This blog details how Obsidian detects and blocks the latest version of Tycoon, an adversary-in-the-middle (AiTM), Phishing-as-a-Service (PhaaS) platform that leverages a reverse proxy to intercept and replay credentials and MFA prompts.
This new version of Tycoon has recently received press from Forbes [1], Dark Reading [2], TechRadar [3], and others.
Sekoia wrote a great article detailing how the Tycoon phishing kit has been updated with new obfuscation and anti-detection capabilities. This phishing kit uses a reverse proxy to intercept and replay credentials and MFA prompts, allowing attackers to defeat most MFA factors, including SMS, TOTP, Push, and Number Matching.
Phishing kits that leverage a reverse proxy are growing rapidly. Caffeine, EvilProxy, NakedPages, Dadsec, and Tycoon are documented kits, and open-source options include Muraena, Evilginx, and Modlishka.
First, let's find some recent Tycoon phishing websites.
Using the latest technique suggested by Sekoia, we’ll search urlscan.io for the following:
filename:("code.jquery.com/jquery-3.6.0.min.js" AND "challenges.cloudflare.com/turnstile/v0/api.js")
hash:5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
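The search above can be reproduced and, more usefully, applied locally to scan records you already hold. The following is an added example by the editor, not Obsidian's or Sekoia's code. It builds the urlscan.io search string and URL (the `/api/v1/search/` endpoint is urlscan's real search API), then applies the same two-part fingerprint to constructed, urlscan-like scan records: both resource filenames must be requested and some response body must hash to the quoted value. One detail the post does not state, which the editor verified: that SHA-256 is the hash of the one-byte body `0`, so the constructed kit-like record serves exactly such a response. The page URLs, request lists and bodies are all constructed placeholders.

```python
"""Added example (not Obsidian's or Sekoia's code): reproduce the urlscan.io
search from the post and apply the same fingerprint to local scan records."""
import hashlib
from urllib.parse import quote

# Indicators quoted in the post: two resources the kit's landing page loads,
# and the SHA-256 of one response body the kit serves.
TYCOON_FILENAMES = (
    "code.jquery.com/jquery-3.6.0.min.js",
    "challenges.cloudflare.com/turnstile/v0/api.js",
)
TYCOON_HASH = "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"

URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"  # real urlscan.io endpoint


def urlscan_query() -> str:
    """The search string from the post, with straight quotes so it pastes cleanly."""
    files = " AND ".join(f'"{f}"' for f in TYCOON_FILENAMES)
    return f"filename:({files}) hash:{TYCOON_HASH}"


def urlscan_search_url(query: str, size: int = 100) -> str:
    """Full GET URL for the search API; the query is percent-encoded."""
    return f"{URLSCAN_SEARCH}?q={quote(query, safe='')}&size={size}"


def resource_sha256(body: bytes) -> str:
    """Assumption: urlscan's hash: field is the SHA-256 of a response body."""
    return hashlib.sha256(body).hexdigest()


def matches_tycoon_fingerprint(scan: dict) -> bool:
    """AND semantics, as in the query: every filename must be requested and at
    least one response body must hash to the known value."""
    urls = [r["url"].lower() for r in scan["requests"]]
    has_files = all(any(f in u for u in urls) for f in TYCOON_FILENAMES)
    has_hash = any(resource_sha256(r["body"]) == TYCOON_HASH for r in scan["requests"])
    return has_files and has_hash


def triage(scans: list) -> list:
    """Return the page URLs of scans that match the fingerprint."""
    return [s["page_url"] for s in scans if matches_tycoon_fingerprint(s)]


# Constructed sample records in a simplified urlscan-like shape (placeholders).
SAMPLE_SCANS = [
    {   # constructed: loads both scripts and serves a one-byte "0" response
        "page_url": "https://placeholder-tycoon.example/login",
        "requests": [
            {"url": "https://code.jquery.com/jquery-3.6.0.min.js", "body": b"/* jquery */"},
            {"url": "https://challenges.cloudflare.com/turnstile/v0/api.js", "body": b"/* turnstile */"},
            {"url": "https://placeholder-tycoon.example/api/check", "body": b"0"},
        ],
    },
    {   # constructed: legitimate site using jQuery and Turnstile, no "0" body
        "page_url": "https://shop.example/",
        "requests": [
            {"url": "https://code.jquery.com/jquery-3.6.0.min.js", "body": b"/* jquery */"},
            {"url": "https://challenges.cloudflare.com/turnstile/v0/api.js", "body": b"/* turnstile */"},
        ],
    },
    {   # constructed: serves a "0" body but loads neither script
        "page_url": "https://status.example/",
        "requests": [{"url": "https://status.example/ping", "body": b"0"}],
    },
]

if __name__ == "__main__":
    print(urlscan_search_url(urlscan_query()))
    print("matches:", triage(SAMPLE_SCANS))
```

Requiring both halves matters: many legitimate sites load jQuery 3.6.0 and Turnstile, and a bare `0` response is common, so either indicator alone would be noisy; together they are specific to the kit's current build and will need refreshing when it changes.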
We receive some recent results:
Investigating the first result, we can confirm that TycoonGroup has implemented Cloudflare’s captcha/turnstile to prevent security crawlers and email security products (like ESGs) from observing the website.
This isn't a problem for Obsidian: we inspect all content and network traffic for the entire browsing session, so anti-bot countermeasures such as Cloudflare's Turnstile, which keep crawlers from reaching the phishing page, do not prevent inspection.
Once we observe the final landing page, which looks like a Microsoft login page, we detect these visual and structural similarities and block the user from submitting any credentials.
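A reverse-proxied kit serves a near-exact copy of the real sign-in page, so structural similarity alone cannot distinguish the clone from the original; the decisive signal is a Microsoft-looking form served from a host that is not Microsoft's. The following is an added example by the editor, not Obsidian's detection logic. It extracts structural features (input types and names, form presence, image alt text, title words) from HTML, scores similarity to a constructed reference form with a Jaccard coefficient, and blocks when the score is high and the serving host is outside an allowlist. The reference and sample pages, the `0.6` threshold and the `.example` hosts are constructed; `login.microsoftonline.com` is Microsoft's real sign-in host.

```python
"""Added example (not Obsidian's detection logic): structural similarity of a
rendered page to a reference sign-in form, combined with a host check."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve a page that structurally matches the reference.
ALLOWED_HOSTS = {"login.microsoftonline.com"}
THRESHOLD = 0.6  # constructed; tune against your own false-positive rate


class FormFeatures(HTMLParser):
    """Collect structural features: inputs, form, image alt text, title words."""

    def __init__(self):
        super().__init__()
        self.features = set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "input":
            self.features.add(f"input:{a.get('type', 'text').lower()}:{(a.get('name') or '').lower()}")
        elif tag == "form":
            self.features.add("form")
        elif tag == "img" and a.get("alt"):
            self.features.add(f"img-alt:{a['alt'].strip().lower()}")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            for word in data.lower().split():
                self.features.add(f"title:{word}")


def extract_features(html: str) -> set:
    parser = FormFeatures()
    parser.feed(html)
    return parser.features


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


# Constructed reference: a minimal Microsoft-style sign-in form.
REFERENCE_HTML = (
    "<html><head><title>Sign in to your account</title></head><body>"
    '<form><img alt="Microsoft"><input type="email" name="email">'
    '<input type="password" name="password"><input type="submit" value="Next">'
    "</form></body></html>"
)
REFERENCE_FEATURES = extract_features(REFERENCE_HTML)


def classify(url: str, html: str) -> dict:
    """Block when the page looks like the reference but is served elsewhere."""
    host = (urlparse(url).hostname or "").lower()
    score = round(jaccard(extract_features(html), REFERENCE_FEATURES), 3)
    suspicious = score >= THRESHOLD and host not in ALLOWED_HOSTS
    return {"host": host, "score": score, "verdict": "block" if suspicious else "allow"}


# Constructed samples: a proxied copy with one extra hidden field, and a benign page.
CLONE_HTML = REFERENCE_HTML.replace("<form>", '<form><input type="hidden" name="token">')
BENIGN_HTML = (
    "<html><head><title>Company intranet search</title></head><body>"
    '<form><input type="search" name="q"><input type="submit"></form></body></html>'
)

if __name__ == "__main__":
    print(classify("https://login.microsoftonline.com/", REFERENCE_HTML))
    print(classify("https://placeholder-phish.example/", CLONE_HTML))
    print(classify("https://intranet.example/", BENIGN_HTML))
```

The feature set is deliberately coarse: a proxied clone keeps the original's inputs and title, so it scores near 1.0, while an unrelated form shares only the generic `form` and submit features. In practice the reference set would be built from the real sign-in page and the host allowlist from the tenant's identity provider domains.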