The cybersecurity landscape faces a growing threat with the emergence of the Tycoon 2FA phishing kit, a sophisticated Phishing-as-a-Service (PhaaS) platform designed to bypass MFA and evade detection.
First identified in August 2023, Tycoon 2FA has undergone significant updates, making it one of the most formidable tools for cybercriminals targeting services like Microsoft 365 and Gmail.
Tycoon 2FA utilizes an Adversary-in-the-Middle (AiTM) approach, employing a reverse proxy server to intercept user credentials and session cookies.
The phishing process begins with victims being lured through malicious links in emails or QR codes. A Cloudflare Turnstile challenge then filters out bots, ensuring only human users proceed.
Security analysts observed that users are then redirected to a fake login page mimicking the Microsoft or Google authentication portal, where their credentials and MFA codes are captured in real time.
Finally, session cookies are intercepted during the MFA process, allowing attackers to gain unauthorized access without needing the victim’s credentials again.
Innovations in Evasion
The latest version of Tycoon 2FA, observed in November 2024, incorporates advanced tactics to obstruct analysis and detection:
- Obstructive Source Code: The phishing pages use specially crafted JavaScript and HTML code that omits traditional resource calls, complicating automated analysis.
- Dynamic Code Generation: Each execution generates unique code, evading signature-based detection systems.
- Blocking Security Tools: The kit detects penetration-testing tools like Burp Suite and redirects users to blank pages if such tools are identified.
- Keystroke Monitoring: It listens for developer shortcuts or inspection keystrokes, blocking actions or redirecting users to legitimate sites like OneDrive.
- Context Menu Disabling: Right-click menus are disabled to prevent manual inspection of web elements.
- Clipboard Manipulation: Attempts to copy text from the phishing page result in overwritten clipboard content, hindering data extraction.
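The anti-analysis tricks listed above leave traces in the page source that a scanner can look for. The following is an added example written for this article, not code from the researchers or from the kit: a small heuristic scorer over a captured page body, with constructed sample pages. The regular expressions are assumptions for illustration rather than signatures, and because Turnstile or a disabled context menu alone is common on legitimate sites, only several indicators together count as suspicious.

```python
import re

# Heuristic indicators for the anti-analysis behaviours described above.
# The patterns are assumptions for illustration, not signatures from the kit.
INDICATORS = [
    ("turnstile_gate",
     re.compile(r"challenges\.cloudflare\.com/turnstile", re.I)),
    ("contextmenu_block",
     re.compile(r"(oncontextmenu\s*=|['\"]contextmenu['\"]).{0,200}?"
                r"(return\s+false|preventDefault)", re.I | re.S)),
    ("devtools_keys",
     re.compile(r"['\"]keydown['\"].{0,300}?"
                r"(keyCode\s*==+\s*123|['\"]F12['\"]|ctrlKey.{0,40}?shiftKey)",
                re.I | re.S)),
    ("clipboard_override",
     re.compile(r"['\"]copy['\"].{0,300}?clipboardData\.setData", re.I | re.S)),
    ("login_lure",
     re.compile(r"(microsoft|office\s*365|google)\b.{0,200}?(sign\s*in|password)",
                re.I | re.S)),
]


def scan_page(html: str, threshold: int = 3) -> dict:
    """Score a captured page body: the combination of indicators is the signal,
    since any single one is also found on benign sites."""
    hits = [name for name, rx in INDICATORS if rx.search(html)]
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= threshold}


# Constructed sample pages (not captured from any real campaign).
SUSPICIOUS_SAMPLE = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
</head><body oncontextmenu="return false">
<h1>Microsoft</h1><form><input type="password" placeholder="Password"></form>
<script>
document.addEventListener("keydown", function (e) {
  if (e.keyCode == 123 || (e.ctrlKey && e.shiftKey)) { e.preventDefault(); }
});
document.addEventListener("copy", function (e) {
  e.clipboardData.setData("text/plain", ""); e.preventDefault();
});
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Weekly newsletter</h1>
<script>document.addEventListener("keydown", function (e) {
  if (e.key === "Escape") { closeModal(); }
});</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_page(page))
```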
Tycoon 2FA’s ability to bypass MFA protections poses a severe risk to organizations relying on session-based authentication.
By leveraging session cookies, attackers can maintain persistent access even if credentials are changed.
This capability has made Tycoon 2FA a popular choice among cybercriminals, with over 1,100 domains implicated in phishing campaigns.
Financially, the operators of Tycoon 2FA have profited significantly, with reports indicating cryptocurrency earnings nearing $400,000 by March 2024.
The kit is sold on platforms like Telegram at prices as low as $120 for a 10-day phishing campaign.
To counteract threats like Tycoon 2FA, organizations must adopt layered security measures:
- Behavioral-based detection systems
- Phishing-resistant MFA methods
- Employee security-awareness training
- Advanced email filtering solutions