Post-Tycoon 2FA Takedown: Phishing Ecosystem Adapts and Evolves
Severity: High (Score: 67.5)
Sources: Scworld, Petri, Darkreading, Ciso.Economictimes.Indiatimes
Summary
Following the takedown of Tycoon 2FA, a major phishing-as-a-service platform, the phishing landscape has rapidly shifted. Tycoon 2FA, which previously accounted for over 9 million attacks per month, saw its activity drop by 77% but still managed to conduct over 2 million attacks after the disruption. Competitors like Mamba 2FA, EvilProxy, and Sneaky 2FA have absorbed Tycoon's tactics and tools, leading to an increase in their phishing activities. Mamba 2FA's attacks surged to over 15 million per month, while EvilProxy and Sneaky 2FA also experienced significant growth. The techniques employed by Tycoon 2FA, including adversary-in-the-middle phishing and session cookie theft, continue to be utilized by other platforms, indicating a resilient and evolving phishing ecosystem. Security experts recommend focusing on broader phishing techniques rather than individual brands to effectively combat these threats.
Key Points:
- Tycoon 2FA's takedown led to a 77% drop in its activity, but it still conducted over 2 million attacks.
- Mamba 2FA's attacks surged to over 15 million per month, filling the void left by Tycoon.
- Phishing techniques from Tycoon 2FA continue to thrive across other platforms, indicating a resilient ecosystem.
Key Entities
- Phishing (attack_type)
- CWE-287 - Improper Authentication (cwe)
- onmsft.com (domain)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566.003 - Spearphishing Via Service (mitre_attack)
- T1566 - Phishing (mitre_attack)
- EvilProxy (tool)
- Mamba 2FA (tool)
- Sneaky 2FA (tool)
- Tycoon 2FA (tool)
- Whisper 2FA (tool)