As cyber threats continue to evolve, adversary-in-the-middle (AiTM) phishing attacks have emerged as a sophisticated method for bypassing multi-factor authentication (MFA) protections. Among these, the Tycoon 2FA phishing kit has gained significant traction. Sold on platforms like Telegram, this phishing-as-a-service (PhaaS) tool is designed to harvest credentials and sessions for accounts on widely used services like Microsoft 365 and Gmail. With its ability to bypass MFA and its advanced obfuscation techniques, Tycoon 2FA represents a growing threat to organizations worldwide, necessitating enhanced security measures to protect against these advanced phishing campaigns.
Understanding AiTM Attacks
AiTM attacks involve attackers positioning a server between the victim and the legitimate service, acting as a reverse proxy. This server hosts a phishing webpage that captures user inputs and relays them to the legitimate service. When the user completes the MFA challenge, the attacker captures the resulting session cookies, which let them reuse the authenticated session without repeating MFA, even if the victim later changes their credentials. Because the login is intercepted inside a genuine, session-based authentication flow, the method is a potent tool for cybercriminals. For more details, visit zvelo’s article on AiTM attacks.
How Tycoon 2FA Works
According to a detailed report by the threat detection team at Sekoia, Tycoon 2FA employs a six-stage attack sequence to effectively bypass MFA protections and harvest session cookies. For more technical details, you can refer to the original report here.
- Stage 0: Spreading Phishing Pages. Phishing pages are distributed through URLs and QR codes embedded in emails. These emails often use HR, finance, or security themes to lure targets, particularly employees in finance, accounting, and executive roles.
- Stage 1: Cloudflare Turnstile Challenge. The initial page includes a Cloudflare Turnstile challenge to filter unwanted traffic. JavaScript interacts with a command and control (C2) server to decide whether to proceed to the next stage.
- Stage 2: Email Extractor. This stage extracts and decodes email addresses from URLs using JavaScript. Users are redirected based on the presence and format of the email address.
- Stage 3: Redirection Page. Invisible to the user, this stage involves redirecting to another webpage within the phishing domain using simplified HTML code.
- Stage 4: Fake Microsoft Login Page. Obfuscated JavaScript renders a fake Microsoft login page. This stage captures credentials and 2FA codes over a WebSocket connection, fingerprints the visitor, and handles user interactions.
- Stage 5: 2FA Relaying. The JavaScript from the previous stage interacts with the HTML to display the 2FA page. Commercial proxy servers relay user inputs to the legitimate Microsoft authentication API, capturing session cookies to bypass MFA.
- Stage 6: Final Redirection. After authentication, users are redirected to legitimate-looking URLs. This final redirection helps maintain the illusion of legitimacy, ensuring the victim remains unaware of the malicious nature of the previous pages.
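The Stage 2 behaviour above, where the kit reads the victim’s address out of the URL so the lure can be pre-filled, leaves a signature that defenders can look for in delivered links. The following Python function is an added example (not code from the kit or from Sekoia’s report) that inspects a URL’s path segments, query values and fragment for an e-mail address, either in plain form or base64-encoded; a mail gateway or URL-rewriting proxy can use such a check to flag links that carry the recipient’s identity. The hostnames and encoded addresses below are constructed for the example.

```python
"""Flag URLs that carry a recipient e-mail address, plain or base64-encoded.

Added example for this post; not code from the Tycoon 2FA kit or from Sekoia.
Sample URLs are constructed and use reserved .invalid / example.com names.
"""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Standard or URL-safe base64 alphabet with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def _decode_b64(token: str):
    """Return the UTF-8 text behind a (possibly unpadded, URL-safe) base64 token, or None."""
    if len(token) < 12 or not B64_RE.match(token):   # short tokens are ordinary words
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)                      # restore stripped padding
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _url_tokens(url: str):
    """Every path segment, query value and fragment piece that could hide a value."""
    parts = urlparse(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    tokens += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        tokens.append(parts.fragment)
        for piece in re.split(r"[&/]", parts.fragment):
            tokens.append(piece)
            if "=" in piece:                          # key=value pair inside the fragment
                tokens.append(piece.split("=", 1)[1])
    return [unquote(t) for t in tokens if t]


def find_embedded_emails(url: str):
    """Return [(email, 'plain' | 'base64'), ...] for addresses embedded in the URL."""
    found = []
    for tok in _url_tokens(url):
        if EMAIL_RE.match(tok):
            hit = (tok, "plain")
        else:
            decoded = _decode_b64(tok)
            if not decoded or not EMAIL_RE.match(decoded.strip()):
                continue
            hit = (decoded.strip(), "base64")
        if hit not in found:
            found.append(hit)
    return found


if __name__ == "__main__":
    SAMPLES = [  # constructed links, not observed infrastructure
        "https://portal.example.invalid/ab12/#dmljdGltQGNvcnAuZXhhbXBsZQ==",
        "https://login.example.invalid/?id=dmljdGltQGNvcnAuZXhhbXBsZQ%3D%3D",
        "https://www.example.com/docs/getting-started?page=2",
    ]
    for u in SAMPLES:
        print(u, "->", find_embedded_emails(u) or "no embedded address")
```

A hit on its own is not proof of phishing (legitimate unsubscribe and invitation links also embed addresses), so treat the result as an enrichment signal to combine with sender reputation, domain age and the URL’s final destination.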
Key Changes in the Latest Version of Tycoon 2FA
According to Sekoia’s report, this latest version of Tycoon 2FA introduced several significant changes to the phishing kit:
- Enhanced Stealth and Evasion. Improved filtering mechanisms reject traffic from bots, analysis tools, and certain datacenter IPs. This helps evade detection and analysis efforts more effectively.
- Modified Resource Retrieval. The order in which resources are retrieved has been changed. Enhanced filtering ensures that unwanted traffic is blocked more efficiently.
- JavaScript and HTML Changes. Updated deobfuscation methods now remove unnecessary mathematical operations, making the phishing kit more streamlined and harder to analyze.
- Integration of Cloudflare Turnstile Challenge. The Cloudflare Turnstile challenge is now part of both the initial and login stages, tightening the kit’s filtering of unwanted traffic at each step.
- Pseudorandom URLs. URLs are now set using pseudorandom names, which helps in avoiding detection and makes it more difficult for defenders to identify and block malicious domains.
These changes reflect a deliberate effort by the developers to enhance the kit’s stealth and evasion techniques, making it more resilient against detection and analysis.
Options for Protecting Against Tycoon 2FA AiTM Phishing Attacks
As AiTM attacks and phishing kits like Tycoon 2FA continue to evolve and grow in popularity, it is crucial for organizations to adopt advanced strategies to defend against these types of sophisticated phishing attacks. Implementing traditional MFA solutions is a start, but they must be augmented with more robust, phish-resistant technologies and comprehensive threat prevention tools. Below are some key strategies to consider:
Enhanced MFA Solutions
While traditional MFA can deter many attackers, it has its limitations, especially against AiTM attacks. To bolster security, organizations should adopt more advanced, phish-resistant MFA solutions such as Fast IDentity Online (FIDO) v2.0 and certificate-based authentication. These technologies provide stronger protection by requiring both the user and the website to verify each other’s identities, so a proxy sitting between them cannot simply relay the login.
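The following Python example is added here to show concretely why FIDO2/WebAuthn resists the relay described in Stage 5; it is not from the post and is not a complete WebAuthn verifier (signature checking is assumed to follow). The browser writes the origin it actually displayed into the signed clientDataJSON, and the authenticator scopes the credential to the relying-party ID, so an assertion produced while the victim is on a proxy’s lookalike domain fails the relying party’s origin and rpIdHash comparison. RP_ID, ALLOWED_ORIGINS, the sample challenge and the lookalike hostname are constructed for the example.

```python
"""Origin binding in a WebAuthn assertion: the check an AiTM proxy cannot satisfy.

Added example for this post; not code from any production WebAuthn library.
RP_ID, ALLOWED_ORIGINS and the hostnames below are constructed.
"""
import base64
import hashlib
import json

RP_ID = "login.example.com"                         # relying party ID we protect
ALLOWED_ORIGINS = {"https://login.example.com"}     # origins the RP legitimately serves


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """What the browser produces as clientDataJSON for a page served from `origin`."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(doc).encode())


def make_auth_data(rp_id: str) -> str:
    """Minimal authenticatorData: rpIdHash || flags (UP|UV) || 4-byte signCount."""
    return b64url_encode(hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big"))


def check_assertion(client_data_b64: str, auth_data_b64: str, expected_challenge: str):
    """Return (ok, reason) after the origin and RP-ID checks a relying party must perform."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    # The browser, not the page script, fills in the origin it showed the user,
    # so a relay on another domain cannot present the legitimate origin here.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    auth_data = b64url_decode(auth_data_b64)
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    return True, "ok (proceed to signature verification)"


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"     # constructed sample challenge

    # Victim on the real site: origin and RP ID both match.
    print(check_assertion(make_client_data("https://login.example.com", challenge),
                          make_auth_data("login.example.com"), challenge))

    # Victim on a proxy's lookalike domain: the browser records that domain as the
    # origin and the authenticator scopes the request to it, so the RP rejects it.
    print(check_assertion(make_client_data("https://login.example-secure.invalid", challenge),
                          make_auth_data("login.example-secure.invalid"), challenge))
```

In practice the browser also refuses to use a credential whose RP ID is not a registrable suffix of the current page’s domain, so on the lookalike site the authenticator never signs at all; the server-side checks above are the last line of defence if that client-side rule is ever bypassed.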
Advanced Phishing Awareness Training
Traditional phishing awareness training often falls short by relying on outdated indicators like poor grammar and unsecured HTTP connections. As cybercriminals leverage increasingly sophisticated tactics to bypass traditional security measures, phishing awareness training programs need to evolve accordingly. To counter advanced phishing tactics, organizations should educate users on more subtle signs, such as verifying the actual sender of an email and scrutinizing hyperlinks before clicking. This comprehensive approach empowers users to recognize sophisticated phishing attempts, enhancing their overall cybersecurity vigilance. For more detailed information, visit Phishing Awareness Training for the Generative AI Era.
PhishBlocklist Protection for AiTM
Once a user lands on the attacker’s phishing page, it’s too late for any security layer to protect against the credential harvesting. And, just as attackers continue to devise ways to subvert the MFA protection, eventually they’ll find a way around FIDO v2.0. Rather than focusing on an authentication method, PhishBlocklist delivers comprehensive protection against AiTM by blocking users from accessing the phishing page for maximum protection against credential harvesting TTPs that lead to ransomware, breaches, and other cyber-attacks. PhishBlocklist, one of the zveloCTI™ Cyber Threat Intelligence Feeds, has proven market-leading detection coverage and speed of active phishing threats from the global ActiveWeb traffic stream across web surfing, email, SMS/text and other applications. Further enhanced with zvelo’s predictive phishing detection, PhishBlocklist delivers validated active phishing threats that are enriched with additional metadata attributes such as date detected, targeted brand, phishing campaign identification, and more.
As phishing kits and AiTM phishing attacks become more sophisticated, organizations must remain vigilant and proactive in their defense strategies. Staying ahead of these threats requires continuous adaptation and a multi-layered security approach, ensuring that both technology and human factors are optimized to protect against the latest phishing techniques. For more insights and detailed strategies on fortifying your organization’s defenses, stay connected with zvelo’s threat intelligence updates via the zvelo blog.