The Tycoon 2FA phishing-as-a-service (PhaaS) kit has adopted a trio of techniques that improve its stealth and let attackers extend their campaigns to mobile environments, an evolution since the kit was first discovered in 2023.
Trustwave researchers said in an April 10 blog post that attackers leveraging Tycoon 2FA tend to target Microsoft 365 and Gmail users.
The researchers added that the three techniques observed present problems for security teams in the following ways:
“Security teams should consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns to stay ahead of these tactics,” the Trustwave researchers wrote.
Krishna Vishnubhotla, vice president of product strategy at Zimperium, added that PhaaS platforms are pointedly lowering the cost of entry for new attackers, mainly through mobile devices. By offering ready-made phishing kits, these platforms remove the need for the extensive technical skills or resources usually required for phishing attacks, said Vishnubhotla.
“Attackers can launch sophisticated campaigns against businesses with minimal investment and effort, leveraging mobile devices' ubiquity and continual connectivity,” said Vishnubhotla. “This ease of access to advanced phishing tools, and the ability to target users on mobile devices, where security may be more lax, make it ever more convenient and cost-effective for nefarious actors to execute efficacious cybercrimes.”
“PhaaS platforms like Tycoon2FA are a shift from targeting credentials to bypassing authentication,” explained Ted Miracco, chief executive officer at Approov. Miracco said browser-based attacks can blur the lines between desktop and mobile exposure, expanding the attack surface.
“Tycoon2FA is clearly not exclusively a web-only threat, as its tactics can also threaten mobile users due to the shared use of web-based vectors that span desktop and mobile environments,” said Miracco. “Though not mobile-native malware, Tycoon2FA can impact mobile users since malicious SVG attachments can be rendered in mobile mail clients, just as they would be on a desktop. The mobile browser then executes the same obfuscated JavaScript used to redirect to fake login pages.”
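The SVG vector Miracco describes, and the "deeper inspection of JavaScript patterns" Trustwave recommends, can be turned into a mail-gateway check: treat any SVG attachment that carries script elements, inline event handlers or encoded payloads as active content rather than an image. The following is an added example written for this article, not code from Trustwave, Zimperium or Approov; the message, filenames and the `example.invalid` redirect URL are all constructed.

```python
import email
import re
from email import policy
from xml.etree import ElementTree as ET
# Constructed sample (not a real capture): SVG attachment with inline script that
# redirects the viewer, modelled on the vector the article describes.
SAMPLE_EML = b"""\
From: billing@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/svg+xml; name="invoice.svg"
Content-Disposition: attachment; filename="invoice.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="go()">
  <script>var u=atob('aHR0cHM6Ly9sb2dpbi5leGFtcGxlLmludmFsaWQv');location.href=u;</script>
</svg>
--b1--
"""
SVG_NS = "{http://www.w3.org/2000/svg}"

def svg_findings(svg_bytes: bytes) -> list[str]:
    # Reasons an SVG should be treated as active content rather than an image.
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-svg"]
    findings = []
    for el in root.iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag in ("script", "foreignObject"):  # script-bearing elements
            findings.append(f"element:{tag}")
        for attr in el.attrib:
            if attr.lower().startswith("on"):  # inline event handlers (onload, ...)
                findings.append(f"handler:{attr}")
    # atob() or a long base64 literal points at an encoded redirect target
    if re.search(rb"atob\(|[A-Za-z0-9+/]{40,}={0,2}", svg_bytes):
        findings.append("encoded-payload")
    return findings

def scan_message(raw: bytes) -> dict[str, list[str]]:
    # Map each SVG attachment filename in an RFC 822 message to its findings.
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            results[name] = svg_findings(part.get_payload(decode=True))
    return results
```

A benign SVG produces an empty finding list, so the gateway can quarantine or strip only attachments with a non-empty result.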