A cyber security researcher has documented a novel phishing method in which cyber criminals use virtual network computing (VNC) technology on a personal server to launch a wide range of attacks.
Using the open source noVNC client, the phishing method allows successful attackers to launch malicious code in a victim’s browser, plant a keylogger, and passively observe all user activity.

The researcher, who goes by the name mr.d0x, claims the method of attack bypasses two-factor authentication (2FA), including Google’s 2FA protocol used for the likes of Gmail and Google accounts, and facilitates the theft of credentials.
The phishing technique effectively acts as a VNC client for the attacker to remotely monitor and access a user’s environment, creating a man-in-the-middle (MITM) attack.
The technology is common in modern businesses, with staff being familiar with IT support teams accessing their computers remotely to fix technical issues.
The initial deception is achieved in a typical phishing format: a strategically crafted email presents a link the user needs to click on. Once clicked, the user is taken directly to a server run by the attacker, rather than a malicious web page.
The attack can be launched against users of any browser, theoretically including ones on mobile devices, though the researcher said they had difficulties executing the attack on smartphones.
There are some drawbacks to the method, the researcher said, such as the fact that the attacker has to give control of their machine to the victim in order for the attack to work.
It’s also possible that, given the nature of VNC software, there may be some noticeable input lag for the victim, providing an indicator that the website is not genuine.
This is currently a proof-of-concept type of phishing attack with no known actively exploited cases in the wild, although remote access to businesses is reportedly on the rise in a string of burgeoning dark web operations.
“Browsers are much more potent than ever and the use of browsers as clients for remote access provides new means for attackers to steal credentials, bypass 2FA, and more,” said the researcher. “I strongly believe that what I’ve demonstrated in this write-up is only a small part of what this approach can be used for.”
noVNC attack breakdown
The attacker first needs to deploy a Linux machine via a cloud service provider; any provider or Linux distro is fine. Firefox is good for this, the researcher said, but any browser with a kiosk mode will also work.
Once the Linux instance is up and running, the attacker then needs to install VNC software such as TightVNC or TigerVNC before running some custom commands to ensure the environment is properly configured for the attack. The noVNC JavaScript library and application can then be downloaded from GitHub and installed too.
A web browser needs to be running in the deployment and displaying the authentication page from which the attacker wants to steal credentials, such as Google’s login page. The attacker can use any browser (Firefox is good here), but it should be running in kiosk mode.
This method is effective in spear phishing campaigns but will run into problems if sent to multiple targets because they will be sharing the same VNC session.
However, the method can be modified and automated so different users access different VNC sessions by assigning users to different ports.
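For defenders, a victim's browser in the setup described above loads a noVNC client page from an external server, possibly on an unusual port. The following Python example flags such requests in web proxy logs; it is an added example, not code from the researcher or the source article, and it assumes the server keeps noVNC's default names (`vnc.html`, `vnc_lite.html`, the `websockify` socket path, the `autoconnect` parameter). The log format, hostnames and internal domain are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Default names shipped with the open source noVNC client. Assumption: the
# deployment kept them; a clean result does not prove a link is safe.
NOVNC_PAGES = ("vnc.html", "vnc_lite.html")
NOVNC_WS_PATH = "websockify"
INTERNAL_SUFFIXES = (".corp.example",)  # hypothetical internal domain

# Constructed proxy log lines: "<timestamp> <user> <method> <url>"
SAMPLE_LOG = """\
2022-02-24T09:01:12Z alice GET https://mail.google.com/mail/u/0/
2022-02-24T09:03:40Z bob GET https://login-portal.example.net:6081/vnc.html?autoconnect=true&resize=remote
2022-02-24T09:03:41Z bob GET wss://login-portal.example.net:6081/websockify
2022-02-24T09:05:02Z carol GET https://helpdesk.corp.example/vnc.html?autoconnect=true
2022-02-24T09:07:30Z dave GET https://cdn.example.org/static/vnc.html.bak
"""

def score_url(url):
    """Return the reasons a URL looks like an external browser-based VNC session."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.endswith(INTERNAL_SUFFIXES):
        return []  # sanctioned internal remote-access portal
    reasons = []
    leaf = parts.path.rsplit("/", 1)[-1]
    if leaf in NOVNC_PAGES:
        reasons.append("novnc-page")
    if parts.scheme in ("ws", "wss") and leaf == NOVNC_WS_PATH:
        reasons.append("websockify-socket")
    if parse_qs(parts.query).get("autoconnect", [""])[0].lower() in ("true", "1"):
        reasons.append("autoconnect")
    # Per-target sessions on separate ports show up as non-standard ports.
    if reasons and parts.port not in (None, 80, 443):
        reasons.append("nonstandard-port")
    return reasons

def scan(log_text):
    """Return (user, host, reasons) for every log line that scores a hit."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, user, _method, url = fields
        reasons = score_url(url)
        if reasons:
            findings.append((user, urlsplit(url).hostname, reasons))
    return findings
```

A hit is a lead for triage, not a verdict: legitimate external remote-support tools built on noVNC will match as well.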
Some parts of this article are sourced from:
www.itpro.co.uk