New Phishing Method Uses VNC to Bypass MFA Measures and Gives Cybercriminals Needed Access



Phishing Bypassing MFA HacksDespite cloud vendors like Google detecting reverse proxies or man-in-the-middle (MiTM) attacks and halting logons to thwart malicious actions, a new method easily gains access.

A security researcher who goes by the handle mr.dox documents a new devious method to capture credentials and – more importantly – captures a user session bypassing MFA! The issue for most cybercriminals is that MFA stops attacks at logon. Whether it’s simply not having the second authentication factor to go with a compromised credential, or services like LinkedIn or Google who specifically look for any kind of unusual logon activity that appears to be a proxy-type connection (we’ve covered these before with Microsoft 365, where the credentials are passed to Microsoft as the user types them into a spoofed logon page and, if MFA is enabled, prompts the user in the same manner, passing any provided MFA data through to Microsoft to allow malicious access).

But this new attack method devised by mr.dox uses NoVNC remote access software and a browser session running in kiosk mode to gain access. Here’s how it works:

  • The victim is sent a phishing email with a malicious link to review some seemingly important document.
  • The link starts a NoVNC session within the browser and connects the victim to the logon page of the cloud-based service of choice – without the user realizing it
  • The user logs on as normal and – if MFA is configured – requires the user to provide the additional authentication factors

So, in essence, the attack technique has the victim perform an actual logon in a remote cybercriminal-controlled session. Once logged on, the user would no longer be needed and the session is established post-authentication for the cybercriminal to use as they see fit.

The ingenuity and deviousness of these kinds of new attack methods are exactly the reason why organizations must have their employees enrolled in continual Security Awareness Training that will teach them to spot the attack well before they click the link that installs the malware or – in the case above – presents a logon to a familiar cloud application.


Request A Demo: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Request a Demo!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/kmsat-security-awareness-training-demo

Topics: Phishing



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews