High-end Fraudster's Toolkit Leverages Advanced Hiding Techniques to Camouflage Malicious URLs
In the ever-evolving world of cybercrime, the Tycoon phishing kit has emerged as a significant threat on the dark web. This Phishing-as-a-Service (PhaaS) platform, operated by the cybercriminal group known as Silent Starling, offers advanced capabilities to attackers looking to launch phishing campaigns.
One of the key features of the Tycoon phishing kit is URL obfuscation through encoding. The links are percent-encoded and padded with unusual characters so that string-matching detection engines do not recognise them as known-bad, while the browser still resolves them to the attacker's site. Among the padding is a Unicode symbol that renders like a dot but is not the ASCII full stop (U+002E), so an address the reader sees as 'login.service.com' is not the hostname the browser actually parses.
Tycoon's URL encoding is particularly effective in phishing emails that masquerade as voicemail notifications from trusted accounting services. In these emails the kit inserts a long run of '%20', the percent-encoding of a space character, into the web address. The visible start of the link reads like a legitimate Microsoft subdomain, while the real destination, an attacker-owned domain, sits at the far end of the address where a mail client preview or a truncated status bar no longer shows it.
Another approach used in Tycoon phishing attacks is subdomain abuse. The attacker registers a throwaway domain and puts a brand-like label in front of it, as in 'office365Scaffidips.azgcvhzauig.es'. The part a user recognises ('office365') is a subdomain the attacker chose freely; the registrable domain that actually matters, 'azgcvhzauig.es', is under the attacker's control.
Moreover, the Tycoon phishing kit exploits the '@' symbol in a web address. Under the URL syntax browsers implement, everything between '//' and '@' is the 'user info' field, and the host the browser connects to is what comes after the '@'. The link is built so that the part before the '@' looks benign and legitimate, which is what a reader notices, while the actual destination comes after the '@' symbol. Modern browsers discard or warn about the user info, but they still navigate to the host after the '@'.
To further complicate matters, Tycoon uses the Redundant Protocol Prefix technique: link targets with a duplicated or malformed scheme, such as an extra 'https' prefix or a scheme with no '//' after it, or with only part of the address hyperlinked. A scanner that expects a well-formed 'https://host/' may fail to extract the destination from such a link, while the browser's lenient parser still resolves it to the attacker's host.
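The following is an added example, not code from the article or from the Tycoon kit, that feeds the link shapes described above (percent-encoded spaces, a dot look-alike, subdomain abuse, the '@' user-info trick and the redundant or missing protocol prefix) to the WHATWG URL parser that browsers and Node.js share. It reports which host the browser would actually contact and flags each trick. All sample URLs are constructed for illustration (the only identifier taken from the article is the 'office365Scaffidips.azgcvhzauig.es' host; '.example' is a reserved TLD), and the brand allow-list, keyword list and the two-label registrable-domain rule are assumptions a defender would replace with their own data and the Public Suffix List.

```javascript
// Added example (not the article's or the kit's code): audit obfuscated links with the
// WHATWG URL parser and flag the tricks described in the article.

// Assumption: registrable domains the organisation treats as the genuine brand.
const ALLOWED_BRAND_DOMAINS = new Set(['microsoft.com', 'microsoftonline.com', 'office.com']);
// Assumption: brand words whose appearance in a subdomain of some other domain is suspicious.
const BRAND_KEYWORDS = ['microsoft', 'office365', 'office', 'outlook', 'sharepoint', 'login'];
// Characters that render like '.' but are not U+002E. The article does not say which one
// Tycoon uses; these are common look-alikes (ONE DOT LEADER, FULLWIDTH FULL STOP, etc.).
const DOT_LOOKALIKES = ['\u2024', '\uFF0E', '\u3002', '\uFF61'];

// Text between the scheme and the first path/query/fragment delimiter, taken from the raw
// string so that tricks the parser would normalise away are still visible to us.
function rawAuthority(raw) {
  const afterScheme = raw.replace(/^[a-z][a-z0-9+.-]*:\/*/i, '');
  return afterScheme.split(/[/?#\\]/, 1)[0];
}

// Returns the host the browser will connect to plus a list of finding tags.
function auditUrl(raw) {
  const findings = [];
  const authority = rawAuthority(raw);

  // Redundant or malformed protocol prefix.
  if (/^https?:(?!\/\/)/i.test(raw)) findings.push('scheme-missing-slashes');
  if (/^https?:\/\/https?:/i.test(raw)) findings.push('redundant-scheme');

  // '%20' padding that pushes the real host out of sight in a mail client.
  if (/%20/i.test(authority)) findings.push('encoded-spaces-in-authority');

  // A dot look-alike (or any other non-ASCII character) in the authority.
  if (DOT_LOOKALIKES.some((ch) => authority.includes(ch))) {
    findings.push('dot-lookalike-in-authority');
  } else if (/[^\x00-\x7f]/.test(authority)) {
    findings.push('non-ascii-in-authority');
  }

  let parsed;
  try {
    parsed = new URL(raw); // the same parser a browser applies to the href
  } catch {
    findings.push('unparseable');
    return { hostname: null, username: '', findings };
  }

  // Everything before '@' is user info; the browser connects to parsed.hostname.
  if (parsed.username !== '' || parsed.password !== '') findings.push('userinfo-before-at');

  // Brand word in a subdomain of a domain that is not the brand's own.
  const labels = parsed.hostname.split('.');
  // Assumption: registrable domain = last two labels. Production code should use the
  // Public Suffix List; a host under 'co.uk' would be mishandled by this shortcut.
  const registrable = labels.slice(-2).join('.');
  if (!ALLOWED_BRAND_DOMAINS.has(registrable)) {
    const subdomain = labels.slice(0, -2).join('.');
    if (BRAND_KEYWORDS.some((kw) => subdomain.includes(kw))) findings.push('brand-in-subdomain');
  }

  return { hostname: parsed.hostname, username: parsed.username, findings };
}

// Constructed samples mirroring the link shapes the article describes.
const SAMPLES = {
  encodedSpaces: 'https://login.microsoft.com' + '%20'.repeat(40) + '@malicious.example/voicemail',
  unicodeDot: 'https://login\u2024microsoft.com.malicious.example/', // U+2024 ONE DOT LEADER
  subdomainAbuse: 'https://office365Scaffidips.azgcvhzauig.es/',
  userInfo: 'https://www.microsoft.com@malicious.example/login',
  noSlashes: 'https:malicious.example/',
  doubledScheme: 'https://https://malicious.example/',
  clean: 'https://www.microsoft.com/',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const result = auditUrl(raw);
  const host = result.hostname ?? '(parse failure)';
  console.log(`${name}: browser connects to ${host}; findings = ${result.findings.join(', ') || 'none'}`);
}
```

Two things are worth noticing when running it. The 'encodedSpaces' and 'userInfo' samples both resolve to 'malicious.example' even though 'login.microsoft.com' or 'www.microsoft.com' is the first thing a reader sees, because that text is user info, not the host. And 'https:malicious.example/' with no '//' is accepted by the browser parser and resolved to 'malicious.example', which is exactly why a link scanner that rejects it as malformed leaves a gap.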
In addition to these link-hiding techniques, the Tycoon phishing kit includes tooling to evade detection and to bypass multi-factor authentication (MFA). The MFA bypass works in the adversary-in-the-middle fashion common to current PhaaS kits: the phishing page relays the victim's credentials and MFA response to the genuine login service and captures the resulting session cookie, so the second factor is satisfied for the attacker's session. Together these capabilities make it a formidable threat in the phishing landscape.
The adoption of these techniques by the Tycoon phishing kit is a response to the improved ability of email security tools to detect and block dangerous links. Defenders should judge a link by the host a URL parser extracts from it, not by how the address reads in a mail client, and users and businesses need to stay vigilant as these threats continue to evolve.