Phishing Attacks Available to More Non-Technical Actors as MFA Bypass Kits Surface

by | Apr 2, 2024

In the wake of ransomware-as-a-service becoming a huge hit with criminals, more elements of cyber crime are now shifting to a similar affiliate model. Researchers with Sekoia have uncovered a particularly troubling service that assists with phishing attacks, going so far as to offer MFA bypass capability for Microsoft and Gmail authentication.

The approach still requires a victim to click on a phishing link or scan a QR code and then be taken in by a fake mock-up of a login page, but once their credentials are entered the MFA bypass allows attackers to maintain access to their account even if they change their password. The service has been finding its customers via private Telegram channels and appears to have been facilitating phishing attacks since at least October 2023.

Phishing attacks likely to ramp up as services become more sophisticated

The MFA bypass not only makes it easier for phishing attacks to ensnare a victim, it also allows the attacker to capture session cookies and use them to repeat the session to get back into the account. That means that a victim might not regain control of their account by changing their password.

A group called Tycoon is offering the MFA bypass tool, and it appears to be a popular option selling at $120 to $320 depending on the length of time the client wants to access it. This subscription also provides email templates for use in phishing attacks. This provides a potent set of abilities to would-be criminals that only have very minimal technical knowledge and would likely be unable to pull off phishing attacks on their own.

From patterns of use observed by the researchers, most of Tycoon’s clients send large volumes of emails to known addresses at target organizations (with a particular focus on accounts that might provide access to payroll or company finances). The URLs that Tycoon uses to host the phishing pages are very obvious fakes, but these phishing attacks are likely targeting mobile phone users for whom the URL might not be readily visible.

The report provides much more detail on how the MFA bypass compromises Microsoft accounts, but does mention that Gmail is also vulnerable. At minimum, Tycoon seems to have hundreds of active customers at present based on activity to a crypto wallet linked to the outfit.

MFA bypass service supported by over 1,100 attack domains

Though Tycoon does not appear to have many convincing URLs, they do seem to have a lot to cycle through with at least 1,100 spotted by the researchers. That, along with other added features that were just introduced in the past few weeks, makes it difficult for automated defense systems to flag the malicious URLs before phishing attacks make it into inboxes.

The MFA bypass feature may have been built off of a prior phishing kit called “Dadsec” that saw its source code leaked last year. Tycoon may have either built off that leak or obtained the code as a prior client of the service, retaining its administration panel but adding its own more powerful twists.

These phishing kits do not require anything new in the sense of preparing employees for potential attacks; following good cybersecurity hygiene will still keep people out of their traps. However, they are very likely to up the compromise numbers on the subset of employees that simply do not respond to phishing training and are prone to get taken in by malicious links and attachments. The big danger in this scenario is that the MFA bypass neutralizes what should have been the failsafe when these employees are tricked. At minimum, the takeaway from this incident is that 2FA is merely another obstacle for attackers to overcome, not a guarantee of account safety.

Recent Posts

How can we help?

9 + 13 =

× How can I help you?