Novel phishing method deceives users with ubiquitous IT support tool


Connor Jones

22 Feb, 2022

A cyber security researcher has documented a novel phishing technique that involves cyber criminals harnessing virtual network computing (VNC) technology on a private server to launch a variety of attacks.

Using the open source noVNC client, the phishing technique allows successful attackers to launch malicious code into a victim’s browser, plant a keylogger, and passively observe all user activity.

The researcher, who goes by the name mr.d0x. claims the method of attack bypasses two-factor authentication (2FA), including Google’s 2FA protocol used for the likes of Gmail and Google accounts, and facilitates the stealing of credentials. 

The phishing method effectively acts as a VNC client for the attacker to remotely monitor and access a user’s environment, creating a man-in-the-middle (MITM) attack.

The technology is common in modern businesses, with employees being familiar with IT support teams accessing their computers remotely to resolve technical issues. 

The initial deception is achieved in a typical phishing format – a strategically crafted email provides a link the user needs to click on. Once clicked, the user is taken to a direct server run by the attacker, rather than a malicious web page.

The attack can be launched against individuals using any browser, theoretically including ones on mobile devices, though the researcher said they had difficulty in executing the attack on smartphones

There are some shortcomings with the method, the researcher said, including the issue whereby the attacker has to provide control of their machine to the victim in order for the attack to work.

It’s also possible that given the nature of VNC software, there may be some noticeable input lag for the victim, offering an indication that the website is not legitimate.

This is currently a proof of concept style of phishing attack with no known actively exploited cases in the wild, though remote access to businesses is reportedly on the rise in a string of burgeoning dark web operations.

“Browsers are more powerful than ever and the usage of browsers as clients for remote access provides new ways for attackers to steal credentials, bypass 2FA, and more,” said the researcher. “I strongly believe that what I’ve demonstrated in this article is only a small portion of what this technique can be used for.”

noVNC attack breakdown

The attacker first needs to deploy a Linux machine via a cloud service provider; any provider or Linux distro is fine. Firefox is good for this, the researcher said, but any browser with a kiosk mode will also work.Once the Linux instance is up and running, the attacker then needs to install VNC software such as TightVNC or TigerVNC before running some custom commands to ensure the environment is correctly configured for the attack. The noVNC javascript library and application can then be downloaded from GitHub and installed too.

A web browser needs to be running in the deployment and displaying the authentication page from which the attacker wants to steal credentials, such as Google’s login page. The attacker can use any browser, Firefox is good here, but it must be running in kiosk mode. 

This technique is effective in spear phishing campaigns but will encounter issues if sent to multiple targets since they will be sharing the same VNC session. 

However, the technique can be modified and automated so different users access different VNC sessions by assigning users to different ports.