The developers of a notorious 2FA account security bypass tool have launched an updated version of their ‘as-a-service’ kit that is targeting Microsoft 365 and Gmail account holders.
Researchers from the Sekoia Threat Detection and Research team have published an in-depth analysis of Tycoon 2FA, a notorious adversary-in-the-middle (AiTM) phishing kit distributed via cybercrime forums and marketplaces, with versions tailored to attacks on both Gmail and Microsoft 365 users.
Although so-called phishing-as-a-service is nothing new in cybersecurity, this particular kit, as the Tycoon 2FA name indicates, is known for its ability to bypass 2FA protections and its popularity among cybercriminals.
What Security Researchers Uncovered About Tycoon 2FA
Sekoia's Threat Detection and Research team first spotted the AiTM kit in October 2023, when an investigation linked it to a phishing-as-a-service product called Tycoon 2FA, which had been active since August 2023. Further monitoring of Tycoon 2FA phishing page infrastructure and the campaigns using it showed it to be “one of the most widespread AITM phishing kits over the last few months,” the researchers said.
In mid-February 2024, Sekoia identified a new version of Tycoon 2FA being widely distributed. Tracking the changes to its source code showed that the new version had improved obfuscation and anti-detection capabilities.
Sekoia believes the developer of the phishing kit is an individual who goes by a multitude of names and regularly posts changes between Tycoon 2FA versions to a dedicated Telegram channel. The researchers found ready-made, operational phishing pages targeting Gmail accounts on sale starting at just $120 for 10 days of usage, alongside others built for Microsoft 365 accounts.
How Tycoon 2FA Attackers Bypass Two-Factor Protections
A Tycoon 2FA attack begins with an email carrying an embedded malicious link or QR code that redirects the victim to a cloned account login page. That page sits between the victim and the real service, which is what makes it adversary-in-the-middle rather than a simple static clone. Once the username and password have been entered, Tycoon 2FA presents what appears to be a genuine 2FA challenge to confirm the user's identity; the researchers describe the criminals as “intercepting the 2FA token or response to bypass security measures.” Because the real service accepts the relayed password and second factor, it issues a valid session cookie, and it is that cookie the kit captures. The attackers can then reuse it at will: the account's real 2FA protection has already been satisfied, so presenting the cookie requires neither the password nor a fresh second factor.
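To make the mechanism above concrete, here is a toy simulation written for this article; it is not code from Tycoon 2FA or from Sekoia's analysis. The identity provider, the relaying proxy, the victim account, the TOTP seed and the client fingerprints are all invented. It shows why relaying defeats a one-time code: the code is valid when the proxy forwards it, the real service mints a session cookie, and that cookie is replayed later from a different client without any factor at all. The `use_session` method also flags the replay, which is the check a practitioner would want: a cookie minted for one client fingerprint but presented by another.

```python
"""
Toy model of an adversary-in-the-middle (AiTM) phishing flow.
Added illustration only: every name, secret and fingerprint below is
invented for this simulation; nothing here is Tycoon 2FA's own code.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))


class IdentityProvider:
    """Stand-in for a real login service protected by password + TOTP."""

    def __init__(self):
        self.users = {}      # username -> (password, totp_secret)
        self.sessions = {}   # cookie -> (username, client fingerprint at login)

    def register(self, user, password, totp_secret):
        self.users[user] = (password, totp_secret)

    def login(self, user, password, code, fingerprint, now=None):
        """Return a session cookie if both factors check out, else None."""
        pw, secret = self.users.get(user, (None, None))
        if pw is None or pw != password:
            return None
        if not hmac.compare_digest(code, totp(secret, now)):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, fingerprint)
        return cookie

    def use_session(self, cookie, fingerprint):
        """Resolve a cookie to its user and flag use from a different client.

        The flag is the detection hook: a cookie minted for one client
        (IP + user agent) but presented by another is the replay pattern
        that AiTM kits depend on.
        """
        entry = self.sessions.get(cookie)
        if entry is None:
            return None, False
        user, login_fp = entry
        return user, fingerprint != login_fp


class AitmProxy:
    """The cloned login page: it forwards whatever the victim types, live."""

    def __init__(self, idp, proxy_fingerprint):
        self.idp = idp
        self.fp = proxy_fingerprint   # the real service sees the proxy, not the victim
        self.loot = []                # captured (username, password, session cookie)

    def victim_submits(self, user, password, code, now=None):
        # The victim types into attacker HTML, but the password and the
        # still-valid TOTP code are forwarded to the real service, so the
        # 2FA challenge succeeds. The cookie the service issues is the prize.
        cookie = self.idp.login(user, password, code, self.fp, now)
        if cookie is not None:
            self.loot.append((user, password, cookie))
        return cookie   # victim lands in a working session and notices nothing


def run_demo(now=1_700_000_000.0):
    """Walk one victim through the proxy, then replay the cookie from elsewhere."""
    idp = IdentityProvider()
    secret = b"constructed-totp-seed-for-demo"          # invented seed
    idp.register("victim@example.com", "correct horse battery staple", secret)
    proxy = AitmProxy(idp, "198.51.100.9|Mozilla/5.0")   # invented proxy host
    attacker_fp = "203.0.113.7|curl/8.0"                 # invented attacker box

    # Victim reads the six-digit code off their authenticator app and types it in.
    cookie = proxy.victim_submits("victim@example.com", "correct horse battery staple",
                                  totp(secret, now), now)

    # Attacker replays the stolen cookie: no password and no fresh code needed.
    replay_user, anomalous = idp.use_session(cookie, attacker_fp)
    return {
        "victim_logged_in": cookie is not None,
        "captured": len(proxy.loot),
        "replay_user": replay_user,
        "replay_flagged": anomalous,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the simulation makes visible. First, the login itself is performed from the proxy's infrastructure, so a new-device or impossible-travel signal at sign-in time is the earliest detection opportunity, before any cookie is replayed. Second, the fingerprint check in `use_session` is a heuristic, not a cure: an attacker who replays from infrastructure that mimics the victim's user agent and region will not trip it, which is why the article's point that the kit "resets" the arms race to the user holds.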
“When victims fall prey to these multi-factor authentication bypass phishing attacks,” Max Gannon, cyber intelligence analysis manager at Cofense, says, “they effectively log themselves in and authorize the access that MFA simply can’t protect against.” This is not a failure of the 2FA mechanism itself, since the credentials being entered are genuine. “These kits essentially reset the phishing arms race to where we were before the advent of MFA,” Gannon concludes, “where the key factor to preventing account compromise is the person being phished.”
I have reached out to both Google and Microsoft for a statement.