This worrying Microsoft 365 phishing kit has seen a huge upgrade, experts warn

  • Experts warn Tycoon2FA has gotten new obfuscation and evasion upgrades
  • The platform is used to bypass MFA on Google and Microsoft accounts
  • It is hugely popular among cybercriminals

Tycoon2FA, an infamous phishing-as-a-service (PhaaS) platform, has been greatly improved, becoming even more difficult to spot and eliminate, experts have warned.

Cybersecurity researchers at Trustwave said they have spotted three new upgrades to the PhaaS platform, best known for its ability to bypass multi-factor authentication (MFA) on Microsoft and Google accounts.

It operates as an adversary-in-the-middle (AiTM) attack, intercepting login credentials and session cookies to gain unauthorized access to user accounts, even those secured with MFA. It was also upgraded numerous times in the past, with its operators being mostly focused on obfuscation and evasion.

(R)evolution

Now, Trustwave says Tycoon2FA uses invisible Unicode characters to hide binary data within JavaScript from human eyes, evading manual and static pattern-matching analysis.
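As an added defender-side example (not code from the article or from Trustwave's analysis), a small Python scanner that flags long runs of invisible Unicode format characters in JavaScript source; the code points it looks for, the run threshold and the sample payload are assumptions, since the article does not say which characters the kit uses or how it encodes the hidden bits.

```python
import unicodedata

# Code points that render as nothing in an editor or browser. The set is an
# assumption; "Cf" (format) characters are added generically below because
# zero-width joiners, word joiners, BOMs and bidi controls all fall in it.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\u2061", "\u2062",
             "\u2063", "\u2064", "\ufeff", "\u034f", "\u180e"}

def is_invisible(ch: str) -> bool:
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"

def find_invisible_runs(source: str, min_run: int = 8):
    """Return (offset, length, code_points) for each run of at least min_run
    consecutive invisible characters. A stray zero-width space inside a string
    literal is common and benign; a run of dozens or hundreds is a data channel."""
    runs, i, n = [], 0, len(source)
    while i < n:
        if not is_invisible(source[i]):
            i += 1
            continue
        j = i
        while j < n and is_invisible(source[j]):
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i, sorted({f"U+{ord(c):04X}" for c in source[i:j]})))
        i = j
    return runs

def assess(source: str) -> dict:
    """Summarise a JS file: total invisible characters, suspicious runs, verdict."""
    runs = find_invisible_runs(source)
    return {
        "invisible_total": sum(1 for c in source if is_invisible(c)),
        "hidden_in_runs": sum(length for _, length, _ in runs),
        "runs": runs,
        "suspicious": bool(runs),
    }

# Constructed sample: a benign-looking script carrying 64 bits of data as
# ZWSP/ZWNJ (a stand-in encoding for illustration, not the kit's real scheme).
BITS = format(0xDEADBEEF, "032b") * 2
PAYLOAD = "".join("\u200b" if b == "0" else "\u200c" for b in BITS)
SAMPLE_JS = 'var s = "' + PAYLOAD + '";\nconsole.log("loading");\n'

if __name__ == "__main__":
    report = assess(SAMPLE_JS)
    print(f"suspicious={report['suspicious']} invisible={report['invisible_total']}")
    for offset, length, cps in report["runs"]:
        print(f"  run at offset {offset}, {length} code points: {', '.join(cps)}")
```

Run it over a suspicious page's inline scripts before any deobfuscation; a verdict of `suspicious` with a run of hundreds of code points is a cheap triage signal that static regex-based rules miss because the characters never appear in the rendered text.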

Then, it switched from Cloudflare Turnstile to a self-hosted CAPTCHA rendered via HTML canvas with randomized elements, reportedly to bypass fingerprinting and flagging by domain reputation systems.

Finally, it now includes anti-debugging JavaScript code that detects browser automation tools and blocks some analytics tools.

These changes aren’t revolutionary, or particularly new in the PhaaS ecosystem, Trustwave stresses. However, when combined, they make detection and analysis a lot more difficult.

Tycoon2FA was first spotted in mid-2023, but at the start of 2024 it got a major upgrade; the tool was using roughly 1,100 domains and being used in “thousands” of phishing attacks.

The platform is sold on underground forums, with prices starting at $120 for 10 days of access, making it accessible to a wide range of cybercriminals.

Some researchers say the platform is very popular in the underground community. Between August 2023 (when it first launched) and March 2024, the Bitcoin wallet linked to the operation reportedly took in more than $400,000 worth of cryptocurrency at the time.

Via BleepingComputer