- Experts warn that Tycoon2FA has received new obfuscation and evasion upgrades
- The platform is used to bypass MFA on Google and Microsoft accounts
- It is extremely popular among cybercriminals
Tycoon2FA, an infamous phishing-as-a-service (PhaaS) platform, has been significantly improved, making it even harder to detect and take down, experts have warned.
Trustwave cybersecurity researchers said they had spotted three new upgrades to the PhaaS platform, which is best known for its ability to circumvent multi-factor authentication (MFA) on Microsoft and Google accounts.
It operates as an adversary-in-the-middle (AitM) attack, intercepting login credentials and session cookies to gain unauthorized access to user accounts, even those protected with MFA. It has been improved several times in the past, with its operators focusing mainly on obfuscation and evasion.
Now, Trustwave says Tycoon2FA uses invisible Unicode characters to hide binary data in its JavaScript from human eyes, hampering manual and static analysis of the phishing templates.
Next, it moved from Cloudflare to a self-hosted CAPTCHA rendered via an HTML canvas with randomized elements, to evade fingerprinting and flagging by domain reputation systems.
Finally, it now includes JavaScript anti-debugging code that detects browser automation tools and blocks certain analysis tools.
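A defender-side check for the first of these changes, added here as an example and not code from Trustwave or from the kit itself: it scans JavaScript source for long runs of invisible Unicode characters, the kind of padding that hides data from a human reader while staying valid inside a string literal. The article does not name the characters involved, so the character set below (Unicode format characters such as zero-width spaces, plus a few blank-rendering letters) and the sample script are assumptions.

```python
"""Flag JavaScript that hides data in runs of invisible Unicode characters.

Added example for this article; not Trustwave's or the kit's code. Assumption:
the "invisible characters" are Unicode format (Cf) code points or letters that
render as blank, and legitimate scripts almost never contain long runs of them.
"""
import unicodedata

# Letters/symbols outside category Cf that still render as nothing in editors
# (Hangul fillers, braille blank). Assumed set, not taken from the article.
EXTRA_INVISIBLE = {"\u3164", "\uffa0", "\u2800"}


def is_invisible(ch: str) -> bool:
    """True for zero-width/format characters and other blank-rendering glyphs."""
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def find_invisible_runs(source: str, min_run: int = 8) -> list[dict]:
    """Return runs of >= min_run consecutive invisible characters, with line,
    offset, length and the distinct code points used (for triage/IoC building)."""
    runs, i, n = [], 0, len(source)
    while i < n:
        if not is_invisible(source[i]):
            i += 1
            continue
        j = i
        while j < n and is_invisible(source[j]):
            j += 1
        if j - i >= min_run:
            runs.append({
                "line": source.count("\n", 0, i) + 1,
                "offset": i,
                "length": j - i,
                "codepoints": sorted({f"U+{ord(c):04X}" for c in source[i:j]}),
            })
        i = j
    return runs


def invisible_ratio(source: str) -> float:
    """Share of the whole file that is invisible; a coarse second signal."""
    return sum(1 for c in source if is_invisible(c)) / len(source) if source else 0.0


# Constructed sample: a benign line, then a literal stuffed with zero-width chars.
SAMPLE_JS = (
    "const greeting = 'hello';\n"
    "const payload = '" + "\u200b\u200c\u200b\u200d" * 6 + "';\n"
    "document.title = greeting;\n"
)

if __name__ == "__main__":
    for r in find_invisible_runs(SAMPLE_JS):
        print(f"line {r['line']}: {r['length']} invisible chars {r['codepoints']}")
    print(f"invisible ratio: {invisible_ratio(SAMPLE_JS):.3f}")
```

Pointing this at downloaded phishing-page templates gives a quick triage signal; decoding what the runs encode is a separate step the article does not describe.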
These changes are not revolutionary, or even particularly new in the PhaaS ecosystem, Trustwave notes. Combined, however, they make detection and analysis considerably harder.
Tycoon 2FA was first spotted in mid-2023, but in early 2024 it received a major upgrade, with the tool using roughly 1,100 domains and being used in “thousands” of phishing attacks.
The platform is sold on underground forums at prices starting from $120 for 10 days of access, which makes it accessible to a wide range of cybercriminals.
Some researchers say the platform is very popular in the underground community. Reportedly, between August 2023 (when it was first launched) and March 2024, the Bitcoin wallet linked to the operation took in more than $400,000 in cryptocurrency at the time.
Via BleepingComputer