact the legitimate service, the proxy forwards the response, and the attacker receives the session cookies issued at the end of the exchange. Any factor that is typed or approved independently of the web origin the browser is connected to can be relayed this way, which is why these methods do not protect against AiTM.

After a successful authentication, victims may be redirected to a legitimate-looking error page, obscuring the phishing attack’s success.
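The flow above works because a push approval or OTP carries nothing that ties it to the page the victim was actually looking at. The contrast with a FIDO2/WebAuthn assertion is easiest to see in code. The following is an added example, not code from the Tycoon 2FA kit, Microsoft or any vendor: the relying-party checks follow the W3C WebAuthn assertion-verification steps for type, challenge, origin, rpIdHash, user-presence flag and signature, the authenticator's private key is simulated with an HMAC secret so the script runs on the Python standard library alone (a real authenticator signs with an ECDSA or Ed25519 key that never leaves the device), and the domain names are hypothetical.

```python
"""
Why an AiTM proxy can relay an OTP or push approval but not a WebAuthn assertion.
Added example; the RP logic mirrors the WebAuthn spec's assertion checks, the
authenticator key is an HMAC stand-in, and all domain names are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                              # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}          # origins the RP accepts
PROXY_ORIGIN = "https://login-example-com.evil.example"  # hypothetical AiTM domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 authenticator (HMAC in place of an asymmetric key)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def public_key(self) -> bytes:
        # Stand-in: HMAC needs the same secret on the verifier side. A real RP
        # stores only the public key captured at registration.
        return self._key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        flags = b"\x05"  # UP (0x01) | UV (0x04)
        sign_count = (0).to_bytes(4, "big")
        authenticator_data = sha256(rp_id.encode()) + flags + sign_count
        # The signature covers authenticatorData || SHA-256(clientDataJSON), so the
        # origin recorded inside clientDataJSON cannot be edited afterwards.
        signed = authenticator_data + sha256(client_data_json)
        signature = hmac.new(self._key, signed, hashlib.sha256).digest()
        return authenticator_data, signature


def browser_client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the page's JavaScript, fills in the origin it is connected to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def verify_assertion(public_key, expected_challenge, client_data_json, authenticator_data, signature):
    """Relying-party side. Returns (accepted, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "bad type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} not allowed"
    if authenticator_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(public_key, authenticator_data + sha256(client_data_json), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(auth):
    challenge = secrets.token_urlsafe(32)
    cdj = browser_client_data(challenge, "https://login.example.com")
    ad, sig = auth.get_assertion(RP_ID, cdj)
    return verify_assertion(auth.public_key(), challenge, cdj, ad, sig)


def aitm_relay(auth):
    """Victim is on the proxy domain; the proxy forwards the assertion untouched.
    A real browser would already refuse the request because RP_ID is not a
    registrable suffix of the proxy origin; the RP's origin check is the backstop."""
    challenge = secrets.token_urlsafe(32)  # relayed from the real RP by the proxy
    cdj = browser_client_data(challenge, PROXY_ORIGIN)
    ad, sig = auth.get_assertion(RP_ID, cdj)
    return verify_assertion(auth.public_key(), challenge, cdj, ad, sig)


def aitm_rewrite_origin(auth):
    """Proxy patches clientDataJSON to the real origin before forwarding."""
    challenge = secrets.token_urlsafe(32)
    cdj = browser_client_data(challenge, PROXY_ORIGIN)
    ad, sig = auth.get_assertion(RP_ID, cdj)
    forged = browser_client_data(challenge, "https://login.example.com")
    return verify_assertion(auth.public_key(), challenge, forged, ad, sig)


if __name__ == "__main__":
    a = SimulatedAuthenticator()
    print("legitimate:", legitimate_login(a))
    print("relayed:   ", aitm_relay(a))
    print("rewritten: ", aitm_rewrite_origin(a))
```

The two attacker paths fail for different reasons: a faithfully relayed assertion is rejected on origin, and one whose clientDataJSON has been rewritten to the real origin fails the signature check. An OTP or push approval has no equivalent of either field, which is exactly the gap the kit exploits.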

Continuous Evolution

The Tycoon 2FA toolkit has undergone continuous development, with a new version released in February 2024 that enhances obfuscation and anti-detection capabilities. These changes include alterations to JavaScript and HTML code, modified resource retrieval order, and improved filtering to block traffic from bots and analysis tools.

Widespread Adoption and Monetisation

Tycoon 2FA has gained significant traction among cybercriminals due to its effectiveness and relative affordability. Researchers have identified over 1,200 domains associated with the toolkit since August 2023, indicating widespread adoption.

Furthermore, analysis of a Bitcoin wallet allegedly linked to the Tycoon 2FA operators suggests that the service has generated substantial revenue, with over $394,000 worth of cryptocurrency received as of mid-March 2024.

Mitigating the Threat

To protect against Tycoon 2FA and similar phishing threats, individuals and organisations should:

  • Exercise caution when receiving unsolicited emails or messages containing links or attachments, even if they appear legitimate.
  • Implement advanced email security solutions to detect and block phishing attempts.
  • Provide regular security awareness training to employees, emphasising the importance of verifying the authenticity of login prompts and MFA requests.
  • Move to phishing-resistant MFA. FIDO2/WebAuthn hardware security keys and passkeys bind each assertion to the origin the browser is actually connected to, so a login completed on a proxy domain is rejected by the real service. Biometrics help only as the unlock step of such a credential; a fingerprint or face check that merely approves a push or app prompt is still relayable. Where legacy factors must remain, pair them with a managed- or compliant-device requirement at sign-in so that a stolen cookie alone is not enough.
  • Monitor sign-in logs for the AiTM pattern rather than for failed logins alone: with Tycoon 2FA the login succeeds. Look for MFA-satisfied sign-ins from hosting or VPN provider IP ranges the user has never used, sessions that reappear from a second IP address or autonomous system shortly after the interactive sign-in, and user agents that do not match the user's known devices.
  • Stay informed about the latest phishing techniques and employ proactive threat hunting practices to identify and mitigate emerging threats.
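Two of those log signals can be turned into simple hunting logic. In an AiTM attack the reverse proxy, not the victim's browser, is the client that completes the password and MFA exchange with the real identity provider, and the stolen cookie is then replayed from wherever the operator sits. The script below is an added example, not from the Tycoon 2FA kit or any vendor: the field names loosely resemble Entra ID sign-in records but are simplified, and the ASN numbers, hosting-ASN list and log lines are all constructed for the example.

```python
"""
Hunting AiTM sign-ins in identity-provider logs (added example, constructed data).
Rule 1: an interactive, MFA-satisfied sign-in from a hosting/VPS network.
Rule 2: the same session ID later used from a different autonomous system.
"""
import json
from datetime import datetime, timedelta

# Constructed: in practice these come from your own IP/ASN enrichment feed.
HOSTING_ASNS = {64510, 64520}
REPLAY_WINDOW = timedelta(hours=8)

# Constructed sample log: alice is phished via an AiTM proxy, bob is a normal user.
SAMPLE_LOG = """
{"time":"2024-03-14T09:00:00Z","user":"alice@example.com","ip":"198.51.100.7","asn":64510,"sessionId":"S1","interactive":true,"mfa":"satisfied","ua":"Mozilla/5.0 Chrome/122"}
{"time":"2024-03-14T09:03:21Z","user":"alice@example.com","ip":"192.0.2.44","asn":64520,"sessionId":"S1","interactive":false,"mfa":"previouslySatisfied","ua":"Mozilla/5.0 Firefox/123"}
{"time":"2024-03-14T09:10:05Z","user":"bob@example.com","ip":"203.0.113.22","asn":64500,"sessionId":"S2","interactive":true,"mfa":"satisfied","ua":"Mozilla/5.0 Edge/122"}
{"time":"2024-03-14T11:42:10Z","user":"bob@example.com","ip":"203.0.113.23","asn":64500,"sessionId":"S2","interactive":false,"mfa":"previouslySatisfied","ua":"Mozilla/5.0 Edge/122"}
"""


def parse_log(text: str):
    """One JSON record per line; returns events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def mfa_from_hosting_network(events):
    """Rule 1. Under AiTM the proxy VPS is the client the IdP sees completing MFA;
    a user on a laptop or phone rarely satisfies MFA from a hosting ASN."""
    return [
        {"rule": "mfa_from_hosting_asn", "user": e["user"], "ip": e["ip"],
         "asn": e["asn"], "time": e["time"]}
        for e in events
        if e["interactive"] and e["mfa"] == "satisfied" and e["asn"] in HOSTING_ASNS
    ]


def session_reused_across_asn(events, window=REPLAY_WINDOW):
    """Rule 2. The same session ID seen from two ASNs inside the window means the
    cookie moved. Same ASN with a different IP is tolerated (carrier NAT, DHCP
    churn) to keep the rule quiet on ordinary roaming."""
    first_seen = {}
    alerts = []
    for e in events:
        key = (e["user"], e["sessionId"])
        if key not in first_seen:
            first_seen[key] = e
            continue
        origin = first_seen[key]
        delta = e["time"] - origin["time"]
        if e["asn"] != origin["asn"] and delta <= window:
            alerts.append({
                "rule": "session_reuse_across_asn", "user": e["user"],
                "sessionId": e["sessionId"],
                "from": (origin["ip"], origin["asn"]), "to": (e["ip"], e["asn"]),
                "delta_s": int(delta.total_seconds()),
            })
    return alerts


def hunt(text: str):
    events = parse_log(text)
    return mfa_from_hosting_network(events) + session_reused_across_asn(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Both rules fire on alice and neither on bob. Rule 1 is the one worth tuning first: the ASN list is the whole signal, and genuine users on corporate VPNs that egress through cloud providers will need an exclusion or a per-user baseline.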

As the Tycoon 2FA toolkit continues to evolve, maintaining vigilance and implementing multi-layered security measures are crucial to mitigating the risks associated with this prevalent phishing-as-a-service threat.

In-depth analysis of the threat can be found at:

Additional information at: