In the wake of a major takedown of phishing's biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing.
It would be shortchanging Tycoon 2FA to merely distinguish it as the world's premiere phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem.
The ecosystem evolved, though, and earlier this year Barracuda attributed just under half of the PhaaS market to Tycoon, with Mamba 2FA not far behind. Then a coordinated law enforcement takedown knocked out 330 of its active domains. It's still alive and kicking, but its output has dropped from more than 9 million attacks per month to just over 2 million.
It would be incorrect, though, to infer from those figures that law enforcement caused an 80% drop in phishing activity. Whenever the feds clip major cybercrime rings, the threat actors involved don't just hang up their keyboards and find a job. They scatter. The way Tycoon 2FA associates seem to be scattering is particularly interesting, as it mirrors some much larger trends researchers are observing in the phishing threat landscape.
PhaaS Power Politics
When it comes to such a behemoth as Tycoon 2FA, "You can't expect one takedown to completely eliminate every aspect of these operations," says Merium Khalid, director of SOC offensive security with Barracuda's office of the chief technology officer (CTO). "The way you want to look at it is: They took down the operations, but the infrastructure, the tactics, the techniques, and the code behind everything is still there."
While Tycoon has been licking its wounds, groups like EvilProxy and Sneaky 2FA have stepped into the power vacuum it's left behind. EvilProxy attacks per month rose from just under 3 million to just over 4 million around the time of the takedown, and Sneaky 2FA rose from under 700,000 to nearly 2 million.
The group that's benefited the most, though, is Tycoon's formerly largest competitor, Mamba 2FA. Mamba was responsible for nearly 8 million attacks per month before Tycoon was punched in the nose. Now it's churning out more than 15 million per month — a nearly 100% surge in mere weeks.
Like immigrants to new countries, as the hackers have migrated from one phishing service provider to another, they've taken what they know with them. "The [Tycoon 2FA] tools and the code and the techniques are actually now in the hands of their competitors like Mamba and EvilProxy. So I think we're going to be seeing more sophisticated phishing-as-a-service attacks and techniques out there."