Commentary

Come Phish With Me: The Growing Problem With Phishing-As-A-Service

Tycoon 2FA, the alleged phishing-as-a-service (PhaaS) provider, has expanded and is increasingly using Spanish-language domains (.es), according to a recent analysis by DNSFilter.

Active since 2023, Tycoon 2FA is a sophisticated PhaaS platform that specializes in “adversary-in-the-middle attacks” to bypass multi-factor authentication, according to DNSFilter.

To paraphrase the report, Tycoon 2FA relies on short-lived, burnable Fully Qualified Domain Names (FQDNs) hosted on longer-lived root domains, creating a two-tier system.

We’re in no position to confirm these allegations. Let’s just forget the company name and say that any number of players are using these techniques. 

For this report, DNSFilter’s researchers analyzed 11,343 unique FQDNs. They found these strategies at work:

  • A coordinated surge in Spanish domain infrastructure — 13 .es domains were activated on April 7, and researchers detected sustained activity with such domains through June.
  • Enhanced obfuscation techniques – Offenders use “nested encoding schemes that go deep within encrypted blobs and implements of Base91 encoding alongside traditional Base64,” DNSFilter says.
  • Evidence of target-specific subdomain operations — This entails creating or identifying subdomains within a larger domain name tailored for a particular purpose or audience, DNSFilter says.

Add it all up, and it means difficulty for honest email marketers. First, there is the problem of overcrowded inboxes. Second, consumers may be worried about opening any email. 

“Our research underscores the fact that bad actors continue to evolve their methods and become more sophisticated,” says Will Strafach, head of security intelligence & solutions, DNSFilter. 

Strafach adds: “To stay safer amid this surge, organizations need to implement wildcard domain blocking for all 65 root domains that DNSFilter found and monitor for subdomain pattern matching.”
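The two controls named above, wildcard blocking of a root domain and watching for churn of short-lived FQDNs under one root, can be sketched as follows. This is an added example, not code from DNSFilter or the article; the `.example` domain names, the thresholds and the two-label root extraction are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def normalize(fqdn):
    return fqdn.strip().rstrip(".").lower()

def is_blocked(fqdn, blocked_roots):
    """Wildcard match: True if fqdn is a blocked root or any subdomain of one."""
    labels = normalize(fqdn).split(".")
    # Compare whole-label suffixes so "notbad.example" never matches "bad.example".
    return any(".".join(labels[i:]) in blocked_roots for i in range(len(labels)))

def root_of(fqdn):
    # Assumption: registrable root = last two labels. Use the Public Suffix
    # List in production so names under suffixes like com.es group correctly.
    return ".".join(normalize(fqdn).split(".")[-2:])

def burnable_roots(events, min_fqdns=3, max_lifetime=timedelta(hours=24)):
    """Return {root: sorted short-lived FQDNs} for roots with many burnable names."""
    seen = {}  # fqdn -> (first_seen, last_seen)
    for ts, fqdn in events:
        name = normalize(fqdn)
        first, last = seen.get(name, (ts, ts))
        seen[name] = (min(first, ts), max(last, ts))
    by_root = defaultdict(list)
    for name, (first, last) in seen.items():
        # A name seen only once has lifetime zero and counts as short-lived.
        if name != root_of(name) and last - first <= max_lifetime:
            by_root[root_of(name)].append(name)
    return {r: sorted(n) for r, n in by_root.items() if len(n) >= min_fqdns}

# Constructed sample resolver log (reserved .example names, not real indicators).
T0 = datetime(2025, 1, 1)
SAMPLE = [
    (T0, "a1x9.login-root.example"),
    (T0 + timedelta(hours=2), "a1x9.login-root.example."),
    (T0 + timedelta(hours=5), "Q7ZK.login-root.example"),
    (T0 + timedelta(hours=30), "m3p0.login-root.example"),
    (T0, "www.shop.example"),
    (T0 + timedelta(days=20), "www.shop.example"),
    (T0 + timedelta(days=1), "mail.shop.example"),
]

if __name__ == "__main__":
    print(burnable_roots(SAMPLE))
    print(is_blocked("new.login-root.example", {"login-root.example"}))
```

Blocking on the root covers FQDNs that have not been observed yet, which is why the per-FQDN churn only needs to be detected, not enumerated.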

 
