Cybercriminals are using Tycoon 2FA to bypass 2FA on Microsoft 365 and Gmail accounts.
The use of a new phishing-as-a-service (PhaaS) platform called 'Tycoon 2FA' is gaining popularity among cybercriminals targeting Microsoft 365 and Gmail accounts in an attempt to bypass two-factor authentication (2FA) protection. Discovered by Sekoia analysts during routine threat hunting in October 2023, the PhaaS kit has been active since at least August of that year, when it was offered through private Telegram channels by the Saad Tycoon group. Similarities with other adversary-in-the-middle platforms like Dadsec OTT suggest possible code reuse or developer collaboration between them. A newer version of Tycoon, released in 2024, is said to be more surreptitious than its predecessor, indicating ongoing efforts toward improvement. Currently utilizing over a thousand domains, this service has already been used over a thousand times for phishing attacks.
Tycoon 2FA is a relatively new addition to a PhaaS market that offers cybercriminals choices. Notable platforms such as LabHost, Greatness, and Robin Banks are also capable of bypassing 2FA security measures.
The Tycoon 2FA attacks follow a multistep process in which the cybercriminal uses a reverse proxy server to host the phishing page. The proxy sits between the victim and the real login service, so it can intercept everything the unsuspecting user types, forward it to the authentic service, and steal the session cookies the service returns.
Sekoia explained to Bleeping Computer that "once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies." By doing so, the cybercriminal can replay a user's session and evade multi-factor authentication (MFA) mechanisms.
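The session-cookie replay described above leaves a trace that defenders can look for: a session established with an MFA challenge from one network is shortly afterwards reused from a different IP address or browser. The following detection heuristic is an added example, not code from Sekoia or the article; the event schema (ts, user, session, ip, ua, mfa) and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Session S1 is
# established with MFA from one address and reused minutes later from a
# different address and browser, the pattern a proxied cookie replay leaves.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.10", "ua": "Edge/122", "mfa": True},
    {"ts": "2024-03-01T09:04:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.77", "ua": "Chrome/121", "mfa": False},
    {"ts": "2024-03-01T10:00:00", "user": "bob", "session": "S2",
     "ip": "198.51.100.20", "ua": "Edge/122", "mfa": True},
    {"ts": "2024-03-01T11:30:00", "user": "bob", "session": "S2",
     "ip": "198.51.100.20", "ua": "Edge/122", "mfa": False},
]


def find_session_replays(events, window=timedelta(minutes=30)):
    """Flag sessions that passed MFA from one IP/user agent and were then
    reused from a different IP or user agent within `window`.

    Returns a list of alert dicts; an empty list means nothing suspicious.
    """
    first_seen = {}   # session id -> (time, ip, ua, user) of the MFA login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if sid not in first_seen:
            # Only sessions that were established with an MFA challenge
            # are tracked; their later reuse is what we want to examine.
            if ev["mfa"]:
                first_seen[sid] = (ts, ev["ip"], ev["ua"], ev["user"])
            continue
        t0, ip0, ua0, user0 = first_seen[sid]
        changed = ev["ip"] != ip0 or ev["ua"] != ua0
        if changed and ts - t0 <= window:
            alerts.append({
                "user": user0, "session": sid,
                "mfa_ip": ip0, "replay_ip": ev["ip"],
                "mfa_ua": ua0, "replay_ua": ev["ua"],
                "minutes_after_mfa": (ts - t0).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print("possible session replay:", alert)
```

In production the same check would run over the identity provider's sign-in logs, with the network comparison done on ASN or country rather than on exact IP to reduce noise from mobile clients.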
Sekoia reported that the latest version of the Tycoon 2FA phishing kit, released in 2024, introduced significant modifications that improved the phishing and evasion capabilities. These changes include “updates to the JavaScript and HTML code, alterations in the order of resource retrieval, and more extensive filtering to block traffic from bots and analytical tools.”
Sekoia also reported that the scale of operations is significant, as there's proof of a wide range of cybercriminals currently using Tycoon 2FA for phishing activities.
Multifactor authentication (MFA) is a security measure requiring users to provide two or more forms of verification before accessing an account or system. MFA enhances security by adding an extra layer of protection beyond passwords, reducing the risk of unauthorized access to sensitive health information.
While not explicitly mandated by the Health Insurance Portability and Accountability Act (HIPAA), implementing MFA is considered a best practice for safeguarding electronic protected health information (ePHI) and demonstrates a commitment to patient privacy and security. By requiring multiple forms of verification, MFA helps healthcare organizations mitigate risks, control access to patient records, and maintain compliance with HIPAA regulations.
The discovery of the Tycoon 2FA phishing kit is another advance for cybercriminals. Using 2FA is widely accepted as an added layer of security, giving organizations confidence that their systems are protected from cyber threats. Cybercriminals are constantly advancing their techniques for evading the cybersecurity measures organizations implement to safeguard their data. The increasing popularity of the Tycoon 2FA phishing kit could mean that 2FA offers a false sense of security and is less effective than other safeguarding methods, leading organizations to rethink their security strategies.
By requiring multiple forms of verification, MFA helps mitigate risks associated with unauthorized access, data breaches, and identity theft. It helps control access to patient records and other sensitive health data, ensuring that only authorized individuals can view or modify ePHI.
A cyberattack on a healthcare organization's systems poses severe consequences for HIPAA compliance. Such attacks can compromise patient data, lead to regulatory penalties, disrupt healthcare services, damage the organization's reputation, and result in legal action from affected individuals.