A new phishing technique lets adversaries defeat multi-factor authentication (MFA) by having victims log in to their accounts directly on attacker-controlled servers through the VNC screen-sharing system. MFA protecting the intended victim's email accounts is one of the hardest obstacles for a phishing attempt to overcome.
Even if threat actors persuade a user to enter their credentials on a phishing site, an MFA-protected account cannot truly be compromised without the victim's one-time passcode. Phishing kits have therefore been upgraded to use reverse proxies or other means of capturing MFA codes from unwary victims in order to access their MFA-protected accounts. Companies, however, are becoming aware of this technique and have started implementing security measures that block logins or disable accounts when a reverse proxy is detected.
While conducting a penetration test for a customer, security researcher mr.d0x set out to phish the client's employees for corporate account credentials. Because every account was configured with MFA, mr.d0x built the phishing attack on the Evilginx2 framework, which acts as a reverse proxy to capture passwords and MFA codes. When the researcher ran the test, he found that Google blocked the logins after detecting the reverse proxy, or man-in-the-middle (MiTM), attack.
According to mr.d0x, this was a new security feature developed by Google in 2019, expressly to prevent these sorts of attacks. He also said that websites like LinkedIn identify man-in-the-middle (MiTM) attacks and deactivate accounts following successful logins.
To get around this, mr.d0x devised a new phishing method that uses the noVNC remote-access software and a browser running in kiosk mode, so that an email login prompt hosted on the attacker's server is displayed inside the victim's browser. VNC is a remote-access program that lets a user connect to and control the desktop of a logged-in user. Most people connect to a VNC server with a dedicated VNC client, which opens the remote desktop much like Windows Remote Desktop does.
However, an application called noVNC lets a user connect to a VNC server directly from within a browser by simply clicking a link, and this is where the researcher's novel phishing approach comes into play. The technique is explained in a new report by mr.d0x.
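From the defender's side, the tell-tale sequence is a user's browser loading a noVNC client page and then opening a WebSocket (which noVNC uses to carry the VNC stream) to the same, unsanctioned host. The following detector is an added example, not code from mr.d0x's report; it assumes a constructed proxy-log format and a constructed allowlist of sanctioned VNC gateways.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real proxy's format):
# "<epoch> <client_ip> <method> <url> <status> <upgrade_header_or_->"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# Client pages shipped by the noVNC project; a user landing on one of these
# from a link is the page-load half of the browser-based VNC session.
NOVNC_PAGES = ("vnc.html", "vnc_lite.html")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, upgrade = m.groups()
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "host": host, "status": int(status), "upgrade": upgrade.lower()}

def flag_novnc_sessions(lines, allowed_hosts, window=60):
    """Return (client, host) pairs where a client loaded a noVNC page and then
    completed a WebSocket upgrade (HTTP 101) to the same host within `window`
    seconds. Hosts in allowed_hosts (sanctioned VNC gateways) are ignored."""
    page_hits = defaultdict(list)   # (client, host) -> timestamps of page loads
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["host"] in allowed_hosts:
            continue
        key = (ev["client"], ev["host"])
        path = ev["url"].rsplit("/", 1)[-1].split("?")[0]
        if ev["method"] == "GET" and path in NOVNC_PAGES:
            page_hits[key].append(ev["ts"])
        elif ev["status"] == 101 and ev["upgrade"] == "websocket":
            # WebSocket to the same host shortly after the page load: the
            # browser is now a VNC client to that host.
            if key not in findings and any(ev["ts"] - t <= window for t in page_hits[key]):
                findings.append(key)
    return findings

# Constructed sample traffic: one suspicious session, one sanctioned gateway,
# one unrelated WebSocket application.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://mail-secure-login.example/vnc.html?autoconnect=1 200 -
1700000003 10.0.0.5 GET https://mail-secure-login.example/websockify 101 websocket
1700000010 10.0.0.7 GET https://vncgw.corp.example/vnc.html 200 -
1700000012 10.0.0.7 GET https://vncgw.corp.example/websockify 101 websocket
1700000020 10.0.0.9 GET https://chat.example/socket 101 websocket
""".splitlines()

if __name__ == "__main__":
    print(flag_novnc_sessions(SAMPLE_LOG, {"vncgw.corp.example"}))
```

Real proxies log the Upgrade header and status differently, so the regex and field names need adapting to the product in use; the two-signal logic (noVNC page load followed by a WebSocket to the same host) carries over unchanged.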