Tycoon 2FA, a PhaaS service, renders two-step authentication useless at Microsoft and Google


Tycoon 2FA, an AiTM (Adversary-in-the-Middle) phishing kit, was recently analyzed in detail by the analyst team at Sekoia. This Phishing-as-a-Service (PhaaS) platform, active since August 2023, has been identified as being used by multiple threat actors to carry out extensive and effective attacks.

The hackers' offer and the evolution of Tycoon 2FA

In October 2023, during routine checks, analysts came across this AiTM phishing kit and noted that Tycoon 2FA had quickly become one of the most popular kits of its kind, with more than 1,100 domains detected in recent months.

Tycoon 2FA works in several stages. The kit starts by trying to lure victims to a page that presents a Cloudflare security challenge in order to filter out unwanted traffic. “Cloudflare Checking if the site connection is secure” works by presenting a test or challenge to users when they try to access a website. This test can be, for example, a CAPTCHA or a security question. If the user passes the test, they are allowed access to the site; if not, access is blocked.

In the case of Tycoon 2FA, users who pass the challenge are presented with a fake Microsoft login page where their credentials are harvested. The phishing kit steals the user’s credentials and uses them to log into their Microsoft account, bypassing multi-factor authentication.
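Because an AiTM kit completes the victim's MFA step for them and then reuses the resulting session, the defender's signal is usually not a failed MFA but a valid session cookie turning up from a second client shortly after the interactive sign-in. The following added example (not part of the original article or of Sekoia's analysis) shows a minimal detection pass over constructed sign-in records; the field names (`session`, `ip`, `ua`, `mfa`) are assumptions modelled loosely on cloud sign-in logs and would need to be mapped to your identity provider's schema.

```python
"""Flag likely session-cookie replay after an AiTM phish (added example, constructed data)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records, not real telemetry. Each record carries the user,
# the session identifier bound to the auth cookie, the client IP and user agent,
# and whether MFA was satisfied interactively or carried over from the session.
SAMPLE_LOG = """
{"ts": "2024-02-20T09:00:00Z", "user": "alice@example.com", "session": "s-111", "ip": "203.0.113.10", "ua": "Edge/121", "mfa": "interactive"}
{"ts": "2024-02-20T09:00:40Z", "user": "alice@example.com", "session": "s-111", "ip": "198.51.100.7", "ua": "Chrome/120", "mfa": "session"}
{"ts": "2024-02-20T10:15:00Z", "user": "bob@example.com", "session": "s-222", "ip": "203.0.113.22", "ua": "Edge/121", "mfa": "interactive"}
{"ts": "2024-02-20T11:00:00Z", "user": "bob@example.com", "session": "s-222", "ip": "203.0.113.22", "ua": "Edge/121", "mfa": "session"}
{"ts": "2023-10-01T08:00:00Z", "user": "carol@example.com", "session": "s-333", "ip": "203.0.113.30", "ua": "Edge/118", "mfa": "interactive"}
{"ts": "2024-02-20T12:00:00Z", "user": "carol@example.com", "session": "s-333", "ip": "203.0.113.30", "ua": "Edge/118", "mfa": "session"}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse one JSON record per line and return them sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_session_replays(records: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when a session established by an interactive MFA sign-in is reused
    from a different IP or user agent within `window` of that sign-in.

    That pattern matches an AiTM proxy: the victim's own client satisfies MFA,
    and the attacker's client then presents the captured cookie."""
    alerts = []
    origin_by_session: Dict[str, Dict] = {}
    for rec in records:
        sid = rec["session"]
        if sid not in origin_by_session:
            origin_by_session[sid] = rec  # first sighting anchors the session
            continue
        origin = origin_by_session[sid]
        if rec["mfa"] != "session" or origin["mfa"] != "interactive":
            continue
        changed_client = rec["ip"] != origin["ip"] or rec["ua"] != origin["ua"]
        if changed_client and rec["ts"] - origin["ts"] <= window:
            alerts.append({
                "user": rec["user"],
                "session": sid,
                "origin_ip": origin["ip"],
                "replay_ip": rec["ip"],
                "seconds_after_mfa": int((rec["ts"] - origin["ts"]).total_seconds()),
            })
    return alerts


def find_long_lived_sessions(records: List[Dict], max_age: timedelta = timedelta(days=30)) -> List[str]:
    """Return session ids still in use more than `max_age` after they were created.

    A stolen cookie is only useful for as long as the session stays valid, so
    capping session lifetime limits the window an AiTM kit's capture buys."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    for rec in records:
        sid = rec["session"]
        first.setdefault(sid, rec["ts"])
        last[sid] = rec["ts"]
    return [sid for sid in first if last[sid] - first[sid] > max_age]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_session_replays(recs):
        print("possible AiTM session replay:", alert)
    for sid in find_long_lived_sessions(recs):
        print("session exceeds lifetime policy:", sid)
```

On the constructed data the replay rule fires once, for the session that moved from one client to another 40 seconds after MFA, while the session that has simply been reused from the same client for months is reported only by the lifetime check. In production the IP comparison would normally be widened to ASN or geolocation, and the replay window tuned against the legitimate client behaviour seen in your own logs.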

Source: blog.sekoia.io

The screenshots come from the Telegram channel of the “Saad Tycoon Group”, which appears to advertise and provide details about a service called “Tycoon 2FA”. They reveal some important information:

  1. Presentation of offers: On December 11th, new prices and plans are introduced for the month of December, suggesting that they are special year-end prices for different internet domains (.com, .ru, .su, .fr, etc.), with variable costs ($120 to $320) depending on the duration of the plans (10, 14, 20 or 30 days).
  2. Expiration of plans: It states that the 10-day and 14-day plans will expire on January 1, 2024, inviting users to take advantage of the last few days of the year.
  3. Multiple domains: In another post, it says that users can now choose any domain extension, including .ru, .su, .fr, .com, .net, .org and others.
  4. Service Features: Another post provides a list of Tycoon 2FA benefits and features, including:
    • More sophisticated or effective ways to capture credentials and bypass security systems for Office365, Gmail and other services.
    • The ability to bypass two-factor authentication (2FA) and provide cookies that can last up to a year.
    • Complete protection against detection by various methods.
    • The commitment that “the service delivers optimal results, keeping the promise we made”.

The most recent version of Tycoon 2FA, identified in February 2024, improves its obfuscation and detection-evasion capabilities and changes the way data flows through the network. The changes include modifications to the JavaScript and HTML code, changes to how the JavaScript that handles the 2FA step and data transmission is loaded at the various stages, and adaptations that identify and bypass certain traffic patterns in order to avoid detection.

In response to this development, Sekoia reviewed the changes and documented the new infrastructure, providing the cybersecurity community with information for monitoring and mitigating the risks associated with Tycoon 2FA.

Many people mistakenly believe that once they have enabled 2FA on an account, it can no longer be compromised. Unfortunately, this is far from the truth. Even with modern technical security measures in place, there is always a risk. That’s why it’s essential for people to be familiar with various cybersecurity practices, including how to spot and avoid phishing attacks, in order to better protect their personal and business accounts.

The article is in Romanian
