May 13 2024

Tycoon 2FA Attacking Microsoft 365 AND Google Users To Bypass MFA

Category: 2FAdisc7 @ 8:22 am

Tycoon 2FA, a recently emerged Phishing-as-a-Service (PhaaS) platform, targets Microsoft 365 and Gmail accounts. It uses an Adversary-in-the-Middle (AitM) technique to steal the authenticated session cookie, which lets the operator get past multi-factor authentication (MFA) without ever defeating the second factor itself: the victim completes MFA, and the attacker takes the resulting session.

By sitting between the user and the legitimate login page, Tycoon 2FA captures the session cookie the service issues once the victim has completed MFA. That cookie grants the attacker access to the account and the cloud services behind it, even though MFA is enforced on the account.

The Tycoon 2FA phishing kit received an update in March 2024 aimed specifically at evading security defenses: the kit's JavaScript and HTML were obfuscated to make the code unreadable and to hinder analysis.

Tycoon 2FA kit used to facilitate MFA token theft and bypass.

On Telegram, the operators sell pre-made phishing pages targeting Microsoft 365 and Gmail credentials, lowering the technical barrier for attackers by offering ready-to-use templates.

Proofpoint TAP Dashboard campaign snapshot from December campaigns. 

The attack runs through a reverse proxy: the phishing page captures the credentials and one-time code the victim types and relays them to the real service, so the victim sees a genuine login complete. The attackers then take the session cookie the service returns on that successful login, which grants access even with MFA enabled.
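The relay described above works because a one-time code is just a string the proxy can forward within its validity window. The following added example (written for this page, not code from the Tycoon 2FA kit or from Proofpoint) simulates the proxy against an in-memory identity provider, and also shows the caveat a defender wants: the same relay fails against WebAuthn, because the browser writes the actual page origin into the signed clientDataJSON and the real service rejects an assertion signed for the phishing origin. The origins, user, TOTP code and credential key are constructed, and HMAC stands in for the ECDSA signature a real authenticator produces.

```python
"""Why an AitM reverse proxy can relay a TOTP but not a WebAuthn assertion.

Added illustration, not code from the Tycoon 2FA kit or from Proofpoint.
Service, AitMProxy and authenticator_get are in-memory stand-ins; HMAC stands
in for the ECDSA signature a real authenticator produces.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"          # assumed legitimate IdP origin
PHISH_ORIGIN = "https://login-example-com.invalid"  # assumed attacker-controlled origin


class Service:
    """Minimal identity provider: password + TOTP, or password + WebAuthn."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse", "totp": "492816"}}  # constructed
        self.sessions = {}          # session cookie -> user
        self.credential_keys = {}   # credential id -> (owner, key); key stands in for the public key

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)   # the Set-Cookie value the proxy is after
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code):
        u = self.users.get(user)
        if not u or u["password"] != password or u["totp"] != code:
            return None
        return self._issue_session(user)

    def register_key(self, user, cred_id, key):
        self.credential_keys[cred_id] = (user, key)

    def login_webauthn(self, user, password, assertion):
        u = self.users.get(user)
        if not u or u["password"] != password:
            return None
        client_data = json.loads(assertion["clientDataJSON"])
        # The RP rejects any assertion whose signed origin is not its own.
        # (A real RP also checks the challenge it issued; omitted here.)
        if client_data["origin"] != LEGIT_ORIGIN:
            return None
        owner, key = self.credential_keys.get(assertion["credentialId"], (None, None))
        if owner != user:
            return None
        digest = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(key, digest, "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def authenticator_get(key, origin, challenge):
    """Browser plus authenticator. The browser, not the page, writes the origin
    into clientDataJSON, and the authenticator signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, hashlib.sha256(client_data.encode()).digest(), "sha256").hexdigest()
    return {"credentialId": "cred-1", "clientDataJSON": client_data, "signature": sig}


class AitMProxy:
    """Phishing site on PHISH_ORIGIN: forwards whatever the victim submits to
    the real Service and keeps any session cookie that comes back."""

    def __init__(self, service):
        self.service = service
        self.harvested = []

    def relay_totp(self, user, password, code):
        cookie = self.service.login_totp(user, password, code)
        if cookie:
            self.harvested.append(cookie)
        return cookie   # the victim is logged in too, so nothing looks wrong

    def relay_webauthn(self, user, password, assertion):
        return self.service.login_webauthn(user, password, assertion)


def demo():
    svc = Service()
    proxy = AitMProxy(svc)
    # 1. TOTP: six digits relayed within their validity window are accepted.
    proxy.relay_totp("alice", "correct horse", "492816")
    totp_cookie_works = svc.whoami(proxy.harvested[0]) == "alice"
    # 2. WebAuthn: the assertion the victim produces on the phishing page carries
    #    PHISH_ORIGIN, so relaying it verbatim fails at the real service.
    key = b"alice-authenticator-key"   # constructed credential key
    svc.register_key("alice", "cred-1", key)
    phished = authenticator_get(key, PHISH_ORIGIN, "challenge-1")
    webauthn_relay_works = proxy.relay_webauthn("alice", "correct horse", phished) is not None
    return {"totp_cookie_works": totp_cookie_works, "webauthn_relay_works": webauthn_relay_works}
```

Running demo() shows the harvested cookie is a valid session for alice while the relayed WebAuthn assertion is refused. The practical reading: session cookie theft by AitM is a problem of the factor being relayable, so the fix is origin-bound, phishing-resistant MFA (FIDO2/passkeys) and short-lived or device-bound sessions, not a stronger OTP.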

The lures vary: emails with fake authentication links, voicemail-themed messages, and PDFs carrying QR codes that lead to the phishing pages.

QR code and voicemail lure examples for the Tycoon 2FA threats that were seen in late 2023. 

The pages are often gated behind a CAPTCHA, which both makes them look legitimate and keeps automated scanners away from the form that harvests credentials and MFA tokens. Security researchers at Proofpoint used these tactics to write detection rules for Tycoon landing pages.

Proofpoint says it identifies and blocks Tycoon 2FA landing pages and related phishing activity with AI-powered behavioral analytics and a URL sandbox, combining threat intelligence with machine learning to recognize suspicious behavior.

Global threat intelligence feeds supply indicators on malicious infrastructure, which helps defenders block known and emerging threats, shorten detection and remediation, and manage the human-risk side of new phishing techniques.


Tags: 2FA Attacking

Apr 06 2023

Hackers use Rilide browser extension to bypass 2FA, steal crypto

Category: 2FA,Crypto,Information SecurityDISC @ 12:45 pm
Security researchers discovered a new malicious browser extension called Rilide that targets Chromium-based products like Google Chrome, Brave, Opera, and Microsoft Edge.

The malware is designed to monitor browser activity, take screenshots, and steal cryptocurrency through scripts injected in web pages.

Researchers at Trustwave SpiderLabs found that Rilide mimicked benign Google Drive extensions to hide in plain sight while abusing built-in Chrome functionalities.

The cybersecurity company detected two separate campaigns that distributed Rilide. One was using Google Ads and Aurora Stealer to load the extension using a Rust loader. The other one distributed the malicious extension using the Ekipa remote access trojan (RAT).

Two campaigns pushing Rilide (Trustwave)

While the origin of the malware is unknown, Trustwave reports that it has overlaps with similar extensions sold to cybercriminals. At the same time, portions of its code were recently leaked on an underground forum due to a dispute between cybercriminals over unresolved payment.

A parasite in the browser

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.

Malicious extension on Edge (Trustwave)

When the site the victim is visiting matches one of the extension's targets, it loads additional scripts into the page to steal information such as cryptocurrency holdings and email account credentials.

The extension also disables the page's ‘Content Security Policy’ (CSP), a browser defense against cross-site scripting (XSS), so that it can load external resources the policy would otherwise block.

In addition to the above, the extension regularly exfiltrates browsing history and can also capture screenshots and send them to the C2.
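Every capability listed above (rewriting headers to drop CSP, injecting scripts, screenshotting tabs, reading history) maps to a permission the extension has to declare in its manifest, which makes the manifest a cheap place to look when auditing extensions in an enterprise. The following added example (not Trustwave's or Rilide's code) scores a manifest for that permission set. Both manifests are constructed: one resembles the Drive-helper disguise and permission mix described in the text, the other is a minimal MV3 extension for contrast.

```python
"""Audit a Chromium extension manifest for the capability set a Rilide-style
extension needs. Added example, not Trustwave's or Rilide's code; both
manifests below are constructed to match the capabilities described in the text."""
import json

# Constructed MV2 manifest posing as a Drive helper, with the permissions a
# header-stripping, screenshotting, history-reading extension would request.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Google Drive Helper",
    "version": "1.0.3",
    "permissions": ["tabs", "history", "cookies", "storage",
                    "webRequest", "webRequestBlocking", "<all_urls>"],
    "background": {"scripts": ["background.js"], "persistent": True},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
})

# Constructed MV3 manifest with a minimal permission set, for contrast.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Tab Notes",
    "version": "2.0.0",
    "permissions": ["storage", "activeTab"],
})

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_access(manifest):
    """Collect host patterns from host_permissions, MV2 permissions and content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version") == 2:
        hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(text):
    """Return human-readable findings; an empty list means nothing Rilide-like was requested."""
    m = json.loads(text)
    perms = set(m.get("permissions", []))
    broad = bool(host_access(m) & BROAD)
    findings = []
    if broad and "webRequestBlocking" in perms:
        findings.append("blocking webRequest on all hosts: can strip Content-Security-Policy "
                        "and other response headers before the page sees them")
    if broad and any(cs.get("run_at") == "document_start" for cs in m.get("content_scripts", [])):
        findings.append("content script on all hosts at document_start: can inject into any page")
    if broad:
        findings.append("all-hosts access: can capture any tab with chrome.tabs.captureVisibleTab")
    if broad and "cookies" in perms:
        findings.append("cookies on all hosts: can read session cookies for every site")
    if "history" in perms:
        findings.append("history: can exfiltrate full browsing history")
    if m.get("manifest_version") == 2:
        findings.append("manifest v2: blocking webRequest and remotely hosted code not blocked by the platform")
    return findings
```

Run audit_manifest over the manifest.json of each installed or force-installed extension (Chrome's ExtensionInstallAllowlist policy is the natural enforcement point). A long findings list is not proof of malice, since ad blockers and developer tools legitimately request much of this, but an extension branded as a Drive helper with this set deserves a closer look.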

Rilide’s capabilities graph (Trustwave)

Bypassing two-factor authentication

An interesting feature in Rilide is its 2FA-bypassing system, which uses forged dialogs to deceive victims into entering their temporary codes.

The system is activated when the victim initiates a cryptocurrency withdrawal request to an exchange service that Rilide targets. The malware jumps in at the right moment to inject the script in the background and process the request automatically.

Once the user enters their code on the fake dialog, Rilide uses it to complete the withdrawal process to the threat actor’s wallet address.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” explains Trustwave in the report.

“The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

Replacing the legitimate email (right) while extracting the 2FA code (Trustwave)

Rilide showcases the growing sophistication of malicious browser extensions that now come with live monitoring and automated money-stealing systems.

While the roll-out of Manifest v3 on all Chromium-based browsers will improve resistance against malicious extensions, Trustwave comments that it won’t eliminate the problem.



Tags: bypass 2FA, Rilide browser extension

Nov 21 2022

How social media scammers buy time to steal your 2FA codes

Category: 2FA,Access ControlDISC @ 12:41 pm

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

  • Password managers associate usernames and passwords with specific web pages. This makes it hard for a password manager to betray you to a bogus website by mistake, because it can’t fill in anything automatically when faced with a site it has never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name close enough to be almost indistinguishable to the human eye, the password manager won’t be fooled, because it is typically looking at the URL, the whole URL, and nothing but the URL.
  • With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA systems typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

  • Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could lead to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:

more details: How social media scammers buy time to steal your 2FA codes

Jan 19 2022

Box flaw allowed attackers to bypass MFA and take over accounts

Category: 2FADISC @ 10:17 am

A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.

Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or on SMS codes.

Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021. 

Upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).

The researchers pointed out that if the user never reaches the SMS verification form, no SMS message is sent, even though the session cookie has already been set. A threat actor who supplies the user’s email and password therefore receives a valid session cookie without the SMS step ever being triggered.

An attacker can easily obtain login credentials for a targeted user from past data breaches or through phishing attacks.

When a user adds an authenticator app, the Box platform assigns it a factor ID; at login, that user must supply the one-time password generated by the app along with their credentials.

The experts devised a method to bypass MFA for accounts enrolled in SMS-based MFA by abandoning the SMS verification process and initiating TOTP-based MFA instead, in effect mixing the two MFA modes.

The attacker could access the victim’s account using the victim’s correct username and password while providing a factor ID and code from a Box account and authenticator app under the attacker’s own control.

“After the cookie is generated, the threat actor can abandon the SMS-based MFA process (which is what the user is enrolled in) and instead initiate the TOTP-based MFA process—thus mixing MFA modes.” reads the analysis published by Varonis.

“The attacker completes the authentication process by posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie they received by providing the victim’s credentials. Box did not verify whether the victim was enrolled in TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in. This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”

Below is the attack flow devised by the experts:

  1. Attacker enrolls in multi-factor authentication using an authenticator app and stores the device’s factor ID.
  2. Attacker enters a user’s email address and password on /login.
  3. If the password is correct, the attacker’s browser is sent a new authentication cookie and redirects to: /2fa/verification.
  4. The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their own factor ID and code from the authenticator app to TOTP verification endpoint: /mfa/verification.
  5. The attacker is now logged in to the victim’s account and the victim does not receive an SMS message.
Attack flow diagram (Varonis)

The platform did not check whether the user logging in was actually the one enrolled in TOTP-based MFA, nor whether the authenticator app belonged to the account attempting to log in.

This trick allowed an attacker to log into the victim’s Box account, bypassing SMS-based 2FA.
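The two missing checks are easiest to see as code. The following added example (written for this page, not Box’s or Varonis’s code) models the flow above with a vulnerable TOTP verification routine beside the fixed one: the server, the users “victim” and “attacker”, their passwords, factor IDs and TOTP secrets are constructed stand-ins, and only the endpoint names /login, /2fa/verification and /mfa/verification come from the write-up. The TOTP routine follows RFC 6238 so the codes are real.

```python
"""Vulnerable and fixed TOTP verification for the Box flow described above.

Added example, not Box's or Varonis's code. Server, users, factor IDs and
secrets are in-memory stand-ins; the TOTP routine follows RFC 6238.
"""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class BoxLikeServer:
    def __init__(self):
        self.users = {}      # name -> {"password", "method": "sms" | "totp"}
        self.factors = {}    # factor_id -> (owner, totp secret)
        self.sessions = {}   # cookie -> {"user", "authenticated"}

    def enroll_sms(self, user, password):
        self.users[user] = {"password": password, "method": "sms"}

    def enroll_totp(self, user, password):
        factor_id = "f-" + secrets.token_hex(4)
        secret = secrets.token_bytes(20)
        self.users[user] = {"password": password, "method": "totp"}
        self.factors[factor_id] = (user, secret)
        return factor_id, secret

    def login(self, user, password):
        """POST /login: on a correct password, issue a pre-MFA cookie and say where
        to go next (/2fa/verification for SMS, /mfa/verification for TOTP)."""
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return None, None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "authenticated": False}
        return cookie, "/2fa/verification" if u["method"] == "sms" else "/mfa/verification"

    def _code_valid(self, factor_id, code, now):
        _owner, secret = self.factors[factor_id]
        return hmac.compare_digest(totp(secret, now), code)

    def verify_totp_vulnerable(self, cookie, factor_id, code, now):
        """POST /mfa/verification, pre-fix behaviour as described: any enrolled
        factor ID plus a code valid for *that* factor completes the session."""
        s = self.sessions.get(cookie)
        if not s or factor_id not in self.factors:
            return False
        if self._code_valid(factor_id, code, now):
            s["authenticated"] = True
            return True
        return False

    def verify_totp_fixed(self, cookie, factor_id, code, now):
        """Same endpoint with the two checks Box was missing."""
        s = self.sessions.get(cookie)
        if not s or factor_id not in self.factors:
            return False
        owner, _secret = self.factors[factor_id]
        if self.users[s["user"]]["method"] != "totp":   # this user is not enrolled in TOTP
            return False
        if owner != s["user"]:                          # the factor belongs to someone else
            return False
        if self._code_valid(factor_id, code, now):
            s["authenticated"] = True
            return True
        return False

    def is_authenticated(self, cookie):
        return self.sessions.get(cookie, {}).get("authenticated", False)


def run_attack(verify_name):
    """Steps 1-5 of the flow above against the named verification routine."""
    srv = BoxLikeServer()
    srv.enroll_sms("victim", "Winter2021!")                          # victim: SMS MFA only
    factor_id, secret = srv.enroll_totp("attacker", "attacker-pw")   # step 1
    now = 1_640_000_000                                              # fixed clock for the demo
    cookie, redirect = srv.login("victim", "Winter2021!")            # steps 2-3: leaked creds
    if redirect != "/2fa/verification":
        raise RuntimeError("expected redirect to the SMS form")
    verify = getattr(srv, verify_name)
    verify(cookie, factor_id, totp(secret, now), now)                # step 4: skip the SMS form
    return srv.is_authenticated(cookie)                               # step 5
```

run_attack("verify_totp_vulnerable") returns True and the victim never receives an SMS; run_attack("verify_totp_fixed") returns False. The general lesson is that a pending-MFA session must carry the factor it is waiting for, and the verification endpoint must check both that the presented factor belongs to the session’s user and that it is the method that user is enrolled in.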

“We want to underscore that MFA implementations are prone to bugs, just like any other code. MFA can provide a false sense of security. Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account,” Varonis concludes.

Tags: bypass MFA

Dec 04 2021

How MFA Can Help Prevent Data Breaches

Category: 2FA,Data BreachDISC @ 2:01 pm

The Current Authentication Landscape

To authenticate a user means to verify that the user is genuine. Classically, the way to authenticate a user is to request their login credentials and ensure those credentials match the credentials stored in your directory service or authentication server. The full history and background of authentication is more complex, but that’s the gist of it. 

The need to ensure users are who they claim to be is critical in the context of today’s hybrid IT infrastructures. Organizational data and apps often exist outside the traditional corporate network perimeter in public cloud services. Furthermore, employees, business partners and contractors are accessing IT resources from home or public locations.

Many security professionals say that identity is the new perimeter. This claim about identity extends to devices and applications, but securing machine identities is another topic altogether. If identity is the new perimeter, then making authentication as secure as possible is paramount to protect your critical assets, including sensitive data about customers and intellectual property. 

Why Passwords Aren’t Enough

In an ideal world, passwords would be sufficient to authenticate users and ensure that they are genuine. Unfortunately, passwords are susceptible to theft, often through poor password hygiene. Whether it’s reusing the same password across different applications or choosing weak passwords to begin with, password theft is rife. 

To understand how easy it is to steal a password, consider a study that looked at over 15 billion passwords. The results of this study revealed that the top four most commonly used passwords were:

  1. 123456
  2. 123456789
  3. qwerty
  4. Password

These passwords are trivially guessable, even for a novice attacker trying to get into a corporate network. This is reflected in the finding that 80% of hacking incidents stem from stolen credentials or passwords guessed by brute force. 

How MFA Can Help Prevent Data Breaches


Tags: data breach, MFA

Oct 21 2021

Problems with Multifactor Authentication

Category: 2FADISC @ 9:04 am

Tags: authentication, MFA, phishing, Problems with Multifactor Authentication, ransomware, social engineering, Two-factor authentication

May 21 2021


Category: 2FA,Access Control,CryptographyDISC @ 8:34 am


Mar 16 2021

Using IAM Solutions to Beat Deepfakes and Fraud

Category: 2FA,Access Control,App Security,Identity TheftDISC @ 8:18 am

AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service.

Cybercriminals have also made great strides in using AI and ML for fraud.

“Today, fraud can happen without stealing someone else’s identity because fraudsters can create ‘synthetic identities’ with fake, personally identifiable information (PII),” explained Rick Song, co-founder and CEO of Persona, in an email interview. And fraudsters are leveraging new tricks, using the latest technologies, that allow them to slip past security systems and do things like open accounts where they rack up untraceable debt, steal Bitcoin holdings without detection, or simply redirect authentic purchases to a new address.

Some increasingly popular fraud tricks using AI and ML include:

  • Deepfakes that mimic live selfies in an attempt to circumvent security systems
  • Replicating a template across a dozen or more accounts to create fake IDs (these often use celebrity photos and their public data)
  • Mimicking the voice of high-level officials and corporate executives to extort personal information and money
  • Chatbots as phishing tools to gather personal information

“With this pace of evolution, companies are left at risk of holding the bag — they are not only losing money directly through things like loans and fees they can’t recoup and any restitution to impacted customers, but they’re also losing trust and credibility. Fraud costs the global economy over $5 trillion every year, but the reputational costs are hard to quantify,” said Song.

How IAM Tools Can Spot and Prevent High Tech Fraud

Tags: Deepfakes and Fraud, IAM Solutions

Feb 18 2021

Credential stuffing attack hit RIPE NCC: Members have to enable 2FA

Category: 2FA,Access ControlDISC @ 4:03 pm

RIPE NCC announced that it suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.

The RIPE NCC is a not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE community supporting the Internet through technical coordination.

It has over 20,000 members from over 75 countries who act as Local Internet Registries (LIRs) and assign blocks of IP addresses to other organizations in their own country.

The organization mitigated the attack, and its preliminary investigation found no indication that any SSO accounts were compromised.

“Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime,” reads a statement published by the organization.  

“We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised.”
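Credential stuffing has a distinctive shape in SSO logs: one source address walks through many different usernames in a short time, most of them failing. The following added example (written for this page, not RIPE NCC’s code or log format) runs that heuristic over a handful of constructed log lines and lists the accounts that succeeded inside a flagged window, which are the ones to reset and push onto 2FA first.

```python
"""Detect credential stuffing in SSO authentication logs: one source address
trying many distinct usernames with mostly failures in a short window.

Added example, not RIPE NCC's code. The log format and sample lines are
constructed; adapt parse() to the real SSO log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso-time> <source-ip> <username> OK|FAIL"
SAMPLE_LOG = """\
2021-02-13T22:01:02Z 203.0.113.7 alice FAIL
2021-02-13T22:01:03Z 203.0.113.7 bob FAIL
2021-02-13T22:01:03Z 203.0.113.7 carol FAIL
2021-02-13T22:01:04Z 203.0.113.7 dave OK
2021-02-13T22:01:05Z 203.0.113.7 erin FAIL
2021-02-13T22:01:05Z 203.0.113.7 frank FAIL
2021-02-13T22:01:06Z 203.0.113.7 grace FAIL
2021-02-13T22:01:06Z 203.0.113.7 heidi FAIL
2021-02-13T22:01:07Z 203.0.113.7 ivan FAIL
2021-02-13T22:01:07Z 203.0.113.7 judy FAIL
2021-02-13T22:05:00Z 198.51.100.9 alice FAIL
2021-02-13T22:05:20Z 198.51.100.9 alice FAIL
2021-02-13T22:05:40Z 198.51.100.9 alice OK
"""


def parse(text):
    """Yield (timestamp, ip, username, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(text, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.7):
    """Per source IP, slide a time window over its attempts and flag windows with
    many distinct usernames and a high failure ratio. Accounts that succeeded
    inside a flagged window are reported as likely compromised."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse(text):
        per_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "likely_compromised": sorted(u for _, u, ok in win if ok),
                }
    return alerts
```

On the sample, 203.0.113.7 is flagged with ten usernames in five seconds and dave listed as likely compromised, while the single user mistyping a password from 198.51.100.9 is not. Two caveats: the thresholds are tuning knobs, and real stuffing is usually spread across a botnet, so the same heuristic should also be run per ASN or per time bucket rather than per IP alone.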

Jan 23 2021

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys via The Hacker News

Category: 2FA,HackingDISC @ 11:13 pm

Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.

But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the attacker to extract the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device such as the Google Titan Key or YubiKey, completely undermining the 2FA protection.

“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.

“In other words, the adversary created a clone of the U2F device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials.”
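The clone works “as long as the legitimate user does not revoke” the credential, but a relying party does have one signal that goes beyond what the text describes: the U2F/WebAuthn signature counter. Each assertion carries a counter that must strictly increase, so once both the genuine key and the clone are used against the same service, one of them presents a value no higher than the last one stored and the service can flag the credential. The following added example (not NinjaLab’s, Google’s or Yubico’s code) shows that check with in-memory stand-ins for the key and the relying party; no cryptographic signature is verified, only the counter a real assertion would carry.

```python
"""Signature-counter check that lets a relying party notice a cloned security
key. Added example, not NinjaLab's, Google's or Yubico's code; Authenticator
and RelyingParty are in-memory stand-ins and only the counter is checked."""


class Authenticator:
    """Stand-in for a hardware key: a counter that increments on every assertion."""

    def __init__(self, credential_id, counter=0):
        self.credential_id = credential_id
        self.counter = counter

    def sign(self):
        self.counter += 1
        return {"credential_id": self.credential_id, "counter": self.counter}


class RelyingParty:
    def __init__(self):
        self.last_counter = {}   # credential_id -> highest counter seen

    def register(self, credential_id):
        self.last_counter[credential_id] = 0

    def verify(self, assertion):
        """WebAuthn signature-counter rule: the value must strictly increase.
        A repeat or decrease means the private key is in use on more than one
        device. Authenticators that do not implement a counter always send 0,
        and the check cannot help there."""
        cid, counter = assertion["credential_id"], assertion["counter"]
        if counter != 0 and counter <= self.last_counter[cid]:
            return "CLONE_SUSPECTED"
        self.last_counter[cid] = counter
        return "OK"


def scenario():
    rp = RelyingParty()
    rp.register("cred-titan")
    genuine = Authenticator("cred-titan")
    for _ in range(3):                     # victim logs in three times
        rp.verify(genuine.sign())
    # Attacker extracts the private key and builds a clone whose counter starts
    # at the value observed at cloning time.
    clone = Authenticator("cred-titan", counter=genuine.counter)
    first = rp.verify(clone.sign())        # clone presents 4 > 3: accepted, login works
    second = rp.verify(genuine.sign())     # genuine key now also presents 4: flagged
    return [first, second]
```

scenario() returns ["OK", "CLONE_SUSPECTED"]: the clone’s first use is indistinguishable from the real key, and the alarm only fires on the next use of whichever device is behind. The check is therefore a detection after the fact, not a prevention, and it depends on the service actually storing and comparing the counter; it is still worth having, since revocation is the only remedy the text offers.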

Source: New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys

Sep 09 2020

Remember the Titans: Yubico jangles new NFC and USB-C touting security key

Category: 2FADISC @ 2:55 pm

Apple crowd included – as NFC can now be used for something other than Apple Pay

Security token biz Yubico has a new key out today, its latest-generation two-factor authentication (2FA) unit, the YubiKey 5C NFC, which supports PCs and mobile devices over USB-C and includes a built-in NFC radio.

Previous generations of the YubiKey have had USB-C and NFC, but not in one package. The most recent NFC-equipped device came with an old-school rectangular USB-A connector, limiting its usefulness on new computers, which might not include one. The last model offering USB-C lacked NFC, although it did come with a built-in Lightning plug, effectively covering all the bases of the mobile market.

Source: Remember the Titans: Yubico jangles new NFC and USB-C touting security key

Yubikey 5C NFC

Apr 17 2019

Two-factor authentication: A cheat sheet

Category: 2FA,Cheat SheetDISC @ 10:55 am

A password alone will not protect sensitive information from hackers–two-factor authentication is also necessary. Here’s what security pros and users need to know about two-factor authentication.

Source: Two-factor authentication: A cheat sheet


Tags: 2FA, two factor auth

Mar 29 2019

Google’s most secure logon system now works on Firefox and Edge, not just Chrome

Category: 2FA,App SecurityDISC @ 3:26 pm

Better hardware security key support means our post-password future is one step closer to reality.

Source: Google’s most secure logon system now works on Firefox and Edge, not just Chrome


Mar 28 2019

How to set up two-factor authentication on all your online accounts

Category: 2FA,App SecurityDISC @ 1:47 pm

2FA is an important step in preventing your account from being accessed by unauthorized users — here’s how to enable 2FA on your accounts across the web.

Source: How to set up two-factor authentication on all your online accounts