Tycoon 2FA: Two-factor authentication in your email won't help anymore

Attackers are hacking Microsoft 365 and Gmail accounts using a new phishing platform.

Cybercriminals are increasingly using the new phishing platform Tycoon 2FA to break into Microsoft 365 and Gmail accounts while bypassing two-factor authentication. This trend was revealed by experts from Sekoia.

Tycoon 2FA was discovered in October 2023, but the attackers started using it in August. Then the hacker group Saad Tycoon began to offer its product in closed Telegram channels. In fact, the service operates on the "phishing-as-a-service" model, that is, it is provided to other criminals for rent.

In 2024, a new, more secretive version of Tycoon 2FA was released, which indicates the constant efforts of developers to improve it. At the moment, the service uses 1,100 domains and has been seen in thousands of phishing attacks.

Attacks using Tycoon 2FA take place in several stages:
  1. Criminals distribute malicious links or QR codes via email (thus, victims are lured to phishing sites).
  2. The platform filters bots using the Cloudflare Turnstile protection mechanism, which allows only real users.
  3. The victim's email address is extracted from the URL to personalize the attack.
  4. The user is redirected to another phishing page.
  5. The screen displays a fake Microsoft Account login page to steal credentials.
  6. The platform displays a fake 2FA page to intercept the one-time code and bypass two-factor authentication.
  7. The person is redirected back to the legitimate site to hide the traces of the attack.
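Stages 3 and 7 above give defenders two cheap signals in the link itself: the recipient's own address is carried in the URL so the kit can personalise the page, and the path is pseudorandom rather than a stable, readable one. The following is an added example (not code from the article or from Sekoia) that inspects the links in a message for those traits; all URLs and the recipient address are constructed sample values, and the entropy threshold is an assumption to tune against real mail flow.

```python
"""Flag links that embed the mail recipient's address or use pseudorandom paths.

Added example for mail-gateway or SOC triage use; the sample URLs, the
recipient address and the entropy threshold below are constructed/assumed.
"""
import base64
import math
import re
from collections import Counter
from urllib.parse import unquote, urlparse


def base64_variants(text):
    """Standard and URL-safe base64 forms of text, with and without '=' padding."""
    raw = text.encode()
    forms = {base64.b64encode(raw).decode(), base64.urlsafe_b64encode(raw).decode()}
    return forms | {f.rstrip("=") for f in forms}


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_looking_segments(url, min_len=16, min_entropy=3.5):
    """Path segments that are long, alphanumeric and high-entropy (assumed thresholds)."""
    path = urlparse(url).path
    return [
        seg for seg in path.split("/")
        if len(seg) >= min_len
        and re.fullmatch(r"[A-Za-z0-9_-]+", seg)
        and shannon_entropy(seg) >= min_entropy
    ]


def link_findings(url, recipient):
    """Return the reasons a URL looks like a personalised phishing link for `recipient`."""
    findings = []
    # Percent-decode first so alice%40example.com is caught as well as alice@example.com.
    if recipient.lower() in unquote(url).lower():
        findings.append("recipient address appears in clear in the URL")
    # Kits also hide the address as base64 in the query or fragment; check both spellings.
    encoded = base64_variants(recipient) | base64_variants(recipient.lower())
    if any(v in url for v in encoded):
        findings.append("recipient address appears base64-encoded in the URL")
    segs = random_looking_segments(url)
    if segs:
        findings.append("pseudorandom path segment(s): " + ", ".join(segs))
    return findings


def scan_message_links(urls, recipient):
    """Map each suspicious URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := link_findings(u, recipient))}


if __name__ == "__main__":
    # Constructed sample links as they might be extracted from one inbound message.
    sample_recipient = "alice@example.com"
    sample_urls = [
        "https://login.example.org/account",
        "https://phish.invalid/verify?user=alice%40example.com",
        "https://phish.invalid/x7Kq9pL2mN4rT8vW/index#YWxpY2VAZXhhbXBsZS5jb20=",
    ]
    for link, why in scan_message_links(sample_urls, sample_recipient).items():
        print(link)
        for reason in why:
            print("  -", reason)
```

Neither signal is proof on its own (legitimate mailers also tokenise links), so the output is meant as an enrichment for a sandbox or analyst queue rather than a block decision; the recipient check is the stronger of the two because it ties the link to the specific target the way the kit does.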

According to Sekoia, Tycoon 2FA has similarities to other phishing platforms like Dadsecond, which may indicate code reuse or collaboration between developers.

The scale of distribution of Tycoon 2FA is quite impressive: over $394 thousand in cryptocurrency has been received on the operators' crypto wallet since October 2019, and a significant influx of funds has been recorded since August 2023, the moment the platform was launched. In the first 10 days after the August release alone, hackers received more than 530 transactions worth over $120 each.

Analysts say that the creators have improved the latest version of Tycoon 2FA considerably. They changed the code to JavaScript and HTML, revised the order in which resources are loaded, and increased bot filtering.

For example, malicious resources are now loaded only after successfully passing the Cloudflare Turnstile check. In addition, attackers use pseudorandom URLs to hide their activity.

In the new version of Tycoon 2FA, the mechanisms for recognizing and blocking traffic from the anonymous Tor network, as well as from IP addresses of data centers, have improved. The platform started blocking certain user-agent headers that can be used by detection tools.