Highlights:

  • The Tycoon 2FA phishing kit, according to Sekoia experts, is a severe threat to cybersecurity because of its advanced methods and possible linkages to other well-known phishing platforms.
  • Many people mistakenly believe that the account cannot be compromised if they have 2FA enabled on it.

Cybersecurity researchers from the Threat Detection and Research team of Sekoia ApS have warned about “Tycoon 2FA”, a newly documented phishing kit built on adversary-in-the-middle (AiTM) techniques and used by many threat actors to run sophisticated credential-theft campaigns.

The phishing kit has been operational since at least August 2023 and is described as one of the most widespread AiTM phishing kits, with more than 1,100 domain names observed between October 2023 and February 2024.

Tycoon 2FA runs its attack in several stages. To filter out unwanted traffic such as security scanners, the kit first lures victims to a page that presents a Cloudflare security challenge. Once the challenge is passed, the victim is redirected to a fraudulent Microsoft authentication page where their credentials are captured. To get around multifactor authentication, the kit relays those credentials to the official Microsoft authentication API in real time and intercepts the session cookie that Microsoft issues once the victim completes the MFA step. Replaying that cookie gives the attacker an authenticated session without triggering MFA again.
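The session-cookie replay at the end of that chain is what a defender can look for in identity logs: the cookie was minted by an interactive sign-in that satisfied MFA from one network, and minutes later it is presented from another. The script below is an added example, not code from Sekoia's research or from the Tycoon 2FA kit; it runs over a few constructed sign-in records (the field names are the example's own, not a vendor schema) and flags sessions used from a different IP shortly after the MFA sign-in that created them.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), loosely modelled on
# identity-provider sign-in and token-usage logs. Field names are this
# example's own. Scenario: alice completes MFA from her home network, then
# the same session is presented four minutes later from another network and
# browser (the cookie-replay pattern an AiTM kit produces); bob's session
# stays put; carol's phone changes IP but keeps the same browser.
SAMPLE_LOG = """\
{"ts": "2024-03-05T09:00:00Z", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Edge/122 Windows", "mfa": "satisfied"}
{"ts": "2024-03-05T09:04:00Z", "user": "alice", "session": "s-1", "ip": "198.51.100.77", "ua": "Chrome/121 Linux", "mfa": "notRequired"}
{"ts": "2024-03-05T09:10:00Z", "user": "bob", "session": "s-2", "ip": "203.0.113.20", "ua": "Edge/122 Windows", "mfa": "satisfied"}
{"ts": "2024-03-05T09:40:00Z", "user": "bob", "session": "s-2", "ip": "203.0.113.20", "ua": "Edge/122 Windows", "mfa": "notRequired"}
{"ts": "2024-03-05T09:15:00Z", "user": "carol", "session": "s-3", "ip": "192.0.2.5", "ua": "Safari/17 iPhone", "mfa": "satisfied"}
{"ts": "2024-03-05T09:30:00Z", "user": "carol", "session": "s-3", "ip": "192.0.2.99", "ua": "Safari/17 iPhone", "mfa": "notRequired"}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events, window=timedelta(hours=1)):
    """Flag sessions whose cookie is used from a different IP than the one
    that satisfied MFA, within `window` of that sign-in.

    Severity is "high" when the user agent changed as well (a different
    browser is presenting the cookie) and "medium" when only the IP changed
    (a roaming mobile user is plausible, but it is still worth a look).
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    alerts = []
    for session_id, evs in by_session.items():
        # The anchor is the interactive sign-in that satisfied MFA and minted
        # the cookie; later events in the session rode on that cookie.
        anchor = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue
        for e in evs:
            if e is anchor or e["ts"] <= anchor["ts"]:
                continue
            if e["ts"] - anchor["ts"] > window:
                continue
            if e["ip"] == anchor["ip"]:
                continue
            alerts.append({
                "session": session_id,
                "user": e["user"],
                "severity": "high" if e["ua"] != anchor["ua"] else "medium",
                "mfa_ip": anchor["ip"],
                "replay_ip": e["ip"],
                "minutes_after_mfa": int((e["ts"] - anchor["ts"]).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed input this yields a high-severity alert for alice (new IP and new browser four minutes after MFA) and a medium one for carol (new IP, same browser); bob produces nothing. In production the IP comparison should be widened to ASN or geolocation and the window tuned to the session lifetime, but the core signal is the same: MFA was satisfied once, by the victim, and everything after that is the cookie.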

The kit is also under active development. According to the researchers, changes made to Tycoon 2FA in February improved its capabilities by refining stealth techniques to evade analysis, expanding traffic filtering, and restructuring how resources are retrieved. Notable alterations include modified HTML and JavaScript code, splitting JavaScript downloads into several stages to control data transfer and the 2FA setup, and new logic that recognizes and filters varied traffic patterns to evade detection.

The Tycoon 2FA phishing kit, according to Sekoia experts, is a severe threat to cybersecurity because of its advanced methods and possible linkages to other well-known phishing platforms. “We expect the Tycoon 2FA PhaaS to remain a prominent threat within the AiTM phishing market in 2024,” the researchers added.

Max Gannon, cyber intelligence analysis manager at phishing detection and response solutions company Cofense Inc., reported that “these multifactor authentication bypass kits are undoubtedly effective, which has likely led to some people claiming it is a failure on the part of the MFA. However, MFA prevents someone with stolen credentials from accessing resources without authorization.”

“When victims fall prey to these MFA bypass phishing attacks, they effectively log themselves in and authorize the access that MFA simply can’t protect against. These kits essentially reset the phishing arms race to where we were before the advent of MFA, where the key factor to preventing account compromise is the person being phished,” Gannon explained.

Erich Kron, a security awareness advocate at security awareness training company KnowBe4 Inc., stated that the attack method “demonstrates why it is important to educate people on how to spot and report email phishing attacks, even if they have 2FA enabled. Many people mistakenly believe that if they have 2FA enabled on an account, then the account cannot be compromised. Unfortunately, that is far from the truth. Even with modern technical security controls in place, it’s more important than ever to educate people about tactics such as this so they have a much better chance of defending themselves and their organizations.”