Even though cloud vendors like Google detect reverse-proxy and man-in-the-middle (MitM) attacks and halt the logon to thwart malicious actions, a new method gains access with little effort.
A security researcher who goes by the handle mr.dox documents a new, devious method that captures credentials and, more importantly, captures the user's session, bypassing MFA. The problem for most cybercriminals is that MFA stops attacks at logon: either they do not have the second authentication factor to go with a compromised credential, or services like LinkedIn and Google specifically look for unusual logon activity that appears to be a proxy-type connection. (We have covered such proxy attacks before with Microsoft 365: the credentials are passed to Microsoft as the user types them into a spoofed logon page and, if MFA is enabled, the user is prompted in the same manner, with any MFA data the user provides passed through to Microsoft to allow malicious access.)
But this new attack method devised by mr.dox uses the noVNC remote access software and a browser session running in kiosk mode to gain access. Here's how it works:
- The victim is sent a phishing email with a malicious link to review some seemingly important document.
- The link starts a noVNC session within the victim's browser and connects the victim to the logon page of the cloud-based service of choice, without the user realizing it.
- The user logs on as normal and, if MFA is configured, is prompted for the additional authentication factors, which they supply.
So, in essence, the technique has the victim perform a genuine logon inside a remote, cybercriminal-controlled browser session. Once the logon completes, the user is no longer needed: the session is already established post-authentication, and the cybercriminal can use it as they see fit.
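From the defender's side, the tell-tale sign of this technique is exactly what the paragraph above describes: the logon that satisfies MFA is performed by a browser running on the attacker's infrastructure, so the source IP and device the identity provider records are not the victim's. The following added example, which is not part of the original post, flags successful MFA-satisfied logons from an (IP, device) pair never seen before for that user; the sign-in records and field names are constructed sample data, and "device" stands in for whatever device identifier your identity provider logs.

```python
from collections import defaultdict

# Constructed sample data: past successful sign-ins used to learn each user's normal devices.
HISTORY = [
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop", "mfa": True, "ok": True},
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop", "mfa": True, "ok": True},
    {"user": "bob",   "ip": "203.0.113.22", "device": "bob-desktop",  "mfa": True, "ok": True},
    {"user": "bob",   "ip": "203.0.113.22", "device": "bob-desktop",  "mfa": True, "ok": True},
]

# Constructed sample data: today's sign-ins. The third record is what the noVNC kiosk
# technique looks like to the identity provider: a successful, MFA-satisfied logon, but the
# browser performing it runs on the attacker's host, so IP and device are not the user's.
NEW_SIGNINS = [
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop",         "mfa": True,  "ok": True},
    {"user": "bob",   "ip": "203.0.113.22", "device": "bob-desktop",          "mfa": False, "ok": False},
    {"user": "alice", "ip": "198.51.100.7", "device": "unregistered-browser", "mfa": True,  "ok": True},
]

def build_baseline(history, min_count=2):
    """Map each user to the (ip, device) pairs seen in at least min_count successful logons."""
    counts = defaultdict(lambda: defaultdict(int))
    for s in history:
        if s["ok"]:
            counts[s["user"]][(s["ip"], s["device"])] += 1
    return {u: {pair for pair, c in pairs.items() if c >= min_count} for u, pairs in counts.items()}

def flag_stolen_sessions(signins, baseline):
    """Return successful, MFA-satisfied logons whose (ip, device) pair is new for that user.

    Failed and single-factor logons are left to the usual MFA controls; the case described on
    this page is the one where MFA passed yet the session lives on a host the user never
    touched, so that is the only combination flagged here.
    """
    alerts = []
    for s in signins:
        if not (s["ok"] and s["mfa"]):
            continue
        if (s["ip"], s["device"]) not in baseline.get(s["user"], set()):
            alerts.append({"user": s["user"], "ip": s["ip"], "device": s["device"],
                           "action": "revoke session tokens and re-verify the user out of band"})
    return alerts

if __name__ == "__main__":
    for alert in flag_stolen_sessions(NEW_SIGNINS, build_baseline(HISTORY)):
        print(alert)
```

Run against the constructed data, only alice's logon from 198.51.100.7 on the unregistered browser is flagged; bob's failed single-factor attempt is ignored because it never produced a usable session.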
The ingenuity and deviousness of new attack methods like this one are exactly why organizations must enroll their employees in continual Security Awareness Training, so that they learn to spot the attack well before they click the link that installs malware or, as in the case above, presents a logon to a familiar cloud application.