
Sekoia Details An MFA-Bypass Phishing Kit That Targets MS 365 & Gmail Users

Posted in Commentary with tags on March 27, 2024 by itnerd

The latest version of the AiTM phishing kit “Tycoon 2FA” has become one of the most widespread AiTM phishing kits over the last few months, with more than 1,100 domain names tracked from late October 2023 through February 2024. This phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Gmail accounts.

The most recent version, which appeared in February, “enhances its obfuscation and anti-detection capabilities and changes network traffic patterns”. It bypasses 2FA protection with an adversary-in-the-middle (AiTM) attack: the kit proxies the real login and steals the session cookies issued after the user completes MFA.

Discovered by Sekoia researchers in October 2023, Tycoon 2FA was found to have been active since August 2023, when it was offered for sale on private Telegram channels.

“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies”, allowing the attacker to replay the session and bypass MFA entirely. The victim's MFA factor is not broken; it is consumed once by the attacker's proxy, and the resulting authenticated session is what gets stolen.

Sekoia outlined the attack in seven stages (Stage 0 through Stage 6):

  • Stage 0 – Spreading phishing pages: Customers of the Tycoon 2FA PhaaS distribute their phishing pages via URL redirections and QR codes.
  • Stage 1 – Cloudflare Turnstile challenge: Users clicking the phishing URL are redirected to a page embedding a Cloudflare Turnstile challenge, which filters out unwanted traffic such as bots and automated scanners.
  • Stage 2 – Email extractor: JavaScript running in the background checks for an email address (typically passed in the URL) and redirects the user to another page depending on whether one is present.
  • Stage 3 – Redirection page: Redirects to another page on the phishing domain.
  • Stage 4 – Fake Microsoft authentication page and sockets: Embeds a deobfuscation function and the obfuscated HTML of the fake Microsoft authentication page.
  • Stage 5 – 2FA relaying: Code builds and displays the Microsoft 2FA page, relaying the victim's response to the legitimate service.
  • Stage 6 – Final redirection: Redirects the user to a legitimate URL so they do not realise the previous page was malicious.
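Once the proxy has captured the cookie, the relying party no longer sees a failed MFA; what it can still see is a session that keeps being used from somewhere other than where it was authenticated. The script below, an added example that is not from the post or from Sekoia's report, runs that check over constructed sign-in log lines. The log format, event names and the eight-hour window are assumptions made for the example; in production you would key on ASN or a device fingerprint rather than a bare /24 so that mobile roaming does not trip it.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, event, user,
# session id, source IP, user agent. The first session is authenticated from
# one address and then used from a different network and browser minutes
# later, which is the shape a replayed session cookie leaves behind. The
# second session moves within the same /24 and keeps its user agent.
SAMPLE_LOG = """\
2024-02-12T09:00:03Z LOGIN_MFA_OK alice@example.com sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/121
2024-02-12T09:00:05Z SESSION_USE alice@example.com sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/121
2024-02-12T09:03:41Z SESSION_USE alice@example.com sess-7f3a 198.51.100.77 Mozilla/5.0 (X11; Linux x86_64) Firefox/122
2024-02-12T09:10:00Z LOGIN_MFA_OK bob@example.com sess-c2d9 192.0.2.25 Mozilla/5.0 (Macintosh) Safari/17
2024-02-12T09:15:00Z SESSION_USE bob@example.com sess-c2d9 192.0.2.30 Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_line(line: str) -> dict:
    """Split one log line; the user agent is the remainder after five fields."""
    ts, event, user, sid, ip, ua = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user,
        "sid": sid,
        "ip": ipaddress.ip_address(ip),
        "ua": ua,
    }


def same_network(a, b) -> bool:
    """Coarse locality check: /24 for IPv4, /64 for IPv6 (an assumption)."""
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def detect_session_replay(log_text: str,
                          window: timedelta = timedelta(hours=8)) -> list:
    """Flag SESSION_USE events whose source network or user agent differs
    from the LOGIN_MFA_OK event that minted the same session id."""
    anchors = {}    # session id -> the MFA-completion event
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["event"] == "LOGIN_MFA_OK":
            anchors[e["sid"]] = e
            continue
        if e["event"] != "SESSION_USE" or e["sid"] not in anchors:
            continue
        a = anchors[e["sid"]]
        if e["ts"] - a["ts"] > window:
            continue
        reasons = []
        if not same_network(a["ip"], e["ip"]):
            reasons.append("ip")
        if a["ua"] != e["ua"]:
            reasons.append("ua")
        if reasons:
            findings.append({
                "user": e["user"],
                "sid": e["sid"],
                "ts": e["ts"].isoformat(),
                "auth_ip": str(a["ip"]),
                "use_ip": str(e["ip"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_LOG):
        print(finding)
```

Note the caveat that in an AiTM login the MFA completion itself originates from the kit's proxy, so the anchor address is already attacker infrastructure; the later use from a second attacker address still differs, and an anchor address in hosting-provider space is a second signal worth correlating.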

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “While Multi-Factor Authentication (MFA) increases security compared to single-factor authentication, sophisticated attacks involving Adversary-in-the-Middle (AiTM) techniques, exemplified by the “Tycoon 2FA” phishing kit, can easily bypass most MFA protections. Some forms of MFA are more resistant to phishing attacks than others. Security keys that implement WebAuthn/FIDO2 standards offer a higher level of protection as they require the website to prove its identity to the key, which makes it significantly more difficult for attackers to intercept or replicate the MFA process.

   “Certificate pinning is effective against attackers attempting to intercept or manipulate secure connections by presenting a fraudulent certificate. However, it does not prevent phishing attacks where the user is tricked into entering credentials into a malicious website or application.”
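The WebAuthn/FIDO2 point in the quote above comes down to one field. The browser, not the page, writes the page's origin into the signed client data, so an assertion produced while the victim is on the kit's look-alike domain carries that domain's origin and fails the relying party's check even when the challenge was relayed faithfully. A relayed one-time code carries no such binding. The following is an added example, not code from the post, from Sekoia or from any WebAuthn library: the relying party, origins and credential are assumed names, and an HMAC stands in for the credential's ECDSA signature so it runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Assumed names for the example: a relying party and a constructed
# look-alike phishing origin standing in for a Tycoon 2FA page.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"


def browser_get_assertion(cred_key: bytes, challenge: str,
                          page_origin: str, rp_id: str) -> dict:
    """Models navigator.credentials.get(). The browser fills in the origin of
    the page that called it; page script cannot override that value. The
    authenticator signs authenticatorData || SHA-256(clientDataJSON).
    HMAC-SHA256 stands in for the credential's ECDSA signature here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    # authenticatorData: rpIdHash (32) || flags (1, 0x01 = user present) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest(),
    }


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict,
              rp_origin: str = RP_ORIGIN, rp_id: str = RP_ID) -> tuple:
    """The relying party's checks on an assertion (abridged from the spec's
    verification procedure): ceremony type, challenge, origin, rpIdHash,
    user-presence flag, then the signature over the same bytes."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != rp_origin:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence not asserted"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def direct_login(cred_key: bytes) -> tuple:
    """User on the real site: origin in the client data matches the RP."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(cred_key, challenge, RP_ORIGIN, RP_ID)
    return rp_verify(cred_key, challenge, assertion)


def aitm_login(cred_key: bytes) -> tuple:
    """The kit's proxy fetches a real challenge and relays it unchanged, but
    the victim's browser is on the phishing origin, so that origin is what
    gets signed. (A real browser would additionally refuse to use a
    credential whose rpId is not a registrable suffix of the page's domain;
    this models only the server-side check that catches it regardless.)"""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(cred_key, challenge, PHISH_ORIGIN, RP_ID)
    return rp_verify(cred_key, challenge, assertion)


def aitm_totp_login(relayed_code: str, expected_code: str) -> bool:
    """Contrast: a relayed one-time code carries nothing that ties it to the
    origin the user typed it into, so the proxy's replay is indistinguishable."""
    return hmac.compare_digest(relayed_code, expected_code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # the credential's private key, stand-in
    print("direct:", direct_login(key))
    print("via proxy:", aitm_login(key))
    print("relayed TOTP accepted:", aitm_totp_login("482913", "482913"))
```

The origin check is the whole defence; a relying party that skips it (or accepts any origin under a wildcard) gives the phishing-resistance back.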

A move towards passwordless authentication built on the same WebAuthn/FIDO2 standards would likely remove this attack vector as well, since there is no password or one-time code for the proxy to relay. This once again shows that the world needs to shift towards solutions that protect against increasingly aggressive threat actors who will stop at nothing to achieve their aims.