Threat actors use Tycoon 2FA kits to steal your data via fake login pages

The new PAAS platform targets Microsoft 365 and Gmail accounts

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

A robot using Tycoon 2FA to bypass a laptop

Hackers use the phishing-as-a-service (PAAS) platform known as Tycoon 2FA to target Microsoft 365 and Gmail accounts. Their method bypasses two-factor authentication (2FA) systems. Also, the PAAS tool is similar to other Adversary-in-The-Middle (AiTM) phishing platforms such as Dadsec OTT. Thus, cyber security specialists believe that cybercriminals reuse the code.

The Tycoon 2FA quickly became one of the most widespread AiTM phishing kits. As a result, more than a thousand domains are using it. Unfortunately, cybercriminals worked fast and updated their tool to a new version that enhances its obfuscation and anti-detection capabilities. Also, they added a feature that changes network traffic patterns.

How do the Tycoon 2FA attacks work?

Threat actors who use Tycoon 2FA send fake emails with embedded URLs or QR codes. By accessing them, you will get to a security challenge. After completion, they will extract your email address from the URL. Then, you will be redirected to a fake login page. Once you log in, you will encounter a fake two-factor authentication. From there, the hackers will get access to bypass security measures and steal your data. In the end, you will get to the official Microsoft site.

Unfortunately, the alleged developer of the Tycoon 2FA kit sells ready-to-use Microsoft 365 and Gmail phishing pages starting at $120 for ten days. However, the payment is subject to change based on the top-level domain. Also, according to Sekoia’s analysis, more than 530 crypto transactions covered over $120. On top of that, more threat actors are using the tool due to its low price.

Last but not least, hackers are using a newer version of Tycoon 2FA to trick you into stealing your login information. Then, they gain access to use it at will or to sell it. The tool is cheap, and many wrongdoers are using it. On top of that, the alleged developer sells phishing pages with different top-level domains. The whole stealing process starts with a fake email. Thus, always verify the source and never open or download files from unknown people. In addition, for your safety, check the URL of the web pages you visit, especially if you are in a hurry.

What are your thoughts? Do you ever check the source of your emails? Let us know in the comments.

More about the topics: Cybersecurity, Phishing, security threats

User forum

0 messages