
Tycoon Phishing Kit Employs New Technique to Hide Malicious Links

Cybercriminals keep refining their methods for slipping past security controls, and the latest example comes from the Tycoon phishing-as-a-service kit.

The kit has introduced new ways of disguising malicious links so that URL scanners miss them, while the links still resolve for the victim who clicks.

Tycoon is a notable step in email-based attacks: its lures are carefully crafted voicemail notifications and fake accounting-service messages that draw the target toward a credential-harvesting page.

Carefully crafted and tailored voicemail messages (Source – Barracuda)

Where conventional phishing campaigns leave obvious indicators, Tycoon uses URL encoding and structural manipulation that change how a link looks both to security tools and to the recipient.

Barracuda analysts identified these evasion tactics while investigating recent credential-stealing campaigns.

The researchers found that the attackers combine several obfuscation methods in one link, producing hybrid lures that a single-indicator check does not catch.

The most concerning element of Tycoon's approach is URL encoding: '%20' is the percent-encoded space, and the kit inserts long runs of it into the address.

The padding pushes the malicious part of the link beyond the portion that automated scanners inspect, while the browser decodes the link and follows it normally.

The technique also uses Unicode symbols that look like ordinary punctuation but are different code points, so a filter that matches on the ASCII character does not match them.

Advanced Link Manipulation Techniques

The core innovation in Tycoon's arsenal is its Redundant Protocol Prefix technique, which produces partially hyperlinked URLs with deliberate structural inconsistencies.

Attackers craft addresses with duplicate protocol declarations or missing components, such as two 'https' prefixes or no '//' separator after the scheme.

A strict URL parser rejects or mis-parses such a string, while browsers, whose URL parser is deliberately forgiving, still resolve the intended host and path.

Consider this example (shown defanged):

hxxps:office365Scaffidips[.]azgcvhzauig[.]es\If04

The sample above shows the missing-'//' form, with a backslash standing in for the slash before the path; browsers accept both for http(s) links. In the '@' variant of this structure, everything preceding the '@' symbol looks legitimate to the recipient and carries trusted brand references such as 'office365'.

The real destination, however, is whatever follows the '@': the browser treats the text between '//' and '@' as the userinfo (username) part of the URL, not as the host, and connects to the attacker-controlled host after it.

Credential-stealing phishing page (Source – Barracuda)

The subdomain abuse component adds to the deception by producing hostnames that read as Microsoft-affiliated.

'office365Scaffidips' is only a label the domain owner can set freely; the part of the name that decides who controls the server is the registered domain 'azgcvhzauig.es', a separate, malicious domain used for credential harvesting.
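To show what these tricks look like to a parser, the following added example (not code from Barracuda or Cyber Security News) re-parses a link the lenient way a browser does and reports the host it would really connect to, alongside the structural anomalies a strict parser trips over: the missing '//' and backslash path from the sample above, the '@' userinfo trick, a duplicated 'https:' prefix, '%20' padding, and a fullwidth-dot lookalike. The sample links, the padding threshold, the signal names and the assumption that a duplicated prefix resolves to the innermost link are constructed for this illustration.

```python
"""Added example, not code from Barracuda or Cyber Security News.

Re-parse a link the lenient way a browser does, then report the host it
will actually connect to together with the structural signals a gateway
should not ignore. The sample links, the padding threshold and the signal
names are constructed for this illustration.
"""
import re
import unicodedata
from urllib.parse import unquote, urlsplit

SCHEME_RE = re.compile(r"^https?:", re.IGNORECASE)
PAD_THRESHOLD = 5  # assumed: this many %20 in one link is padding, not a filename space


def defang(url: str) -> str:
    """Undo the hxxp / [.] defanging used when samples are shared."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def naive_host(url: str) -> str:
    """Host as seen by a strict RFC 3986 parser: empty when '//' is absent."""
    return urlsplit(defang(url)).hostname or ""


def browser_view(url: str) -> dict:
    """Approximate WHATWG (browser) parsing of an http(s) link.

    Returns the host and path the browser would use plus a list of
    structural anomalies that a strict parser would trip over.
    """
    signals = []
    raw = defang(url)

    # Fullwidth '.', '/', ':' and similar lookalikes fold to ASCII under NFKC.
    text = unicodedata.normalize("NFKC", raw)
    if text != raw:
        signals.append("unicode lookalike characters")

    # Consume every leading http(s): prefix; we assume an autolinker or
    # browser ends up on the innermost link when the prefix is duplicated.
    rest, prefixes = text, 0
    while (m := SCHEME_RE.match(rest)):
        rest, prefixes = rest[m.end():], prefixes + 1
    if prefixes == 0:
        return {"host": "", "path": "", "signals": ["no http(s) scheme"]}
    if prefixes > 1:
        signals.append("redundant protocol prefix")

    # Browsers accept any run of '/' or '\' after 'https:', including none.
    if not rest.startswith("//"):
        signals.append("missing or malformed '//' separator")
    rest = rest.lstrip("/\\")

    # The authority ends at the first '/', '\', '?' or '#'.
    authority, tail = re.match(r"([^/\\?#]*)(.*)", rest, re.DOTALL).groups()

    # Everything before the last '@' is userinfo, not the destination.
    if "@" in authority:
        signals.append("userinfo before '@' hides the real host")
        authority = authority.rsplit("@", 1)[1]

    host = authority.split(":", 1)[0].lower().rstrip(".")
    if not host.isascii():
        signals.append("non-ASCII host")

    # Backslash is a path separator for http(s); decode and drop %20 padding.
    if tail.count("%20") >= PAD_THRESHOLD:
        signals.append("%20 padding in path")
    path = re.sub(r"\s+", "", unquote(tail.replace("\\", "/")))
    return {"host": host, "path": path, "signals": signals}


if __name__ == "__main__":
    SAMPLES = [  # constructed samples for this example
        "hxxps:office365Scaffidips[.]azgcvhzauig[.]es\\If04",
        "https://office365Scaffidips@azgcvhzauig.es/If04",
        "https:https://azgcvhzauig.es/If04",
        "https://azgcvhzauig.es/%20%20%20%20%20%20%20%20If04",
        "https://office365\uff0eazgcvhzauig.es/If04",
    ]
    for s in SAMPLES:
        print(f"{s}\n  strict parser host: {naive_host(s)!r}\n  browser view: {browser_view(s)}")
```

For the page's own sample, the strict parser returns no host at all (everything after 'https:' lands in the path), which is exactly why a reputation or blocklist lookup keyed on the hostname never fires; the browser view recovers 'office365scaffidips.azgcvhzauig.es'. A gateway that normalizes links this way before lookup, and treats the listed signals as scoring inputs, is not fooled by the structural variants on their own.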

These techniques show phishing operations adapting to improved defenses, which is why organizations need multilayered protection that does not rest on a single literal indicator, including machine-learning detection that evaluates the whole message and link in context.


Source: cybersecuritynews.com
