This article explores the Tycoon 2FA (Two-Factor Authentication) phishing-as-a-service platform, detailing its operations and infrastructure through phishing analysis. It emphasizes the techniques used to analyze phishing attacks, including dynamic and static analysis, as well as how to identify related domains through advanced tools like Validin. The article highlights the malicious nature of Tycoon 2FA in its exploitation of OAuth mechanisms and showcases various indicators of compromise tied to this phishing campaign.
Affected: Phishing targets, online platforms, two-factor authentication systems
Key points:
- Tycoon 2FA is a Phishing-as-a-Service platform targeting two-factor authentication systems.
- The analysis utilizes dynamic and static methods to understand phishing techniques.
- Base64 encoding and JavaScript decryption play crucial roles in the Tycoon 2FA approach.
- Validin is employed to uncover additional domains associated with Tycoon 2FA.
- Over 800 domains linked to Tycoon 2FA’s process were identified through automated scripts.
- This campaign demonstrates a sophisticated phishing operation leveraging outdated security practices.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Usage of standard protocols like HTTP/HTTPS for command and control.
- T1140 – Deobfuscate/Decode Files or Information: Decoding Base64 encoded data in phishing scripts.
- T1059.001 – Command and Scripting Interpreter: Use of JavaScript to automate user redirections and set malicious links.
- T1083 – File and Directory Discovery: Identification of and access to res444.php, potentially revealing other phishing infrastructure.
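The key points and the T1140 entry above describe Base64-encoded data inside the kit's JavaScript that has to be decoded during static analysis. The following helper, added here as an illustration and not taken from the Validin article or from any Tycoon 2FA code, shows how an analyst can triage a captured phishing page offline: it scans the script for Base64-looking literals, peels off nested encoding layers, extracts any URLs and hostnames from the decoded text, and defangs them for a report. The sample script it runs on is constructed in the block itself (the URL `https://lure.example.invalid/path/` is a placeholder), so nothing here reproduces a real lure.

```python
"""Static triage helper for phishing-page JavaScript.

Added example: finds Base64 blobs in a script, decodes them (including
stacked layers), and collects URLs and domains from the decoded content.
The SAMPLE_JS below is constructed for this example and is not real kit code.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# Candidate Base64 literals: long runs of Base64 alphabet characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Plain http(s) URLs inside decoded text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def try_b64_decode(token: str):
    """Return the decoded text if `token` is valid Base64 that decodes to
    printable UTF-8 text, otherwise None (binary or garbage is rejected)."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def decode_layers(blob: str, max_depth: int = 5):
    """Decode a Base64 string repeatedly while each result is itself Base64.
    Phishing kits often stack encodings (e.g. atob(atob(x))); the returned
    list holds every layer, outermost first. max_depth bounds the loop."""
    layers = []
    current = blob.strip()
    for _ in range(max_depth):
        decoded = try_b64_decode(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded.strip()
    return layers


def extract_indicators(script: str):
    """Scan a JavaScript source for Base64 blobs, decode them and collect
    URLs and hostnames. Returns {'urls': [...], 'domains': [...], 'decoded': [...]}."""
    urls, decoded_all = set(), []
    for match in B64_RE.finditer(script):
        for layer in decode_layers(match.group(0)):
            decoded_all.append(layer)
            urls.update(URL_RE.findall(layer))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    return {"urls": sorted(urls), "domains": sorted(domains), "decoded": decoded_all}


def defang(value: str) -> str:
    """Render an indicator safely for a report: dots become [.] and the
    scheme becomes hxxp(s), so the value is not clickable."""
    value = value.replace("https://", "hxxps://").replace("http://", "hxxp://")
    return value.replace(".", "[.]")


# Constructed sample: a redirect snippet Base64-encoded twice and embedded in a
# script that decodes it at runtime, imitating the layered-encoding pattern the
# article describes. The hostname is a placeholder, not a real indicator.
_INNER = 'var next = "https://lure.example.invalid/path/"; window.location = next;'
_LAYER1 = base64.b64encode(_INNER.encode()).decode()
_LAYER2 = base64.b64encode(_LAYER1.encode()).decode()
SAMPLE_JS = f'var p = "{_LAYER2}"; eval(atob(atob(p)));'


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_JS)
    for layer_no, text in enumerate(result["decoded"], start=1):
        print(f"layer {layer_no}: {text[:60]}...")
    for url in result["urls"]:
        print("url:", defang(url))
    for host in result["domains"]:
        print("domain:", defang(host))
```

The printable-text check is what keeps the scanner from chasing random identifiers that happen to be valid Base64; the depth bound keeps a deliberately self-referential blob from looping. In practice an analyst runs this over the saved HTML and every fetched script, then pivots on the recovered hostnames in a tool such as Validin, as the article does.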
Indicators of Compromise:
- [Domain] disruptgive[.]com
- [URL] https://mvz.nvkhytoypg[.]ru/9SIt8c/
- [Domain] kristinachildress[.]com
- [Domain] cargoallrisk[.]co[.]uk
- [Domain] nudelaw[.]com
Full Story: https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains/