As we all know, the most effective protection against phishing attacks is to deploy multi-factor authentication (MFA) on your email account.
Even if an attacker can use a phishing website to obtain a login account and password, if MFA is deployed, verification is still required when logging into the account. Because of this, MFA is seen as an effective way to prevent phishing and is widely deployed by enterprises.
However, security researchers have found that a new type of phishing attack can bypass MFA, and enterprise users need to pay close attention. The specific attack method is that the attacker uses the VNC screen sharing system to let the targeted user log in to their account directly on the server controlled by the attacker so that the MFA can be bypassed.
VNC is the key to bypassing MFA
While conducting penetration tests for a company, security researcher Mr.d0x attempted to launch a phishing attack on employees in order to obtain the account password to log into the system. But because the company deployed MFA, regular phishing attacks were blocked.
Mr.d0x said that the block came from a security feature Google added in 2019 to detect the commonly used "reverse proxy" or man-in-the-middle (MitM) phishing attack: once such an attack is detected, MFA issues a corresponding alert and the email account is temporarily deactivated.
In response, Mr.d0x worked out a new phishing technique that uses the noVNC remote access software together with a browser running in kiosk mode. The email login prompt is actually rendered by a browser running on the attacker's server, but it appears inside the victim's own browser as an ordinary web page, and the login that follows successfully bypassed the MFA.
VNC is remote access software that allows remote users to connect to and control the desktop of a logged-on user. Most people connect to VNC servers through a dedicated VNC client that works much like Windows Remote Desktop. However, the noVNC program lets a user connect to a VNC server directly from within the browser by clicking a link, which gives the attacker a way to bypass MFA.
Mr.d0x said that when users clicked on the link sent by the attackers, they would not realize that they had visited the VNC server and because Firefox had been set to kiosk mode before, the user saw only a web page.
In this way, the attacker could send a targeted spear-phishing email containing a link that automatically opens the browser and connects it to the attacker's remote VNC server.
These links are tailored so that they do not look like suspicious VNC login URLs, for example:
Example[.]com/index.html?id=VNCPASSWORD
Example[.]com/auth/login?name=password
Since the attacker's VNC server runs the browser in kiosk mode (full-screen, with no address bar or other browser controls), when the target user clicks the link they see only the login page of the target email service and log in normally. This means that every login attempt by the user actually takes place on the remote server.
Once the user logs in to the account, the attacker can use various tools to steal the account password and security token without the user's knowledge. The technique therefore bypasses MFA: the user completes the MFA step on the attacker's server, which also authorizes that device for future logins.
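As an added detection example (not part of the article or of Mr.d0x's research), the following Python script scans web-proxy log lines for URLs that carry noVNC connection parameters, point at the noVNC client page, or open the websockify WebSocket transport that the client uses. The log format and the sample log lines are constructed for this example; the parameter names are the ones noVNC's vnc.html reads from the query string.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query parameters that noVNC's vnc.html reads from the URL; a link that auto-connects
# the victim's browser to a VNC session usually carries several of them.
NOVNC_PARAMS = {"autoconnect", "password", "host", "port", "path", "encrypt", "view_only"}

# Constructed proxy-log format for this example: "<time> <client> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def novnc_indicators(url: str) -> list[str]:
    """Return the reasons a URL looks like a noVNC client page or its websockify transport."""
    reasons = []
    parsed = urlparse(url)
    path = parsed.path.lower()
    params = {k.lower() for k in parse_qs(parsed.query, keep_blank_values=True)}
    if path.endswith(("/vnc.html", "/vnc_lite.html")):
        reasons.append("noVNC client page")
    if "websockify" in path:
        reasons.append("websockify WebSocket endpoint")
    hits = sorted(params & NOVNC_PARAMS)
    if "password" in hits or "autoconnect" in hits or len(hits) >= 2:
        reasons.append("noVNC connection parameters in URL: " + ", ".join(hits))
    return reasons

def scan_proxy_log(lines):
    """Yield (client, url, reasons) for log lines whose URL carries noVNC indicators."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = novnc_indicators(m["url"])
        if reasons:
            yield m["client"], m["url"], reasons

# Constructed sample log (not from the article): a benign request, a direct noVNC link
# with the VNC password in the query string, the websockify upgrade that follows it,
# and a normal mail login that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 GET https://intranet.example.com/index.html 200
2024-05-01T09:00:12Z 10.0.0.7 GET https://login-portal.example.net/vnc.html?autoconnect=true&password=S3cret&host=login-portal.example.net&port=443 200
2024-05-01T09:00:13Z 10.0.0.7 GET https://login-portal.example.net/websockify 101
2024-05-01T09:01:40Z 10.0.0.9 GET https://mail.example.com/auth/login?name=alice 200
"""

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}\n    {'; '.join(reasons)}")
```

A "tailored" link such as the ones shown above may hide the parameters behind an innocuous landing page, so the websockify check on the follow-up WebSocket request is the more robust of the three signals.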
Conclusion
If such an attack targets only a small number of people, the attacker can simply have each victim log into their email account through the VNC session, which authorizes the attacker's device to log into that account in the future.
Since VNC allows multiple people to view the same session, an attacker could disconnect the targeted user after the login has completed and connect to the same session later to access the account and all of its emails.
Although this attack method has not yet been observed in the wild, Mr.d0x is concerned and believes that similar attacks are likely to occur in the future. Enterprises and users should therefore take countermeasures in advance, improve their vigilance, and avoid falling into the trap of email phishing attacks.
Mr.d0x said that no matter how the attack method of phishing emails changes, the most effective protection advice is the same: don’t click on the links in strange emails, don’t download files in strange emails, and be skeptical of all strange emails.