EXECUTIVE SUMMARY
The advisory examines Phishing-as-a-Service (PhaaS) through the Tycoon2FA kit and its ties to the Dadsec phishing kit. A large-scale email phishing campaign has been attributed to the threat actor "Storm-1575"; it relies on the kit's adversary-in-the-middle techniques to deceive users and harvest credentials and session tokens. The advisory highlights how PhaaS platforms lower the barrier to entry for cybercrime: subscribers with little technical skill can run effective phishing campaigns because the kit supplies the infrastructure, page templates and evasion features. Tycoon2FA, with its advanced feature set and an operator interface that demands little expertise, exemplifies this trend and is a formidable tool in criminal hands. It also illustrates the industrialization of phishing: the criminal infrastructure is modular, scalable and monetized through subscriptions and licensing, much like a legitimate SaaS business.
Tycoon2FA is an Adversary-in-the-Middle (AiTM) phishing kit: it sits as a reverse proxy between the victim and the legitimate login service, capturing both the credentials and the authenticated session cookie, so the attacker can reuse the session without completing multi-factor authentication (MFA) themselves. The attack proceeds in stages. Phishing links are delivered by email or embedded in QR codes and lead to a fake login page that mimics services such as Microsoft 365 or Gmail. The victim enters credentials and completes the MFA challenge; because the kit relays each step to the real service in real time, the service issues a valid session cookie, which the kit captures and forwards to the operator. This is why the technique defeats one-time codes and push approvals but not origin-bound authenticators such as FIDO2/WebAuthn, which will not sign a challenge for the phishing domain. To evade detection, the kit obfuscates its JavaScript with a Caesar-style shift cipher and pads it with invisible Unicode characters such as Hangul Filler, which render as nothing but break signature matching. It also fingerprints the visitor's browser, a common way to separate real victims from automated scanners, and exfiltrates captured data in encrypted form through Telegram. The advisory further documents code-level similarities between Tycoon2FA and the Dadsec OTT phishing kit, suggesting code reuse or collaboration between their developers; the earlier public leak of Dadsec OTT's source code plausibly served as a foundation for Tycoon2FA's development.
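As an added example (not code from the advisory or from the kit itself), the following Python script shows how an analyst would reverse the two evasion layers just described: it strips invisible filler code points from a captured landing page and then brute-forces the Caesar shift, scoring each candidate by the JavaScript tokens it contains. The alphabet (printable ASCII), the shift of 13 and the sample page text are assumptions constructed for the demonstration; the real kit may shift over a different alphabet, in which case only the alphabet constants need changing.

```python
"""Recover Caesar-shifted, filler-padded JavaScript (added example, not kit code).

Assumptions (constructed for this demonstration): the page shifts every
printable ASCII character of its JavaScript by a fixed offset over the
94-character range 0x21-0x7E and inserts invisible Unicode filler (Hangul
Filler U+3164 and similar) between characters. SAMPLE_PAGE below is built
by obfuscate() here, not captured from a live campaign.
"""
import re

# Zero-width and filler code points that render as nothing in a browser or
# editor but defeat naive string matching. Hangul Filler (U+3164) is the one
# named in the advisory; the others are common companions in obfuscated pages.
INVISIBLE = re.compile("[\u3164\u115f\u1160\u200b\u200c\u200d\u2060\ufeff]")

LOW, HIGH = 0x21, 0x7E          # printable ASCII, excluding space
ALPHABET_SIZE = HIGH - LOW + 1  # 94 characters

# Tokens a correctly de-shifted blob should contain if it is real JavaScript.
JS_MARKERS = ("function", "document", "window", "fetch(", "location", "cookie")


def strip_invisible(blob: str) -> str:
    """Remove filler characters so the text matches what the JS engine executes."""
    return INVISIBLE.sub("", blob)


def caesar_shift(text: str, shift: int) -> str:
    """Shift printable ASCII cyclically; whitespace and non-ASCII pass through."""
    out = []
    for ch in text:
        o = ord(ch)
        if LOW <= o <= HIGH:
            out.append(chr((o - LOW + shift) % ALPHABET_SIZE + LOW))
        else:
            out.append(ch)
    return "".join(out)


def js_score(text: str) -> int:
    """Count JavaScript markers; the right shift scores far above every other."""
    return sum(text.count(m) for m in JS_MARKERS)


def recover(blob: str) -> tuple[int, str]:
    """Strip filler, try all 94 shifts, return (shift, most JS-like plaintext)."""
    cleaned = strip_invisible(blob)
    best_shift = max(range(ALPHABET_SIZE),
                     key=lambda k: js_score(caesar_shift(cleaned, -k)))
    return best_shift, caesar_shift(cleaned, -best_shift)


def obfuscate(js: str, shift: int, filler: str = "\u3164") -> str:
    """Build a constructed sample: Caesar-shift, then pad every gap with filler."""
    return filler.join(caesar_shift(js, shift))


# Constructed stand-in for the credential-posting logic such a page carries.
SAMPLE_JS = (
    'const form = document.getElementById("login");\n'
    'form.addEventListener("submit", function (e) {\n'
    '  fetch("/submit.php", {method: "POST", body: new FormData(form)});\n'
    '  window.location = "https://login.microsoftonline.com/";\n'
    '});\n'
)
SAMPLE_SHIFT = 13  # assumed key for the demonstration
SAMPLE_PAGE = obfuscate(SAMPLE_JS, SAMPLE_SHIFT)


if __name__ == "__main__":
    removed = len(SAMPLE_PAGE) - len(strip_invisible(SAMPLE_PAGE))
    shift, js = recover(SAMPLE_PAGE)
    print(f"filler code points removed: {removed}")
    print(f"recovered shift: {shift}")
    print(js)
```

The marker-scoring approach is deliberately crude but robust: a wrong shift turns every keyword into line noise while preserving the whitespace skeleton, so only the correct shift produces any hits. When triaging a real capture, check the filler-to-content ratio first; a page whose script is more than a few percent invisible code points is suspicious before any decoding is attempted.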
The advisory concludes that the growing sophistication and accessibility of PhaaS platforms like Tycoon2FA pose a significant threat to organizations worldwide. The combination of advanced technical features and ease of use lets a far broader range of threat actors run effective campaigns, amplifying the scale and impact of phishing. It recommends heightened vigilance and proactive measures: employee education, robust email filtering and advanced threat detection. Because AiTM kits are designed to pass MFA challenges, a practitioner should add two countermeasures to that list: phishing-resistant MFA (FIDO2/WebAuthn or certificate-based), which the proxy cannot relay, and detection of session tokens reused from an unfamiliar IP address or device shortly after sign-in. The advisory also stresses continuous monitoring and intelligence sharing among security teams. By documenting the ties between Tycoon2FA and Dadsec's operations, it aims to equip organizations to defend against these campaigns. The broader takeaway is a warning: PhaaS continues to evolve rapidly, and defenders must adapt just as quickly.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1566 | Phishing (via link) |
| Credential Access | T1556 | Modify Authentication Process |
| Credential Access | T1110 | Brute Force |
| Credential Access | T1539 | Steal Web Session Cookie |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1036 | Masquerading |
| Command and Control | T1102 | Web Service |
| Discovery | T1082 | System Information Discovery |