Source: Storyblocks
Phishing-as-a-Service (PhaaS) tool provider Tycoon2FA has been updating its phishing kit with advanced evasion tactics lately. These include custom CAPTCHA via HTML5 canvas, invisible Unicode in hidden JavaScript, and anti-debugging scripts to bypass detection by browsers and security researchers.
Security researchers at Trustwave spotted these new evasion tactics. Their report claims the new behaviour is being demonstrated on a Tycoon2FA phishing landing page available as a Urlscan.io session. The report also includes YARA rules for page detection. It warns researchers to practice behaviour-based browser sandboxing and take a deeper look into the JavaScript behind a page and its patterns to spot any phishing pages in the wild.
While most browsers can warn users of usual phishing pages, these new tactics can help phishing sites avoid being flagged. First, invisible Unicode in JavaScript can help encode binary data in pages. These pages sit on the internet until the attacker wants to execute a script, in which case binary characters are encoded using invisible Unicode characters. The script runs on the target’s system without any visible network or system activity indication.
Tycoon2FA also replaces third-party CAPTCHAs like Cloudflare Turnstile with its custom HTML5 canvas-based elements. Previously, security teams could easily fingerprint and block phishing pages using “recognisable third-party elements.”
However, Tycoon’s new HTML5 CAPTCHAs are rendered using HTML5 canvas elements with random characters, background noise, and slight distortions. If the CAPTCHA verification is successful, the form data is sent, and instructions from an attacker-controller server are forwarded to the page. This helps the page blend into “legitimate login workflows while allowing the attacker to serve decoys or reroute victims dynamically.”
The group has also been adding anti-debugging JavaScript into its web pages. This script is capable of:
- Detecting browser automation
- Block dev tool shortcuts such as F12, Ctrl+Shift+I, Ctrl+U, and more.
- Preventing right-clicking on the page, effectively blocking the inspect element feature.
- Using a debugger with a timing check to check if another debugger pauses execution.
Security researchers or even regular people can use these tools to peek under a website’s hood and see the underlying code for themselves. Anti-debugging JavaScript scripts can also redirect visitors to another website if they suspect the visitor is analysing the website.
This makes the dynamic analysis of phishing pages much harder for security experts. Combined with code obfuscation, these techniques can extend the lifespan of phishing campaigns, allowing them to target more victims before eventually being taken down.
In the News: China jails 9 for scamming over 66,000 Indians
