Latest news with #Tycoon2FA

Phishing-as-a-Service PhaaS Surge Elevates AiTM Threats

Arabian Post, 13-06-2025

A surge in Adversary‑in‑the‑Middle phishing attacks exploiting Phishing‑as‑a‑Service frameworks has been recorded in 2025, allowing cybercriminals to systematically bypass multi‑factor authentication and harvest corporate credentials at industrial scale. Researchers from Sekoia and Barracuda warn that tools like Tycoon 2FA, EvilProxy and Sneaky 2FA are being rapidly refined, embedding advanced evasion techniques and automation that make detection increasingly challenging.

AiTM phishing campaigns leverage reverse proxies that intercept login credentials and session cookies in real time. When users enter their password and MFA code, a proxy server relays the information to the legitimate service—such as Microsoft 365 or Google—capturing session tokens in the process. Attackers then replay those tokens to impersonate legitimate users without triggering MFA prompts.

Between January and February, over one million PhaaS‑powered AiTM phishing attempts were blocked globally, with Tycoon 2FA accounting for nearly 90% of the incidents. EvilProxy and Sneaky 2FA contributed around 8% and 3% respectively.

Tycoon 2FA has evolved markedly: its credential‑stealing scripts now employ Caesar‑cipher encryption, invisible Hangul filler characters, AES encryption, and browser fingerprinting to tailor the attack and evade detection. EvilProxy, in contrast, offers ease of deployment, enabling even actors with limited expertise to launch fully automated AiTM campaigns against cloud platforms by mimicking legitimate page source code and proxying credentials live. Sneaky 2FA, meanwhile, uses Telegram‑based bots and clever URL structures to pre‑populate phishing forms with user email addresses, redirect non‑target users to innocuous sites, and selectively deliver phishing pages only to likely victims. It also embeds tracking codes that reinforce its selective targeting.

Darktrace analysts cite real‑world incidents where attackers abused legitimate platforms—such as Milanote—to deliver Tycoon 2FA phishing lures. This misuse of trusted resources bypasses traditional defences like email gateways, which often cannot distinguish between benign and malicious content. SC Media likewise highlights Sneaky Log's Messenger‑driven delivery mechanism and anti‑sandbox filters—including blurred backgrounds and redirects to Wikipedia—making detection by anti‑phishing tools very difficult.

Microsoft's threat intelligence team reports other AiTM vectors such as OAuth‑consent and device‑code phishing. While these attacks exploit legitimate login flows—often via QR codes or OAuth prompts—they similarly bypass MFA using session token theft and abuse of authentication flows.

Threat actors ultimately deploy AiTM access to conduct Business Email Compromise, financial scams, internal reconnaissance, or onward phishing. They frequently install persistent controls—including email forwarding rules and additional MFA factors—to prolong intrusions.

Defensive responses emphasise layered security. Organisations are urged to deploy AI‑powered email defences, anomaly detection within identity logs, real‑time URL scanning, phishing‑resistant credentials like FIDO2 or passkeys, and contextual Conditional‑Access policies based on location or device status. Endpoint‑level inspection, token anomaly monitoring, and pre‑click URL analysis—particularly to bypass proxies like Cloudflare Turnstile—are also advised.

Academic research echoes the urgency for adaptive defences: LLM‑based multi‑agent systems like MultiPhishGuard and fuzzy‑logic frameworks offer promising ways to detect adversarial phishing content while maintaining transparency and low false‑positive rates.
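The article describes the AiTM pattern (the victim completes MFA through the proxy, the attacker replays the captured session from elsewhere) and the follow-on persistence (forwarding rules, extra MFA factors), and recommends "anomaly detection within identity logs" and "token anomaly monitoring". The example below is added here as an illustration of what such a detection could look like; it is not code from the article, Sekoia, Barracuda or any vendor product. It assumes a simplified, constructed identity-log schema (event kinds, a hypothetical session identifier, and placeholder ASN labels) and correlates token use that arrives from a different network or browser than the MFA sign-in that minted the session, then looks for persistence actions shortly afterwards.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One identity-log record (constructed schema, not any vendor's format)."""
    ts: datetime
    user: str
    kind: str         # "mfa_signin" | "token_use" | "add_forwarding_rule" | "add_mfa_method"
    session_id: str   # hypothetical session/refresh-token identifier
    ip: str
    asn: str          # network owner of the source IP; values below are placeholders
    user_agent: str


PERSISTENCE_KINDS = {"add_forwarding_rule", "add_mfa_method"}


def find_token_replay(events, window=timedelta(hours=1)):
    """Flag sessions whose token is presented from a different network or browser
    than the interactive MFA sign-in that minted it, within `window`."""
    ordered = sorted(events, key=lambda e: e.ts)
    origin = {}                      # session_id -> the mfa_signin event that minted it
    alerts = []
    for e in ordered:
        if e.kind == "mfa_signin":
            origin.setdefault(e.session_id, e)   # keep the earliest sign-in
            continue
        if e.kind != "token_use":
            continue
        src = origin.get(e.session_id)
        if src is None:
            continue                 # minting sign-in not in scope; nothing to compare
        reasons = []
        if e.asn != src.asn:
            reasons.append("asn_mismatch")
        if e.user_agent != src.user_agent:
            reasons.append("user_agent_mismatch")
        if reasons and (e.ts - src.ts) <= window:
            alerts.append({"user": e.user, "session_id": e.session_id,
                           "signin_ip": src.ip, "replay_ip": e.ip,
                           "reasons": reasons, "ts": e.ts})
    return alerts


def find_persistence_after_replay(events, alerts, window=timedelta(hours=24)):
    """Flag forwarding-rule or MFA-method additions by a user soon after a replay alert."""
    flagged = []
    for a in alerts:
        for e in events:
            if (e.user == a["user"] and e.kind in PERSISTENCE_KINDS
                    and timedelta(0) <= e.ts - a["ts"] <= window):
                flagged.append({"user": e.user, "action": e.kind, "ts": e.ts,
                                "after_session": a["session_id"]})
    return flagged


def T(hhmm):
    """Helper for the constructed sample: a timestamp on one fixed day."""
    return datetime(2025, 6, 13, *map(int, hhmm.split(":")))


# Constructed sample log. IPs are from documentation ranges; ASN labels are placeholders.
SAMPLE_EVENTS = [
    Event(T("09:00"), "alice", "mfa_signin", "S1", "203.0.113.10", "AS-CORP", "Chrome/125 Windows"),
    Event(T("09:03"), "alice", "token_use", "S1", "198.51.100.77", "AS-VPS", "Chrome/124 Linux"),
    Event(T("09:10"), "alice", "add_forwarding_rule", "S1", "198.51.100.77", "AS-VPS", "Chrome/124 Linux"),
    Event(T("10:00"), "bob", "mfa_signin", "S2", "203.0.113.55", "AS-CORP", "Edge/125 Windows"),
    Event(T("10:05"), "bob", "token_use", "S2", "203.0.113.55", "AS-CORP", "Edge/125 Windows"),
    Event(T("11:00"), "carol", "token_use", "S3", "192.0.2.9", "AS-CORP", "Safari/17 macOS"),
]

if __name__ == "__main__":
    replays = find_token_replay(SAMPLE_EVENTS)
    for a in replays:
        print("REPLAY", a)
    for p in find_persistence_after_replay(SAMPLE_EVENTS, replays):
        print("PERSISTENCE", p)
```

In the sample, alice's session is minted from the corporate network and used three minutes later from a different network and browser, which is the replay signature; the forwarding rule created seven minutes after that is the persistence step the article mentions. Bob's consistent session and carol's token with no in-scope sign-in produce nothing, so the comparison only fires when there is a minting event to compare against. The ASN and user-agent fields stand in for whatever network and client attributes a real identity provider exposes; the thresholds are assumptions to tune per environment.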

Phishing-as-a-Service drives surge in cybercrime for 2025

Techday NZ, 13-06-2025

Barracuda Networks has released new details on the rising prevalence of Phishing-as-a-Service (PhaaS) attacks, the technologies underpinning them, and trends shaping cybercrime in 2025. The company's analysis found that an estimated 60% to 70% of all phishing attacks observed since the beginning of 2025 have been delivered using PhaaS models. Of these, the Tycoon 2FA phishing kit emerged as the most popular, responsible for 76% of the detected incidents. EvilProxy accounted for 8%, while Mamba 2FA and Sneaky 2FA together made up 6%. The remaining 10% consisted of other kits such as LogoKit, CoGUI and FlowerStorm.

Understanding PhaaS

Phishing-as-a-Service is a model in which individuals or groups provide ready-made phishing tools, infrastructure and support to customers for a fee, often via subscription services or one-off payments. This business-like approach means non-technical users can easily launch phishing campaigns without building infrastructure or writing code.

According to the explainer released by Barracuda, "Phishing-as-a-Service, or PhaaS, is a cybercrime model where threat actors offer phishing tools, kits and services to other attackers, often via subscription or one-time payment. It lowers the barrier to entry for phishing attacks by providing ready-made templates, hosting, automation and even customer support. PhaaS enables non-technical users to launch sophisticated phishing campaigns, contributing to the rise in phishing incidents globally."

Attackers typically access these services through forums, darknet markets, or messaging channels such as Telegram. The platforms provide templates for impersonating well-known brands and offer means to collect sensitive information entered by victims, which attackers can then use for financial gain or identity theft.

The explainer notes, "Attackers sign up for this service — often through Darknet or Telegram channels — and obtain access to their PhaaS infrastructure. The service provides ready-made fake emails and websites that look just like real companies. The scammer can customise messages to make them convincing. Then, these fake emails or websites are sent out to lots of people. When someone falls for the trick and enters their private info, the scammer collects it and can steal money or identities."

Barriers lowered

PhaaS is popular with users seeking to commit credential theft but lacking the skills to develop phishing infrastructure from scratch. The systems are marketed not only at experienced cybercriminals, but also at individuals with limited technical knowledge, as the ease of use and available support bring phishing within reach of a broader group of criminal actors.

"Attackers who want to do credential theft but don't know how to build the phishing emails, infrastructure to host fake Microsoft/Google login pages, steal multifactor-authentication (MFA) tokens and send them to a command-and-control server. Sometimes even people who aren't very tech-savvy can use PhaaS because it makes it easy for anyone to launch scams," the explainer says.

PhaaS allows for rapid deployment of attacks, high levels of automation and large-scale targeting, including of small businesses and individual consumers. Typical victims range from employees at companies targeted for access to internal systems, to consumers receiving emails purporting to be from banks or popular online services.

"It saves time and effort — they don't have to create complicated scam setups from scratch. It's often cheap or subscription-based, so it's easy to access. It's much easier now to launch a sophisticated phishing campaign targeting thousands of people with just a few clicks or minimal effort, compared to traditional phishing attacks. These modern attacks are highly advanced — they use clever methods to avoid detection and often rely on legitimate but compromised websites and platforms."

Market forces

PhaaS providers continually update their kits to bypass security measures, and competition between providers is fierce. Kits compete on factors such as price, accessibility, customer support, regular updates, and their ability to avoid detection. Subscription models and customer service functions have become normal, mirroring the software industry.

"Kits that are cheaper or easier to get tend to attract more users. Some offer subscriptions, while others sell one-time licenses. The price and payment options matter a lot. Updates: Some PhaaS providers offer customer support and regularly update their kits to bypass new security measures. Kits that stay updated and provide help keep their users loyal. Success rates: If a kit is known for helping scammers avoid detection and successfully steal information, it gains popularity over others."

Emerging kits and techniques

Barracuda identified several new PhaaS kits, such as Darcula, which merges phishing with malware delivery and tends to target mobile users, and Morphing Meerkat, noted for altering its appearance to bypass email controllers. Other kits like CoGUI have been regionally tailored, such as those targeting Japanese organisations, and Sniper Dz is highlighted for mimicking the login pages of popular services.

According to the explainer, "What makes these kits particularly dangerous is that they constantly evolve — updating their methods to avoid being detected by security systems. This ongoing development helps scammers stay one step ahead and makes it harder to shut them down."

Detection strategies avoided

PhaaS operators and their customers deploy techniques including encrypting malicious code, using code obfuscation, leveraging legitimate but compromised websites, and actively detecting when they are being monitored by security software or research sandboxes. In such cases, the kits will direct users to bona fide websites to avoid raising suspicion.

The use of encryption and the adoption of real, trusted sites for hosting phishing content make detecting such threats more challenging for security tools, which traditionally focus on signature-based or heuristic detections of uncommon domains or content. Despite ongoing efforts by security professionals and law enforcement, the widespread distribution of PhaaS services and kits, international hosting, and frequent method changes continue to pose challenges for effective mitigation and takedown of phishing operations.

As Gmail And Microsoft 2FA Security Bypassed — Do This One Thing Now

Forbes, 13-04-2025

Enable passkeys as 2FA bypass attacks confirmed.

I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and both Android and iPhone smartphone FBI defense advice. It is, however, Gmail and Microsoft that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now.

Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities. Those attackers have, it seems, now turned the dial to 11. New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.'

While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals in HTML5, for example, can add legitimacy to phishing attempts, Unicode and proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated tools. Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers.

Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers. The simple truth is that, from the end user defensive posture perspective, the mitigation advice when it comes to Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys. A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.' Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.' So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for? Do it now.
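Both the Trustwave findings quoted above (invisible Unicode characters in obfuscated JavaScript) and the earlier Arabian Post piece (invisible Hangul filler characters) point at the same detection opportunity, and Trustwave's advice is "a deeper inspection of JavaScript patterns". The scanner below is an added example, not code from Trustwave, Forbes or any security product. It assumes an explicit list of filler and blank code points plus the Unicode "Cf" (format) category as the definition of "invisible", and assumed thresholds for when a script's count or share of such characters is worth flagging; the two JavaScript samples are constructed for the example.

```python
import unicodedata

# Code points that render as nothing (or a blank box) yet survive in source text.
# U+3164 and U+1160 are the Hangul fillers named in the reporting; they are letters
# (category Lo), so a Unicode-category check alone would miss them.
EXPLICIT_INVISIBLE = {
    0x00AD,          # SOFT HYPHEN
    0x034F,          # COMBINING GRAPHEME JOINER
    0x115F, 0x1160,  # HANGUL CHOSEONG / JUNGSEONG FILLER
    0x2800,          # BRAILLE PATTERN BLANK
    0x3164,          # HANGUL FILLER
    0xFFA0,          # HALFWIDTH HANGUL FILLER
}


def is_invisible(ch):
    if ord(ch) in EXPLICIT_INVISIBLE:
        return True
    # Cf covers zero-width space/joiners, word joiner, BOM and bidi controls.
    return unicodedata.category(ch) == "Cf"


def scan_script(src):
    """Count invisible code points in a script and record where each first appears."""
    if src.startswith("\ufeff"):        # a single leading BOM is a normal file artefact
        src = src[1:]
    hits = {}
    for offset, ch in enumerate(src):
        if not is_invisible(ch):
            continue
        cp = ord(ch)
        if cp not in hits:
            hits[cp] = {"name": unicodedata.name(ch, f"U+{cp:04X}"),
                        "count": 0, "first_offset": offset}
        hits[cp]["count"] += 1
    hidden = sum(h["count"] for h in hits.values())
    visible = sum(1 for ch in src if not ch.isspace()) - hidden
    ratio = hidden / visible if visible > 0 else 0.0
    return {"hits": hits, "hidden": hidden, "ratio": ratio}


def is_suspicious(report, min_hidden=8, max_ratio=0.02):
    """Assumed thresholds, to be tuned per environment: a few joiners can be legitimate
    in internationalised strings; dozens, or a large share of the script, is not."""
    return report["hidden"] >= min_hidden or report["ratio"] > max_ratio


# Constructed samples for the example.
BENIGN_JS = 'function greet(name) {\n  return "Hello, " + name + "!";\n}\n'
# Stand-in for a script carrying a filler-padded string; not a real kit sample.
SUSPECT_JS = 'var k = "' + "\u3164" * 40 + "\u200b\u200c\u200d" + '";\nconsole.log(k.length);\n'

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        report = scan_script(js)
        print(label, "hidden =", report["hidden"], "suspicious =", is_suspicious(report))
        for cp, h in sorted(report["hits"].items()):
            print(f"  U+{cp:04X} {h['name']} x{h['count']} first at offset {h['first_offset']}")
```

The report lists each invisible code point with its count and first offset so an analyst can jump straight to the padded string rather than eyeballing a minified file, and the leading-BOM exception avoids flagging every UTF-8 file saved by a Windows editor. Run over scripts fetched from a suspicious page (or over the script bodies captured by a browser sandbox), it is one cheap, deterministic signal that complements the behaviour-based monitoring Trustwave recommends.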
