A devious, new phishing technique allows adversaries to bypass multi-factor authentication (MFA) by secretly having victims log into their accounts directly on attacker-controlled servers using the VNC screen sharing system.
One of the biggest obstacles to successful phishing attacks is the difficulty they the attacker has trying to bypass multi-factor authentication (MFA) configured on the targeted victim’s email accounts.
Even if threat actors can convince users to enter their credentials on a phishing site, if MFA protects the account, fully compromising the account still requires the one-time passcode sent to the victim.
To gain access to a target’s MFA-protected accounts, phishing kits have been updated to use reverse proxies or other methods to collect MFA codes from unwitting victims.
However, companies are catching on to this method and have begun introducing security measures that block logins or deactivate accounts when reverse proxies are detected
VNC to the rescue
While conducting a penetration test for a customer, security researcher mr.d0x attempted to create a phishing attack on the client’s employees to gain corporate account credentials.
As the accounts were all configured with MFA, mr.d0x set up a phishing attack using the Evilginx2 attack framework that acts as a reverse proxy to steal credentials and MFA codes.
When conducting the test, the researcher found that Google prevented logins when detecting reverse proxies or man-in-the-middle (MiTM) attacks.
mr.d0x told BleepingComputer that this was a new security feature added by Google in 2019, specifically to prevent these types of attacks.
The researcher also told BleepingComputer that websites, such as LinkedIn, detect man-in-the-middle (MiTM) attacks and deactivate accounts after successful logins.
To overcome this obstacle, mr.d0x came up with a devious new phishing technique that uses the noVNC remote access software and browsers running in kiosk mode to display email login prompts running on the attacker’s server but shown in the victim’s browser.
VNC is a remote access software that allows remote users to connect to and control a logged-in user’s desktop. Most people connect to a VNC server through dedicated VNC clients that open the remote desktop in a similar manner to Windows Remote Desktop.
However, a program called noVNC allows users to connect to a VNC server directly from within a browser by simply clicking a link, which is when the researcher’s new phishing technique comes into play.
“So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com),” explains a new report by mr.d0x on his new phishing technique.
“Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already setup Firefox in kiosk mode all the user will see is a web page, as expected.”
Using this configuration, a threat actor can send out targeted spear-phishing emails that contain links that automatically launch the target’s browser and log into the attacker’s remote VNC server.
These links are highly customizable and allow the attacker to create links that don’t look like suspicious VNC login URLs, such as the ones below:
As the attacker’s VNC server is configured to run a browser in kiosk mode, which runs the browser in full-screen, when the victim clicks on a link they will simply see a login screen for the targeted email service and login as normal.
However, as the login prompt is actually being displayed by the attacker’s VNC server, all login attempts will happen directly on the remote server. mr.d0x told BleepingComputer that once a user logs into the account, an attacker can use various tools to steal credentials and security tokens.
Even more dangerous, this technique will bypass MFA as the user will enter the one-time passcode directly on the attacker’s server, authorizing the device for future login attempts.