Tycoon 2FA: Sneaky Phishing Attacks Targeting Microsoft 365 and Gmail Accounts

In the ever-changing landscape of cyberattacks, there’s always something new to watch out for.

Cyberthreats evolve almost daily. For several months now, a stealthy phishing kit called Tycoon 2FA has been making headlines. And with Cybersecurity Awareness Month coming up in October, it’s important to keep this threat top of mind.

This phishing-as-a-service (PhaaS) platform poses a significant threat to Microsoft 365 and Gmail users. You may have seen this as an increase in phishing emails with attachments that, if clicked, lead you to a phishing page. These look-alike phishing pages then ask you to enter your security or log-in credentials. It’s a sneaky, stealthy, and sophisticated attack.

Like anything else though, the more you know about it, the more aware you’ll be of these potential threats. Let’s dive into how these attacks work, how they have evolved, and what you can do to stay safe.

How Tycoon 2FA Works

Tycoon 2FA operates as a “man-in-the-middle” attack, primarily targeting Microsoft 365 and Gmail accounts. Its main goal is to harvest session cookies, which attackers then use to bypass multifactor authentication (MFA) during subsequent logins. In March 2024, the creators of Tycoon 2FA made it even sneakier. They updated it so that the code is scrambled, making it much harder for security systems to recognize and catch it. Additionally, the code changes every time it runs, which helps it avoid being detected by systems that look for specific patterns. This makes the phishing kit more difficult to spot and block. The group sells ready-to-use phishing pages for Microsoft 365 and Gmail via Telegram, with prices starting at $120 for 10 days of access, making it accessible even to less technically skilled attackers.

What An Attack Looks Like

While specific statistics for Tycoon 2FA attacks aren’t readily available, it’s important to note that a significant portion of cyberattacks, including those involving phishing kits like Tycoon 2FA, rely heavily on social engineering. In fact, 98% of all cyberattacks involve some form of social engineering. This broad category includes tactics like phishing, baiting, and pretexting, which are designed to trick individuals into revealing sensitive information or performing actions that compromise security.

Given this high percentage, it’s reasonable to infer that a substantial number of Tycoon 2FA attacks also use social engineering techniques to deceive users and bypass multifactor authentication.

So, what does a social engineering phishing attack look like?

Social engineering is essentially a manipulation technique that tricks individuals into divulging sensitive information or performing actions that compromise security. A social engineering phishing attack could include (but is not limited to) any of the following characteristics or components:

- Unexpected Messages: Be cautious of messages that arrive unexpectedly, especially if they are from unknown senders or about unusual topics.

- Requests for Sensitive Information: Legitimate organizations rarely ask for sensitive information like passwords or financial details via email or phone.

- Urgency or Pressure: Social engineers often create a sense of urgency to prompt quick action without thorough thinking.

- Unusual Attachments or Links: Be wary of unexpected attachments or links, especially if they come from unknown sources.

- Generic Greetings: Phishing emails often use generic greetings like “Dear Customer” instead of your name.

- Poor Grammar and Spelling: Many social engineering attempts contain spelling and grammatical errors.

- Requests for Immediate Assistance: Be cautious if someone asks for immediate help, especially if it involves financial transactions or sensitive information.

- Too Good to Be True Offers: Offers that seem too good to be true often are. Be skeptical of unexpected prizes or deals.

When a user falls victim to a Tycoon 2FA attack, it typically begins with receiving a seemingly legitimate email or message that prompts them to log into their Microsoft 365 or Gmail account. The user is directed to a phishing page (fake login page) that closely mimics the real login page. Unaware of the deception, the user enters their credentials and completes the multifactor authentication (MFA) process. However, instead of logging into their actual account, the session cookies are intercepted by the attackers. These stolen cookies allow the attackers to bypass MFA and gain unauthorized access to the user’s account. The user might not immediately realize anything is wrong, as the phishing page often redirects them to the legitimate site after capturing their information, making the attack even more stealthy and difficult to detect.
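The flow above has one consequence a defender can look for: the session cookie is minted when the victim completes MFA, but it is then presented from the attacker’s network, not the victim’s. The following is an added example, not code from the original post or from any vendor product: it walks a small set of constructed sign-in and mailbox activity records (the field layout, user names, session ids and documentation-range IP addresses are all assumptions made for the example) and flags any session whose id is used from a source IP other than the one that passed MFA.

```python
"""Added example: flag session ids reused from a different source IP than
the one that completed MFA. The record format and the sample events below
are constructed for this example and are not a real tenant's sign-in logs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: ISO timestamp, user, session id, source IP, event.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_EVENTS = [
    ("2024-09-02T09:00:05", "alice@example.com", "sess-7f3a", "203.0.113.10", "mfa_success"),
    ("2024-09-02T09:00:40", "alice@example.com", "sess-7f3a", "203.0.113.10", "mailbox_read"),
    ("2024-09-02T09:03:12", "alice@example.com", "sess-7f3a", "198.51.100.77", "mailbox_read"),
    ("2024-09-02T09:04:01", "alice@example.com", "sess-7f3a", "198.51.100.77", "inbox_rule_created"),
    ("2024-09-02T09:05:00", "bob@example.com", "sess-91c0", "203.0.113.22", "mfa_success"),
    ("2024-09-02T10:30:00", "bob@example.com", "sess-91c0", "203.0.113.22", "mailbox_read"),
]


def find_session_reuse(events):
    """Return one alert per session whose id is presented from a source IP
    other than the one that completed MFA for it.

    Each alert is a dict holding the user, the session id, the IP that passed
    MFA, the other IPs seen on that session, and the events seen from them.
    A changed IP alone is not proof of cookie theft (laptops roam between
    networks), so treat the result as a triage signal, not a verdict.
    """
    mfa_ip = {}                    # session id -> IP that completed MFA
    foreign = defaultdict(list)    # session id -> [(ip, event, ts), ...]
    owner = {}                     # session id -> user
    for ts, user, sid, ip, event in sorted(events, key=lambda e: e[0]):
        datetime.fromisoformat(ts)  # reject malformed timestamps early
        owner[sid] = user
        if event == "mfa_success":
            mfa_ip.setdefault(sid, ip)  # first MFA completion fixes the origin
        elif sid in mfa_ip and ip != mfa_ip[sid]:
            foreign[sid].append((ip, event, ts))

    alerts = []
    for sid, hits in foreign.items():
        alerts.append({
            "user": owner[sid],
            "session_id": sid,
            "mfa_ip": mfa_ip[sid],
            "other_ips": sorted({ip for ip, _, _ in hits}),
            "events": [event for _, event, _ in hits],
        })
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_EVENTS):
        print(f"{a['user']}: session {a['session_id']} passed MFA from "
              f"{a['mfa_ip']} but was then used from {a['other_ips']} "
              f"({', '.join(a['events'])})")
```

Run as written, the sample produces a single alert for alice’s session, and the post-MFA activity from the second address (a mailbox read followed by an inbox rule being created) is exactly the kind of follow-on behaviour worth reviewing first. Bob’s session, used from one address throughout, is left alone.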

How to Protect Yourself

To protect yourself from Tycoon 2FA attacks, it’s crucial to adopt several security measures. Staying vigilant is the name of the game.

1.) Be vigilant with emails and links: verify the sender’s address and avoid clicking suspicious links or downloading attachments from unknown sources. In addition, review all URLs closely; if they look suspicious, do not enter your credentials.

Example:

Real URL: https://accounts.google.com/ServiceLogin

Phishing URL: https://accounts.google.com-service-login.com/ServiceLogin

In the phishing URL, the domain looks very similar to the real one but includes extra elements like “google.com-service-login.com” to trick users into thinking it’s legitimate. Always double-check the URL for subtle differences and ensure it matches the official domain exactly.
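The comparison above can be made mechanical. What fools the eye here (the address starts with “accounts.google.com”) also fools a naive “does the address contain google.com?” check; comparing the host’s registrable domain against an allow-list does not. The following is an added example, not code from the original post: the allow-list of expected sign-in domains is an assumption made for the example, and the third URL, which hides a different host behind an `@`, is a constructed case that the post does not discuss.

```python
"""Added example: decide whether a login URL's host really belongs to an
expected sign-in domain, rather than merely resembling one.
"""
from urllib.parse import urlsplit

# Assumed allow-list for this example: the sign-in hosts a user expects to see.
EXPECTED_LOGIN_DOMAINS = {
    "accounts.google.com",
    "login.microsoftonline.com",
}


def host_of(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, without port or userinfo.

    urlsplit().hostname already drops anything before an '@', so a URL such as
    https://accounts.google.com@evil.example/... resolves to 'evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The last two labels of a host, e.g. 'google.com'.

    Simplification for the example: production code should consult the
    Public Suffix List so that hosts under e.g. 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_looks_legit(url: str) -> bool:
    """The check a hurried reader does: 'does the address contain a known
    domain?'. Kept only to show that it accepts the post's phishing URL."""
    return any(d in url for d in EXPECTED_LOGIN_DOMAINS)


def is_expected_login_host(url: str) -> bool:
    """True only if the host is an expected domain or a subdomain of it.

    Matching is on whole dot-separated labels, so
    'accounts.google.com-service-login.com' (registrable domain
    'com-service-login.com') does not match 'accounts.google.com', while a
    genuine subdomain such as 'foo.accounts.google.com' would.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in EXPECTED_LOGIN_DOMAINS)


if __name__ == "__main__":
    for url in (
        "https://accounts.google.com/ServiceLogin",                     # from the post
        "https://accounts.google.com-service-login.com/ServiceLogin",   # from the post
        "https://accounts.google.com@evil.example/ServiceLogin",        # constructed
    ):
        print(f"{url}\n  host={host_of(url)}  registrable={registrable_domain(host_of(url))}"
              f"  naive={naive_looks_legit(url)}  strict={is_expected_login_host(url)}")
```

The two URLs from the post separate cleanly: the real one passes both checks, while the phishing one passes the naive substring check and fails the strict one because its registrable domain is `com-service-login.com`, not `google.com`. Browsers display the host, not the beginning of the address, which is why the advice to read the domain rather than the whole string holds.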

2.) Utilize anti-phishing tools and email protection services to detect and block phishing attempts.

3.) Regularly update your software, including operating systems, browsers, and security applications, to patch vulnerabilities.

4.) Educate yourself and your teams about recognizing phishing tactics and stay informed about the latest threats.

5.) Finally, monitor your account activity for any unauthorized access and report suspicious activities immediately.

By implementing these practices or working with an IT partner like Endpoint Utility Corp to implement and manage these for you, you can significantly reduce the risk of falling victim to Tycoon 2FA and similar phishing attacks. Cyberthreats are constantly evolving but staying vigilant and aware is key. If you have any questions or concerns regarding your company’s IT systems and cybersecurity, please reach out to us. We are here to help.
