Emerging Tycoon 2FA Phishing Kit Sparks Alarm in Cybersecurity Circles
The emergence of a new phishing kit named Tycoon 2FA has alarmed the cybersecurity community. Uncovered by the Sekoia Threat Detection & Research (TDR) team in October 2023 and detailed in a recently released advisory, Tycoon 2FA is an Adversary-in-the-Middle (AiTM) phishing kit that various threat actors have reportedly used in extensive and successful cyberattacks.
According to Sekoia’s findings, the Tycoon 2FA platform has been operational since at least August 2023. Since its detection, Sekoia has actively monitored the infrastructure connected to Tycoon 2FA. Analysis indicates that the kit has become one of the most prevalent AiTM phishing kits, with over 1,100 domain names identified between October 2023 and February 2024.
The Tycoon 2FA phishing kit employs multiple stages to carry out its malicious activities efficiently. Initially, victims are directed through email attachments or QR codes to a page featuring a Cloudflare Turnstile challenge, intended to deter unwanted traffic. After successful completion, users encounter a counterfeit Microsoft authentication page, where their credentials are harvested.
The phishing kit then relays the harvested credentials to the legitimate Microsoft authentication API and intercepts the session cookies, which allows it to bypass Multi-Factor Authentication (MFA).
In its latest advisory, Sekoia revealed that it detected a revised iteration of Tycoon 2FA in February 2024, with notable changes to its JavaScript and HTML code that enhance its phishing capabilities. Particularly noteworthy are the restructured resource retrieval and the broader traffic filtering, which are aimed at blocking bot activity and thwarting analysis efforts.
You can read the full article here – https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.