A brand new phishing kit is gaining popularity in the underground community, researchers claim.
Tycoon 2FA does a good job of bypassing security analysts while allowing threat actors to bypass even two-factor authentication (2FA), according to cybersecurity experts at Sekoia, who recently detailed the latest version of Phishing-as-a-Service (PhaaS) . ) solution.
According to the report, Tycoon 2FA was first spotted in mid-2023, but received a major upgrade in early 2024, with the tool hitting around 1,100 domains and being used in “thousands” of phishing attacks.
Bypass 2FA
To put things into perspective, the Bitcoin wallet associated with the operation has seen more than 500 transactions since August last year, when the PhaaS was first launched. These transactions amounted to approximately $120, the price of admission for a ten-day phishing link.
By March this year, operators had raised almost $400,000 worth of cryptos.
As for the upgrades, there are two crucial ones, Sekoia reports. The first makes it more difficult to recognize and analyze the tool. With changes to the JavaScript and HTML code, changes to the order of resource retrieval, and better filtering, parsing the service was much more challenging. Additionally, all Tor traffic and IP addresses are better identified and bad traffic is rejected depending on specific user agent strings.
The second is the ability to bypass two-factor authentication. By using a reverse proxy server to host the phishing page, the attackers can intercept the victim’s input and steal session cookies and 2FA codes.
“Once the user completes the MFA challenge and authentication is successful, the center server records session cookies,” Skoia said in his report.
Multi-factor authentication has always been considered a great defense mechanism, but lately threat actors have gotten better at working around it.
Through BleepingComputer