Bypass Pesky MFA for Only $15 a Day

Phishing-as-a-service, or PhaaS, is a subscription model for cyber threats, much like other "as a service" offerings you may be familiar with, such as ransomware-as-a-service.  One of the noted early pioneers of this model is BulletProofLink.  That operation was taken down by Malaysian law enforcement in November 2023 in collaboration with the Australian Federal Police and the FBI.

The general idea of phishing-as-a-service is that providers offer ready-to-use phishing templates to their customers.  These templates mimic the login pages of a variety of services, such as credit card issuers, shipping providers, banks, or platforms like Microsoft 365 and Gmail.  As we will see shortly with Tycoon, kits are now also built to get around multifactor authentication.

From there, depending on the situation, these templates can be deployed in the ways one would expect of any phishing campaign: social engineering, spam campaigns, and so on.  Beyond the login templates, "phishing kits" often also include fake website templates, lists of potential targets, detailed instructions for conducting attacks, and sometimes even customer support.

As with other "as a service" threats, phishing-as-a-service lets threat actors with fewer technical skills run phishing campaigns without building their own templates or maintaining their own infrastructure.  Such a service can be bought for as little as $15 a day, or for a $40 flat fee.  As for the stolen data, it is also not uncommon for providers to engage in "double theft": the stolen data is delivered to the customer, but the provider keeps a copy for its own use.

In October 2023, Sekoia researchers uncovered a new phishing kit and linked it to the Tycoon phishing-as-a-service platform, which has been active since at least August 2023.  A newer version has been observed since February 2024, with improved obfuscation, stronger anti-detection measures, and changes in its network traffic patterns.

The Tycoon phishing kit shares similarities with a host of other phishing kits, but the Dadsec OTT phishing kit, operated by the threat actor tracked as Storm-1575, is strikingly similar.  Both Dadsec and Tycoon have administration panels that are almost identical in content and design.  Both kits also challenge visitors with Cloudflare Turnstile, a CAPTCHA alternative, before serving the phishing page.  Further, some of the same text strings appear in the pages of both kits.  With all of that said, it is worth noting that the MFA bypass techniques of the two kits are different.

[Image omitted]

(Source: Sekoia)

The threat actor who claims to be the developer of the kit sells ready-to-use phishing kits for Microsoft 365 and Gmail on Telegram.  Services start at $120, and prices increase depending on the top-level domain used for the pages.  Transactions linked to the operator's Bitcoin wallet indicate that nearly $400,000 worth of payments have taken place.

Attacks using the Tycoon 2FA kit proceed in seven stages.  First, the customer distributes the phishing pages by way of redirecting URLs and QR codes, typically embedded in emails.  A user who follows the link is then challenged with Cloudflare Turnstile, which keeps out automated and otherwise unwanted traffic.  Next, a couple of redirections take place, during which the victim's email address is extracted from the URL if one is present, and the user eventually lands on a fake authentication page.

[Image omitted]

(Source: Sekoia)
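The URL stage described above is where a defender often gets a first look at a campaign: the link carries the victim's address so the kit can target the right person.  The following Python is an added example, not code from this article or from the Sekoia analysis.  Kits of this type commonly put the address in a query parameter, a path segment or the URL fragment, either in the clear or base64-encoded; this page does not say which encoding Tycoon uses, so handling both is an assumption, and the sample URLs are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _url_pieces(url):
    """Yield every part of a URL that a kit could use to carry a victim
    identifier: query values, path segments and the fragment (the fragment
    never reaches the server, but the page's JavaScript can read it)."""
    p = urlparse(url)
    for values in parse_qs(p.query, keep_blank_values=True).values():
        yield from values
    yield from (seg for seg in p.path.split("/") if seg)
    if p.fragment:
        yield p.fragment


def _decode_base64_text(token):
    """Decode a standard or URL-safe base64 token (padding optional) to text.
    Return None when the token is not valid base64 or not UTF-8."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def extract_embedded_email(url):
    """Return (email, encoding) when the URL carries an e-mail address in the
    clear or base64-encoded; otherwise return None."""
    for piece in _url_pieces(url):
        piece = unquote(piece)
        m = EMAIL_RE.search(piece)
        if m:
            return m.group(0), "plain"
        decoded = _decode_base64_text(piece)
        if decoded:
            m = EMAIL_RE.search(decoded)
            if m:
                return m.group(0), "base64"
    return None


def build_samples():
    """Constructed sample URLs for the demonstration (not real campaign URLs)."""
    b64 = base64.urlsafe_b64encode(b"victim@corp.example").decode().rstrip("=")
    return {
        "plain_query": "https://example.invalid/rd/?e=victim%40corp.example",
        "b64_fragment": "https://example.invalid/acc/#" + b64,
        "no_email": "https://example.invalid/acc/login",
    }


def triage(urls):
    """Map each named URL to its extraction result so a batch can be reviewed."""
    return {name: extract_embedded_email(u) for name, u in urls.items()}


if __name__ == "__main__":
    for name, result in triage(build_samples()).items():
        print(f"{name:13s} -> {result}")
```

Run on a list of URLs pulled from mail gateway logs, a hit tells you which mailbox was targeted and that the link is personalised rather than a generic spray, which is worth knowing before deciding whether to search for further sign-in activity on that account.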

The authentication page contains obfuscated JavaScript that serves several purposes: fingerprinting the user's browser, opening a WebSocket to the command-and-control server, and capturing and exfiltrating what the user types.  At that point more obfuscated JavaScript is downloaded to perform the MFA relay.  The kit works as an adversary-in-the-middle (AiTM) proxy: the victim's credentials and MFA response are relayed through the kit's servers to the legitimate service, the responses (including the authenticated session cookie) are captured, and the relevant information is passed back to the user so the login looks normal.  A final redirection sends the victim to what is often a variant of a "not found" page, which helps disguise the fact that an attack has taken place.
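Because the relay above is an adversary-in-the-middle pattern, one of its footprints in identity-provider sign-in logs is a session whose MFA-satisfied interactive sign-in came from one IP address (the kit's proxy) and whose token is then used from a different IP shortly afterwards (the operator's host).  The following Python is an added example, not code from this article or from Sekoia.  The line-delimited JSON event format and the sample events are constructed for illustration and are not any vendor's real log schema; the 30-minute window is an assumed tuning value.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in events, one JSON object per line. The field names
# are an illustrative schema for this example, not a real product's log format.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00Z", "user": "alice@corp.example", "type": "interactive", "mfa": "satisfied", "ip": "203.0.113.10", "session": "s-1001"}
{"ts": "2024-03-04T09:03:20Z", "user": "alice@corp.example", "type": "token", "mfa": "n/a", "ip": "198.51.100.77", "session": "s-1001"}
{"ts": "2024-03-04T09:10:00Z", "user": "bob@corp.example", "type": "interactive", "mfa": "satisfied", "ip": "192.0.2.5", "session": "s-2002"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob@corp.example", "type": "token", "mfa": "n/a", "ip": "192.0.2.5", "session": "s-2002"}
{"ts": "2024-03-04T13:00:00Z", "user": "bob@corp.example", "type": "token", "mfa": "n/a", "ip": "192.0.2.99", "session": "s-2002"}
"""


def parse_events(text):
    """Parse line-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window_minutes=30):
    """Flag sessions whose MFA-satisfied interactive sign-in came from one IP
    and whose token was then used from a different IP within the window.

    That sequence is the footprint of an AiTM relay: the victim authenticates
    through the kit's proxy (first IP) and the operator then uses the captured
    session from another host (second IP). The window is a tuning knob: too
    short misses a patient operator, too long flags ordinary roaming users."""
    window = timedelta(minutes=window_minutes)
    origin = {}   # session id -> (user, ip, timestamp) of the MFA sign-in
    alerts = []
    for e in events:
        sid = e["session"]
        if e["type"] == "interactive" and e["mfa"] == "satisfied":
            origin[sid] = (e["user"], e["ip"], e["ts"])
            continue
        if sid not in origin:
            continue  # no observed MFA sign-in for this session; nothing to compare
        user, mfa_ip, mfa_ts = origin[sid]
        if e["ip"] != mfa_ip and e["ts"] - mfa_ts <= window:
            alerts.append({
                "user": user,
                "session": sid,
                "mfa_ip": mfa_ip,
                "replay_ip": e["ip"],
                "seconds_after_mfa": int((e["ts"] - mfa_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(a)
```

With the constructed events only Alice's session is flagged: her token is used from a second address 200 seconds after the MFA prompt was satisfied.  Bob's change of address comes almost four hours later and is suppressed by the default window; widen the window and it is flagged too.  In practice the IP comparison is best strengthened with ASN or geolocation data and a per-user baseline, since a laptop moving from office Wi-Fi to a mobile hotspot produces the same raw pattern.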

In summary, we have given a brief overview of phishing-as-a-service.  It is a subscription model for cyber threats, not unlike other "as a service" offerings, in which customers obtain ready-to-use phishing templates, enabling people without many technical skills to carry out phishing attacks.

From there, we went over some details of Tycoon 2FA.  It is a relatively new phishing kit, discovered in October 2023 by Sekoia researchers, with a number of similarities to other phishing kits, Dadsec in particular.  The kit runs a multistage process to capture and harvest user data, including the authenticated session that lets the operator bypass MFA, and it is focused mostly on Microsoft 365 and Gmail accounts.


[1]: https://thehackernews.com/2023/11/major-phishing-as-service-syndicate.html

[2]: https://www.trendmicro.com/en_se/ciso/23/c/phishing-as-a-service-phaas.html

[3]: https://heimdalsecurity.com/blog/what-is-phishing-as-a-service-phaas/

[4]: https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/

[5]: https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#6314a596-74ca-4a78-b033-264ac4b211a1


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/5504229295967742989
