A new phishing technique lets threat actors bypass multi-factor authentication (MFA) by discreetly having targets log into their account through a browser that runs on an attacker-operated server and is delivered to the victim via remote access software.
Based on reports, a researcher performing a penetration test for an organisation accidentally came across a phishing campaign against the client's employees that harvested account credentials using remote access software called noVNC. A browser running in kiosk mode on the attacker's server displayed an email login prompt, which was rendered inside the victim's own browser.
In addition, threat actors have used the Evilginx2 phishing framework, which acts as a reverse proxy to exfiltrate MFA codes and credentials. It can also bypass MFA because the target user enters the one-time password on the threat actor's server.
The phishing attack uses VNC, which allows remote threat actors to connect to and control a logged-in user's computer. noVNC, in turn, lets a user connect to a VNC server from within a browser simply by clicking a link.
These campaigns aim to get users to click a crafted link that makes them believe they are using their own browser, when they are actually interacting with a browser running on the remote access software.
To start the campaign, the threat actors set up a server with noVNC, run a browser in kiosk mode, and navigate it to the legitimate website they want the user to authenticate to.
The threat actors then deliver a link to the target user via a spear-phishing email. Opening the link connects the target's browser to the attacker's remote machine, which is already logged in to noVNC, without the victim being aware of it.
Moreover, the links are highly customisable and do not look like a VNC login URL, since the victims only see a generic login screen. Once users log into their accounts, the threat actors can use various tools to exfiltrate security tokens or credentials.
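A defender can triage links from mail or web-proxy logs for the tell-tale shape of a noVNC launcher, even when the link text itself looks like an ordinary login page. The following is an added example, not code from the original article or from the researchers; the client page names and connect parameters are assumed from a stock noVNC checkout, and the log lines and the internal allowlist are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Client pages shipped with a stock noVNC install (assumption: not renamed by the operator).
NOVNC_PAGES = {"vnc.html", "vnc_lite.html"}
# Query parameters the noVNC client reads to connect automatically (assumption: stock noVNC).
NOVNC_PARAMS = {"autoconnect", "host", "port", "path", "password", "encrypt", "view_only", "resize"}
# Constructed allowlist: internal hosts where a noVNC page is expected (e.g. a jump host).
KNOWN_VNC_HOSTS = {"jump.example.test"}


def score_url(url: str) -> tuple[int, list[str]]:
    """Heuristically score how much a URL resembles a noVNC auto-connect link."""
    reasons = []
    p = urlparse(url)
    if p.path.rsplit("/", 1)[-1].lower() in NOVNC_PAGES:
        reasons.append("path ends in a noVNC client page")
    params = {k.lower() for k in parse_qs(p.query, keep_blank_values=True)}
    hits = sorted(params & NOVNC_PARAMS)
    if hits:
        reasons.append("noVNC connect parameters: " + ",".join(hits))
    if "autoconnect" in params:
        reasons.append("autoconnect set: session starts with no user action")
    return len(reasons), reasons


def triage(log_lines: list[str], threshold: int = 2) -> list[tuple[str, str, list[str]]]:
    """Return (user, url, reasons) for log entries at or above the threshold.

    Log format (constructed): '<timestamp> <user> <url>'.
    """
    flagged = []
    for line in log_lines:
        _ts, user, url = line.split(" ", 2)
        if urlparse(url).hostname in KNOWN_VNC_HOSTS:
            continue  # expected internal noVNC use, not a phishing lure
        score, reasons = score_url(url)
        if score >= threshold:
            flagged.append((user, url, reasons))
    return flagged


# Constructed proxy log: one lure, one genuine webmail login, one sanctioned jump host.
SAMPLE_LOG = [
    "2022-03-01T09:12:04Z alice https://accounts-login.example.test/vnc.html?autoconnect=true&password=p&resize=remote",
    "2022-03-01T09:12:05Z bob https://mail.example.test/owa/auth/logon.aspx?replaceCurrent=1",
    "2022-03-01T09:13:10Z carol https://jump.example.test/vnc.html?autoconnect=true",
]

if __name__ == "__main__":
    for user, url, reasons in triage(SAMPLE_LOG):
        print(user, url, "; ".join(reasons))
```

The score is a heuristic, so keep the allowlist current and raise the threshold if internal tooling exposes noVNC pages with connect parameters.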
This phishing strategy has not yet been seen in a real-world attack. However, the researchers stated that malicious threat actors could soon adopt it. Experts advise never clicking on URLs from unsolicited senders.