A new phishing kit is targeting Gmail and Microsoft email accounts — and it can even bypass 2FA

A padlock resting on a keyboard.
(Image credit: Passwork)

A brand new phishing kit is gaining popularity in the underground community, researchers have claimed.

Tycoon 2FA does a good job at evading security analysts, while allowing threat actors to bypass even two-factor authentication (2FA), according to cybersecurity experts at Sekoia, who recently detailed the newest iteration of the Phishing-as-a-Service (PhaaS) solution.

As per the report, Tycoon 2FA was first spotted in mid-2023, but with the start of 2024, it’s gotten a major upgrade, with the tool using roughly 1,100 domains, and is being used in “thousands” of phishing attacks. 

Bypassing 2FA

To put things into perspective, the Bitcoin wallet linked to the operation has seen more than 500 transactions since August last year, when the PhaaS first launched. These transactions were around $120, the entry price for a 10-day phishing link.

By March this year, the operators raked in almost $400,000 worth of cryptos.

As for the upgrades, there are two crucial ones, Sekoia reports. The first one makes the tool harder to spot and analyze. With changes to the JavaScript and HTML code, changes in the order of resource retrieval, and better filtering, dissecting the service was a much bigger challenge. What’s more, all the Tor traffic and IP addresses are better identified, and bad traffic gets rejected depending on specific user-agent strings. 

The second one is the ability to bypass two-factor authentication. By using a reverse proxy server to host the phishing page, the attackers are able to intercept victim input, stealing session cookies and 2FA codes.

"Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies," Skoia said in its report. 

Multi-factor authentication has always been considered a great defense mechanism, but lately, threat actors have been getting better at working around it.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS