One of the most prolific phishing-as-a-service toolkits of all time was not widely used to send consumers phony unpaid toll texts or urgent account alert emails. Instead, Tycoon 2FA was primarily leveraged to target paid accounts associated with organizations.
Although financial services and healthcare companies have typically been prime targets for fraud attempts, cybercriminals appeared to deploy Tycoon 2FA more arbitrarily. According to The Hacker News, the tens of millions of phishing messages created with the platform led to breaches at over 100,000 organizations across industries, including schools and hospitals.
The worldwide phishing threat spawned by the toolkit prompted a coalition of public and private entities to band together and take down the service. This alliance included Europol and other law enforcement agencies, Microsoft, cybersecurity firms, and Coinbase. This effort ultimately resulted in the takedown of the 330 domains that formed the criminal network’s infrastructure.
“International, coordinated efforts to take down organized cybercrime rings, cybercrime-as-a-service networks, and phishing-as-a-service networks—like this one—are necessary,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “But sadly, these takedowns only result in short-term gains, as new networks and models quickly step in to replace the ones taken down.”
Streamlining Cybercrimes
Prior to the disruption, a monthly subscription to Tycoon 2FA could be purchased on social media platforms like Telegram for roughly $350. In return, users gained access to a dashboard where they could create and monitor phishing campaigns, along with templates and tools designed to streamline cybercrime.
As with many phishing attacks, these tools were used to craft messages impersonating widely used services like Outlook, SharePoint, and Gmail. The goal was to capture sensitive data such as login credentials or multi-factor authentication codes. Once stolen, the information was often transmitted to criminals in near real time.
A Massive Issue on Multiple Fronts
One of the most alarming aspects of phishing-as-a-service platforms is how they simplify the process for novice bad actors and dramatically expand the reach of their campaigns. These services are also highly customizable. Microsoft attributed much of Tycoon 2FA’s success to its ability to convincingly mimic legitimate authentication processes.
Even more concerning, Tycoon 2FA subscribers were able to engage in ATO jumping. After compromising an account, criminals could send phishing messages from that email address, making them appear to come from a trusted user.
This means a single phishing message can quickly spiral into a major problem for organizations on multiple fronts.
“Law enforcement is caught in a perpetual state of reaction when it comes to fighting cybercrime,” Goldberg said. “From a global perspective, U.S. consumers and business, which are typically the primary cybercrime targets, pay the price. In the case of Tycoon 2FA, the vast majority of compromised targets were in the U.S., followed by the United Kingdom and Canada.”
