Novel phishing method deceives users with ubiquitous IT support tool

Mockup of a hook fishing an email icon out of the ocean
(Image credit: Getty Images)

A cyber security researcher has documented a novel phishing technique that involves cyber criminals harnessing virtual network computing (VNC) technology on a private server to launch a variety of attacks.

Using the open source noVNC client, the phishing technique allows successful attackers to launch malicious code into a victim’s browser, plant a keylogger, and passively observe all user activity.

The researcher, who goes by the name mr.d0x. claims the method of attack bypasses two-factor authentication (2FA), including Google’s 2FA protocol used for the likes of Gmail and Google accounts, and facilitates the stealing of credentials.

The phishing method effectively acts as a VNC client for the attacker to remotely monitor and access a user’s environment, creating a man-in-the-middle (MITM) attack.

The technology is common in modern businesses, with employees being familiar with IT support teams accessing their computers remotely to resolve technical issues.

The initial deception is achieved in a typical phishing format - a strategically crafted email provides a link the user needs to click on. Once clicked, the user is taken to a direct server run by the attacker, rather than a malicious web page.

The attack can be launched against individuals using any browser, theoretically including ones on mobile devices, though the researcher said they had difficulty in executing the attack on smartphones.

There are some shortcomings with the method, the researcher said, including the issue whereby the attacker has to provide control of their machine to the victim in order for the attack to work.

It’s also possible that given the nature of VNC software, there may be some noticeable input lag for the victim, offering an indication that the website is not legitimate.

This is currently a proof of concept style of phishing attack with no known actively exploited cases in the wild, though remote access to businesses is reportedly on the rise in a string of burgeoning dark web operations.

“Browsers are more powerful than ever and the usage of browsers as clients for remote access provides new ways for attackers to steal credentials, bypass 2FA, and more,” said the researcher. “I strongly believe that what I’ve demonstrated in this article is only a small portion of what this technique can be used for.”

noVNC attack breakdown

The attacker first needs to deploy a Linux machine via a cloud service provider; any provider or Linux distro is fine. Firefox is good for this, the researcher said, but any browser with a kiosk mode will also work.


The best defence against ransomware

How ransomware is evolving and how to defend against it


Once the Linux instance is up and running, the attacker then needs to install VNC software such as TightVNC or TigerVNC before running some custom commands to ensure the environment is correctly configured for the attack. The noVNC javascript library and application can then be downloaded from GitHub and installed too.

A web browser needs to be running in the deployment and displaying the authentication page from which the attacker wants to steal credentials, such as Google’s login page. The attacker can use any browser, Firefox is good here, but it must be running in kiosk mode.

This technique is effective in spear phishing campaigns but will encounter issues if sent to multiple targets since they will be sharing the same VNC session.

However, the technique can be modified and automated so different users access different VNC sessions by assigning users to different ports.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.