A new phishing technique allows cybercriminals to avoid Multi-factor Authentication (MFA). The technique involves secretly having victims log into their accounts on attacker-controlled servers using the VNC.
The new phishing technique
A security researcher named mr.d0x was performing pen-testing for a corporation and ended up creating a phishing attack on the client's employees to obtain account credentials.
The researcher created a phishing attack using remote access software (noVNC) and browsers running in kiosk mode to show email login prompt running on the attacker's server shown in the victim's browser.
In the attack, the Evilginx2 attack framework was used, which acts as a reverse proxy to steal credentials/MFA codes.
This phishing technique circumvents MFA as the user will input the one-time passcode on the attacker's server directly and authorize the device for future login as well.
Why use noVNC?
VNC allows remote users to connect to and control a logged-in user's desktop. However, noVNC software allows users to connect to a VNC server from within a browser by just clicking on a link.
How does the attack work?
The aim of these attacks is to make users click on a customized malicious link that dupes the victims as if they are working on their own browser, while it operates on the remote machine via noVNC.
To begin, the attacker needs to set up a server with noVNC, run any browser in kiosk mode, and head to the genuine website the attacker wants the user to authenticate (e.g. accounts.google.com).
The attackers send a link to the target user, mostly using spear-phishing emails. These links will automatically launch the target's browser and log into the attacker's remote VNC server without realizing it.
The links are customizable and do not look like suspicious VNC login URLs. When a victim clicks on a link they will simply see a login screen.
Once a user is logged in, the attacker can use different tools to steal credentials or security tokens.
The demonstrated phishing technique has not been used in real-world attacks yet. However, the researcher suspects that it could be used in the future. Therefore, it is recommended to never click on URLs from unknown senders. Further, users should stay alert while receiving any email—especially asking for a login and inspecting links for unusual domains.