Game Dev Tycoon Download Full Version Crack


Addison Mauldin

Jun 12, 2024, 8:29:40 AM
to ipkerrabshun

To answer your question: Mods are unfortunately not supported on the Windows Store version due to security restrictions for Store apps. We plan to update the Windows Store version to bring it in line with recent updates in the next weeks.

To enhance our threat intelligence, improve detection and identify new threats, Sekoia analysts engage in continuous hunting to address the main threats affecting our customers. For this, we proactively search and identify emerging threats, using our telemetry data, internal tools and external services.

In October 2023, our daily threat hunting routine led us to uncover a new Adversary-in-The-Middle (AiTM) phishing kit allegedly used by multiple threat actors to carry out widespread and effective attacks. Our investigation revealed that this kit was associated with the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which had been active since at least August 2023.

At this time, the Sekoia Threat Detection & Research (TDR) team conducted an in-depth analysis of the Tycoon 2FA PhaaS kit and shared some of our findings with the cybersecurity community on Twitter. Since then, we have been actively monitoring the infrastructure of Tycoon 2FA phishing pages, campaigns leveraging the kit, source code updates, and activities of the alleged developer.

Our monitoring of the prominent PhaaS kit revealed that Tycoon 2FA has become one of the most widespread AiTM phishing kits over the last few months, with more than 1,100 domain names detected between late October 2023 and late February 2024.

In mid-February 2024, we identified a new emerging version of the Tycoon 2FA that was widely distributed in the wild. This new version enhances its obfuscation and anti-detection capabilities and changes network traffic patterns. In response to these developments, Sekoia analysed the changes and highlighted the new infrastructure.

This blog post aims to present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the phishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate risks associated with Tycoon 2FA.

In October 2023, our threat hunting for evasive phishing campaigns identified the massive use of QR codes redirecting to several AiTM phishing kits. While some of them were already known and monitored by us, such as Caffeine, Dadsec, EvilProxy and NakedPages, others were unfamiliar to us. Analysing unknown phishing pages led us to identify a growing infrastructure of hundreds of similar AiTM phishing pages.

The threat actor, who is also the alleged developer of the phishing kit, sells ready-to-use Microsoft 365 and Gmail phishing pages, as well as attachment templates, starting at $120 for 10 days, with prices increasing depending on the TLD. In March 2023, the phishing service provided several domain name extensions, including .ru, .su, .fr, .com, .net and .org.

First, the Dadsec OTT and Tycoon 2FA administration panels are almost identical in content and design, as shown in Figure 4. On both platforms, we find the logo of the PhaaS in the top right-hand corner, the same statistical data categories (Bots Blocked, Total Visits, Valid Login, SSO Login and Invalid Login), similar main tabs (Settings and Clear Logs), and an almost identical UI design, with the same table, buttons, font, etc.

Second, the Dadsec OTT and Tycoon 2FA phishing kits operate in a similar way. To filter out bot traffic, both phishing pages first challenge the visitor with a Cloudflare Turnstile test. Both of them use custom HTML pages to embed the Cloudflare CAPTCHA alternative (see Figure 5):

Once the challenge is passed, the two phishing pages display a page mimicking Microsoft authentication. The workflow to retrieve, deobfuscate and process the fake authentication page differs between the two phishing kits.

Sekoia analysts assess with high confidence that the alleged developer of the Tycoon 2FA PhaaS had access to and partially reused the source code of the Dadsec OTT phishing kit. It is plausible that the Tycoon 2FA developer forked the code of the Dadsec OTT administration panel and developed the core functions of the new AiTM phishing kit, including the front-end HTML code of the phishing pages and the back-end code for the authentication process.

The customers of the Tycoon 2FA PhaaS mainly distribute their phishing pages through redirections from URLs and QR codes embedded in email attachments or email bodies. The Tycoon 2FA service provides its clients with templates of phishing attachments (HTML pages), offering ready-to-use decoy documents that make it easier for cybercriminals to carry out their campaigns.

For example, some PDFs use human resources, financial, or security-themed lures to lead the target through the next steps, up to sharing their credentials and completing the MFA challenge. Sekoia observed decoys impersonating DocuSign, Microsoft and Adobe, among others (see Figure 1).

Most of the phishing campaigns carried out by the Tycoon 2FA customers seem to target organisations worldwide, by sending large volumes of phishing emails. Some of the customers focus on identifying and targeting employees in the financial, accounting, or executive departments to take advantage of their access through fraud or use of privileged information.

If the first authentication step, using the email address and password, succeeds, the JavaScript code then handles user interactions and form validation on the phishing page. It also updates the HTML page with the fake Microsoft page implementing the 2FA method. For this, it implements numerous conditional statements depending on the user inputs and the responses of the Microsoft server. Some elements displayed on the phishing page are also received over WebSockets, including the final redirection page, or the error message if the Microsoft API denies the 2FA challenge.

Using commercial proxy servers, the Tycoon 2FA phishing pages relay the user inputs, including the email address, the password, and the 2FA code, to the legitimate Microsoft authentication API. The responses from the Microsoft API are then used to return the appropriate pages and information to the user.

Due to its position in the middle of the authentication process, the C2 server captures all relevant data, notably the session cookies, allowing the cybercriminals to replay the session and therefore bypass the MFA.

Regarding the redundancy of this communication, Sekoia analysts believe that the developer did not invest significant effort in optimising the code of the phishing kit, revealing that this phishing kit is not as sophisticated as some other PhaaS competitors such as Caffeine.

From the rendering of the fake Microsoft page to the closure of the phishing page by the user, the C2 server collects the harvested data and the status of the operations over WebSockets. It also sends the user's web browser some of the elements used to build the following phishing pages.

The latest version of Tycoon 2FA introduced changes to the JavaScript and HTML code responsible for its main phishing capabilities. Additionally, the phishing page retrieves its various resources in a different order and filters unwanted traffic more aggressively to reject requests from bots or analysis tools.

By comparing two versions of the Tycoon 2FA phishing kit, we identified similar deobfuscation functions and core functionalities. However, notable changes were made to the structure of the different stages.

This query relied on the specific names of two CSS files used by the phishing kit to replicate login pages. By March 2024, this heuristic yielded over 3,000 results on urlscan, all of which we associate with high confidence with Tycoon 2FA phishing pages.

This query is based on the specific generated name of the JavaScript code embedding the fake Microsoft login page and the Cloudflare Turnstile challenge. By March 2024, this heuristic yielded over 4,000 results on urlscan, all strongly associated with Tycoon 2FA phishing pages.

This query is based on the specific names of the JavaScript code implementing core capabilities of the Tycoon 2FA phishing kit, such as exfiltration over WebSockets and dynamic construction of the 2FA relaying pages. By March 2024, this heuristic yielded around 3,000 results on urlscan, which we associate with high confidence with Tycoon 2FA phishing pages.

However, recent changes in Tycoon 2FA led to the renaming and modification of these specific resources. Moreover, they are no longer loaded until the Cloudflare Turnstile challenge is solved. Therefore, the phishing pages of the latest version no longer load these specific resources when analysed by URL scanning services.

When scanning a Tycoon 2FA phishing page running the latest version, only the requests of stages 0 and 1 are issued, since the Turnstile challenge must be solved before the later stages load. If no redirection steps precede the URL of the phishing page, the scan results in 5 requests, e.g.:

This query uses the number of requests and the total data size of all resources. In March 2024, this heuristic yielded over 700 results on urlscan, which we associate with medium confidence with Tycoon 2FA phishing pages.
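As an added illustration, not Sekoia's query or code, the following classifier applies the two heuristic families described above to a constructed scan summary: a filename match on kit-specific resources (high confidence) and a request-count plus data-size fingerprint for the newer version (medium confidence). Every resource name and threshold in it is a placeholder, not one of the real indicators.

```python
# Added example (not Sekoia's query or code): classify a URL-scan summary with
# the two heuristic families described above. All resource names and size
# thresholds are CONSTRUCTED placeholders, not the real indicators.
from dataclasses import dataclass
from urllib.parse import urlparse

# Older heuristics: kit-specific CSS/JS filenames (placeholders here).
KNOWN_RESOURCE_NAMES = {"placeholder-login.css", "placeholder-turnstile.js"}
# Newer heuristic: request count and total bytes when only stage 0 and 1
# resources load before the Turnstile challenge (placeholder values).
STAGE01_REQUEST_COUNT = 5
STAGE01_TOTAL_BYTES = (40_000, 60_000)  # inclusive range, constructed


@dataclass
class Request:
    url: str
    size: int  # response body size in bytes


def filename_hits(requests):
    """Kit-specific resource names seen in the scan (high-confidence signal)."""
    names = {urlparse(r.url).path.rsplit("/", 1)[-1] for r in requests}
    return sorted(names & KNOWN_RESOURCE_NAMES)


def matches_stage01_fingerprint(requests):
    """Medium-confidence signal: request count plus total size of all resources."""
    total = sum(r.size for r in requests)
    low, high = STAGE01_TOTAL_BYTES
    return len(requests) == STAGE01_REQUEST_COUNT and low <= total <= high


def classify(requests):
    """Return ('high' | 'medium' | 'none', reason) for one scan result."""
    hits = filename_hits(requests)
    if hits:
        return "high", "kit resource names: " + ", ".join(hits)
    if matches_stage01_fingerprint(requests):
        return "medium", "stage 0/1 request count and data size match"
    return "none", "no heuristic matched"


# Constructed sample scans, not real captures.
OLD_VERSION_SCAN = [Request("https://example.invalid/", 12_000),
                    Request("https://example.invalid/assets/placeholder-login.css", 9_000)]
NEW_VERSION_SCAN = [Request(f"https://example.invalid/r{i}", 10_000) for i in range(5)]
BENIGN_SCAN = [Request("https://example.invalid/", 3_000)]
```

In practice the size range has to be re-measured whenever the kit's stage 0 and 1 resources change, which is why the page rates this signal as medium confidence only.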

Tracking Tycoon 2FA has become more complex since the developer enhanced the stealth capabilities of the phishing kit. Even though we can no longer use characteristic filenames to track the phishing pages, Sekoia found heuristics by correlating the legitimate resource names with the responses of the central C2 server, as well as the length of the data and the size of the resources.

Over the last few months, the wallet dynamics (incoming transactions and associated amounts) align with the observed Tycoon 2FA PhaaS activities. Indeed, the prices publicly announced by the service range between $120 and $320. Additionally, the operator of the PhaaS mentioned that the customers have to pay an extra charge for any domain change, which could explain transactions of a few dozen dollars.
