One of the most prolific phishing-as-a-service toolkits ever, Tycoon 2FA, was not widely used to send fraudulent unpaid toll messages or urgent account alert emails to consumers. Rather, it primarily targeted paid accounts associated with organizations.
Whereas fraud attempts have traditionally concentrated on financial services and healthcare companies, cybercriminals appeared to use Tycoon 2FA more indiscriminately. According to The Hacker News, the tens of millions of phishing messages created using this platform led to security breaches at over 100,000 organizations across various industries, including schools and hospitals.
The global phishing threat posed by the toolkit prompted a coalition of public and private entities to coordinate efforts in shutting it down. This alliance included Europol and other law enforcement agencies, Microsoft, cybersecurity firms, and Coinbase. The effort ultimately resulted in the takedown of 330 domains that formed the criminal network’s infrastructure.
“International, coordinated efforts to dismantle organized cybercrime rings, cybercrime-as-a-service networks, and phishing-as-a-service networks are necessary,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Sadly, these takedowns only offer temporary relief, as new networks and models emerge almost immediately to replace the ones taken down.”
Streamlining Cybercrimes
Prior to its disruption, a monthly subscription to Tycoon 2FA could be purchased on platforms like Telegram for approximately $350. This provided users with access to a dashboard where they could create and monitor phishing campaigns, along with templates and tools designed to streamline the execution of cybercrime.
Like many phishing attacks, these tools were used to craft messages mimicking widely used services such as Outlook, SharePoint, and Gmail. The aim was to capture sensitive data like login credentials or multi-factor authentication codes. Once stolen, this information was often relayed to criminals in near real-time.
A Massive Issue on Multiple Fronts
One of the most alarming aspects of phishing-as-a-service platforms is how they streamline the process for novice bad actors and significantly expand their reach and effectiveness. These services are also highly customizable, as evidenced by Microsoft attributing much of Tycoon 2FA’s success to its ability to convincingly mimic legitimate authentication processes.
Moreover, Tycoon 2FA subscribers were able to engage in ATO (account takeover) jumping. After compromising an account, criminals could send phishing messages from that email address, making them appear to come from a trusted user.
This means a single phishing message can quickly escalate into a major issue for organizations on multiple fronts.
“Law enforcement is perpetually reactive when it comes to combating cybercrime,” Goldberg stated. “From a global perspective, U.S. consumers and businesses—typically the primary targets of cybercrime—bear the brunt of these threats. In the case of Tycoon 2FA, the majority of compromised entities were based in the United States, followed by the United Kingdom and Canada.”