European law enforcement agencies dismantle phishing platform

Tycoon2FA was among the world's largest phishing operations. It allowed criminals to gain undetected access to email accounts. It has now been shut down.

Hands on a laptop in backlight, foreground in darkness

(Image: smolaw/Shutterstock.com)

By Andreas Knobloch

An international law enforcement operation coordinated by Europol has taken the phishing platform Tycoon2FA out of action. 330 domains that formed the core infrastructure of the criminal service, including phishing sites and control panels, were shut down, according to a statement released by the European police authority. The operation was carried out by law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain, and Great Britain, together with private sector actors including Cloudflare, Coinbase, and Trend Micro, working in close cooperation under the coordination of Europol's European Cybercrime Centre (EC3).

Tycoon2FA had been active since at least August 2023 and, according to Europol, was among the largest phishing operations worldwide. The platform was reportedly used by thousands of cybercriminals to bypass two-factor authentication (2FA) and gain undetected access to email and cloud-based services. "The platform generated tens of millions of phishing emails each month and facilitated unauthorised access to nearly 100 000 organisations globally, including schools, hospitals, and public institutions," Europol writes.

According to the tech portal Bleeping Computer, Tycoon2FA subscriptions were offered via the Telegram messenger for ten days of access for 120 US dollars. This significantly lowered the hurdle for less experienced criminals to carry out sophisticated attacks to bypass MFA on a large scale, the portal further states.


"Tycoon2FA's platform enabled attackers to impersonate trusted brands by mimicking login pages for services such as Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail. It also allowed attackers to establish persistence and access sensitive information even after passwords were reset, provided active sessions and tokens were not explicitly revoked," Microsoft explained in a blog post on Wednesday. "This worked by intercepting session cookies generated during the authentication process while simultaneously capturing user credentials. The 2FA codes were then forwarded to the authentication service via Tycoon2FA's proxy servers."
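The persistence Microsoft describes depends on one detail: a password reset alone does not invalidate a session cookie that was captured through the proxy. The following added example (constructed for this article, not code from Microsoft, Europol or the Tycoon2FA investigation) shows a session check that enforces a per-account "not before" watermark, so that a reset or an explicit revocation also kills every session issued earlier; the account, session and field names are assumptions.

```python
"""Session validation that rejects tokens issued before a credential reset.

A reverse-proxy phishing kit relays the victim's credentials and 2FA code and
keeps the resulting session cookie. If the service only changes the password,
that cookie keeps working. Advancing a per-account watermark on reset or on
manual revocation makes every older session fail validation.
Constructed example with assumed names; not the platform's or Microsoft's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    # Sessions issued before this instant are treated as revoked.
    sessions_not_before: datetime = field(default_factory=lambda: EPOCH)


@dataclass(frozen=True)
class Session:
    username: str
    issued_at: datetime  # set when the session cookie was minted


def reset_password(account: Account, now: datetime, revoke_sessions: bool = True) -> None:
    """Weak path: revoke_sessions=False only changes the password and leaves
    captured cookies valid. Hardened path (default): move the watermark."""
    if revoke_sessions:
        account.sessions_not_before = now


def revoke_all_sessions(account: Account, now: datetime) -> None:
    """Explicit revocation, e.g. after an incident; same effect as a hardened reset."""
    account.sessions_not_before = now


def is_session_valid(account: Account, session: Session, now: datetime,
                     max_age: timedelta = timedelta(hours=8)) -> bool:
    """True only for an unexpired session of this account issued after the watermark."""
    if session.username != account.username:
        return False
    if session.issued_at < account.sessions_not_before:
        return False  # issued before the last reset/revocation: treated as stolen
    if now - session.issued_at > max_age:
        return False  # absolute lifetime cap, independent of revocation
    return True
```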

The investigation began after Trend Micro provided information. Europol disseminated this information through its EC3 advisory groups and operational networks. This, in turn, enabled the development of a coordinated operational strategy, according to the European police authority. Later, Microsoft and Trend Micro worked closely with law enforcement agencies, providing technical expertise and infrastructure analysis.

(akn)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.