A new phishing-as-a-service (PhaaS) platform, named 'Tycoon 2FA', has been increasingly used by cybercriminals to target Microsoft 365 and Gmail accounts, effectively bypassing two-factor authentication (2FA) protections. Discovered by Sekoia analysts in October 2023, Tycoon 2FA has been active since at least August 2023, when it was offered by the Saad Tycoon group through private Telegram channels.
The platform is similar to other adversary-in-the-middle (AitM) platforms like Dadsec OTT, hinting at possible code reuse or collaboration between developers. A new, stealthier version of Tycoon 2FA was released in 2024, showcasing the developers' ongoing efforts to refine the kit. Currently, the service utilizes 1,100 domains and has been implicated in thousands of phishing attacks.
Tycoon 2FA operates through a multi-step process that involves using a reverse proxy server hosting the phishing web page to steal session cookies. "Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies," Skoia explains. This allows the attacker to replay a user's session and bypass multi-factor authentication (MFA) mechanisms.
The latest version of Tycoon 2FA, released in 2024, has introduced significant modifications to enhance its phishing and evasion capabilities. These changes include updates to the JavaScript and HTML code, alterations in resource retrieval order, and more extensive filtering to block bot and analytical tool traffic.
The scale of operations is substantial, with a broad user base of cybercriminals currently utilizing Tycoon 2FA for phishing operations. The Bitcoin wallet linked to the operators has recorded over 1,800 transactions since October 2019, with a notable increase starting in August 2023. By mid-March 2024, the threat actors' wallet had received a total of $394,015 worth of cryptocurrency.
Max Gannon, Cyber Intelligence Analysis Manager at Cofense, commented on the effectiveness of these MFA bypass kits: "These multi-factor authentication (MFA) bypass kits are undoubtedly effective which has likely led to some people claiming it is a failure on the part of the MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization. When victims fall prey to these MFA bypass phishing attacks, they effectively log themselves in and authorize the access that MFA simply can’t protect against. These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor to preventing account compromise is the person being phished."
Tycoon 2FA is a recent addition to a PhaaS space that already offers cybercriminals a variety of options to bypass 2FA protections. Other notable platforms include LabHost, Greatness, and Robin Banks. For those concerned about Tycoon 2FA, Sekoia has made available a repository with over 50 indicators of compromise (IoCs) linked to the operation.