March 25, 2024 at 01:02PM
Cybercriminals are increasingly using the ‘Tycoon 2FA’ phishing-as-a-service (PhaaS) platform to target Microsoft 365 and Gmail accounts and bypass two-factor authentication. Sekoia’s report details the multi-step attack chain and the evolution of the kit, including changes to its JavaScript and HTML code, and points to a substantial operation: over 1,800 transactions in the operators’ wallet and numerous cybercriminals using the platform.
Key takeaways from the report:
1. Cybercriminals are increasingly using the Tycoon 2FA phishing-as-a-service (PhaaS) platform to target Microsoft 365 and Gmail accounts and bypass two-factor authentication protection.
2. The Tycoon 2FA kit has evolved since its discovery, with a new, stealthier version released in 2024. It uses 1,100 domains and has been observed in thousands of phishing attacks.
3. The attack is a multi-step process in which the threat actor captures the victim’s session cookie, which lets them bypass multi-factor authentication.
4. The latest version of Tycoon 2FA introduced significant modifications to improve its phishing and evasion capabilities: it now delays loading malicious resources, uses pseudorandom names for URLs, and detects Tor network traffic and IP addresses belonging to data centers.
5. Evidence suggests a broad user base of cybercriminals utilizing Tycoon 2FA for phishing operations, as indicated by over 1,800 transactions in the Bitcoin wallet linked to the operators.
6. Other notable platforms that can bypass 2FA protections include LabHost, Greatness, and Robin Banks.
7. A repository with over 50 entries of indicators of compromise (IoCs) linked to the Tycoon 2FA operation is available from Sekoia.
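To make the MFA-bypass point in item 3 concrete from the defender’s side, here is an added Python example (not from Sekoia’s report or the Tycoon 2FA kit): it scans a constructed slice of sign-in and request events and flags any session id that was bound to one client when MFA succeeded but is later used from a different IP address, which is how a session cookie captured by a phishing proxy shows up in logs. The event format, field names, timestamps and addresses are all assumptions made for the example.

```python
"""Flag session ids used from a different client than the one that completed MFA.

Added example for this summary; not code from Sekoia or from the Tycoon 2FA kit.
The log format below (event, session, ip, ua, ts) is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample events. Session "s1" completes MFA from 203.0.113.10 and is
# later used from 198.51.100.77 with a different User-Agent (the pattern a stolen
# cookie replayed from the attacker's infrastructure would leave). Session "s2"
# is only ever used from the client that authenticated it.
SAMPLE_EVENTS = [
    {"ts": "2024-03-25T12:00:00", "event": "signin_mfa_ok", "session": "s1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-03-25T12:01:30", "event": "request", "session": "s1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-03-25T12:07:45", "event": "request", "session": "s1",
     "ip": "198.51.100.77", "ua": "python-requests/2.31"},
    {"ts": "2024-03-25T12:10:00", "event": "signin_mfa_ok", "session": "s2",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh)"},
    {"ts": "2024-03-25T12:15:00", "event": "request", "session": "s2",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh)"},
]


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per request whose session id was bound to a different IP
    at MFA success, provided the request falls within `window` of that sign-in.

    Each alert records the bound IP, the IP actually seen, whether the
    User-Agent also changed (a strong secondary signal), and the timestamp.
    """
    bound = {}   # session id -> (ip, ua, time) captured at MFA success
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "signin_mfa_ok":
            bound[e["session"]] = (e["ip"], e["ua"], ts)
            continue
        origin = bound.get(e["session"])
        if origin is None:
            continue  # no sign-in for this session in the slice; nothing to compare
        ip0, ua0, t0 = origin
        if e["ip"] != ip0 and ts - t0 <= window:
            alerts.append({
                "session": e["session"],
                "bound_ip": ip0,
                "seen_ip": e["ip"],
                "ua_changed": e["ua"] != ua0,
                "ts": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

The check keys on the session id rather than the account name so that a legitimate second sign-in from a new device (which gets its own session after its own MFA prompt) does not trigger; only a token that never re-authenticated but changed client is reported. In practice the bound client would be looked up from the identity provider’s sign-in log rather than from the same file.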