Tycoon Phishing Kit

The emergence of Tycoon 2FA, a new phishing kit, has sparked significant concern within the cybersecurity community. Marketed as part of the Tycoon Group's Phishing-as-a-Service (PaaS) offering on Telegram, it is available for as little as $120. Its advertised features include bypassing Microsoft two-factor authentication, fast-loading links, and the use of Cloudflare to defeat anti-bot measures so that phishing links stay undetected for longer.

In mid-October 2023, the phishing kit was updated, with the operators promising smoother handling of links and attachments. This update coincided with the integration of WebSocket technology into the phishing pages, which enhances browser-to-server communication and makes the transmission of captured data to the actors' servers more efficient.

By February 2024, the Tycoon Group introduced a new feature targeting Gmail users that allows two-factor authentication to be bypassed. This release includes a Gmail 'Display' login page and a Google Captcha, broadening the kit's potential target audience beyond Microsoft 365 users.

In a more recent update, the group added support for collecting Active Directory Federation Services (ADFS) cookies, specifically targeting organizations whose authentication relies on ADFS.

The Tycoon Phishing Kit Infection Chain

The attack chain sequence begins with a standard phishing campaign that exploits trusted domains and cloud-based services to obscure the true destination URL of the main phishing landing page. This strategy entails leveraging reputable online mailer and marketing services, newsletters, or document-sharing platforms as URL redirectors or hosts for decoy documents containing links to the final phishing page.

The redirection occurs upon clicking a link in the email, leading either to a decoy document with a link to the primary phishing page or directly to the main phishing landing page facilitated by a redirector.

The main phishing landing page comprises two primary components: an 'index.php' PHP script responsible for loading the secondary component, a JavaScript ('.js') file whose name begins with 'myscr'. The role of this second component is to generate the HTML code of the phishing page.

The Tycoon Phishing Campaign Checks if Victims Are Not Bots

The second component script employs various obfuscation techniques to elude bot crawlers and anti-spam engines. One such method is a lengthy array of characters represented as decimal integers: each integer is converted back to a character and the results are concatenated to form the HTML source code of the phishing page. Additionally, the script uses an obfuscation technique known as an 'opaque predicate', which introduces redundant code into the program flow to obscure the script's underlying logic.
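To show how an analyst can recover the hidden page from the decimal-integer array technique described above, here is an added example (not code from the kit or from the original article). It builds a constructed JavaScript sample in the same shape, extracts long numeric arrays, decodes them, and flags any credential-harvesting form found in the result; the `myscr` variable name and the form fields are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a benign-looking HTML login form encoded as a decimal array,
# mirroring the obfuscation pattern described in the text (not real kit code).
CONSTRUCTED_HTML = ('<html><body><form method="post" action="/login.php">'
                    '<input type="email" name="user">'
                    '<input type="password" name="pass"></form></body></html>')
CONSTRUCTED_JS = ("var myscr=[" + ",".join(str(ord(c)) for c in CONSTRUCTED_HTML) + "];"
                  "var out='';for(var i=0;i<myscr.length;i++){"
                  "out+=String.fromCharCode(myscr[i]);}document.write(out);")


def extract_decimal_arrays(js: str, min_len: int = 32) -> list:
    """Return every bracketed list of at least `min_len` decimal integers."""
    pattern = r"\[\s*(\d{1,7}(?:\s*,\s*\d{1,7}){%d,})\s*\]" % (min_len - 1)
    return [[int(n) for n in group.split(",")] for group in re.findall(pattern, js)]


def decode_array(values: list) -> str:
    """Reverse the String.fromCharCode loop: each integer becomes one character."""
    return "".join(chr(v) for v in values if 0 <= v < 0x110000)


def decode_embedded_html(js: str) -> list:
    """Decode all long numeric arrays and keep those that decode to markup."""
    return [s for s in (decode_array(a) for a in extract_decimal_arrays(js)) if "<" in s]


class _FormScanner(HTMLParser):
    """Collect forms and note whether each one carries a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action", ""), "has_password": False})
        elif tag == "input" and attrs.get("type", "").lower() == "password" and self.forms:
            self.forms[-1]["has_password"] = True


def find_credential_forms(html: str) -> list:
    """Return forms from the decoded page that collect a password (an IoC for triage)."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [f for f in scanner.forms if f["has_password"]]
```

Running `find_credential_forms` over each string from `decode_embedded_html(sample)` gives an analyst the POST target of the harvesting form without executing the script in a browser.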

Initially, the JavaScript performs prefiltering using the Cloudflare Turnstile service to verify that the link is being accessed by a human rather than an automated crawler. Subscribers to the PaaS can enable this feature in the admin panel and supply the Cloudflare keys associated with their own accounts. This integration also gives the phisher additional metrics through the Cloudflare dashboard.

Upon successful verification, the JavaScript loads a counterfeit sign-in page tailored to the phishing theme chosen by the subscriber. For instance, it may mimic a Microsoft 365 login page.

Tycoon Provides Its Clients with a Control Dashboard

The Tycoon Group PaaS offers an admin panel to subscribers or renters, allowing them to log in, create and monitor campaigns, and manage phished credentials.

Users have access to the panel for a set period, depending on their subscription level. From the settings section they can start new campaigns, choose the preferred phishing theme and adjust various PaaS features. Subscribers can also review phished credentials, including usernames, passwords and session cookies, and the service can forward phishing results to their Telegram accounts.

Phishing Attacks are Becoming Easier to Execute via Phishing Kits Like Tycoon

The emergence of the Phishing-as-a-Service model, exemplified by groups like Tycoon, has significantly lowered the barrier to entry for executing sophisticated phishing attacks, even for less experienced criminals. This accessibility is evident in the surge of phishing attacks that use such services, as researchers have noted. What sets the Tycoon Group apart is its incorporation of WebSocket technology into the phishing page, enabling smoother data transmission between the browser and the attacker's server. This feature also simplifies campaign management and oversight of phished credentials for subscribed actors.
