Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.
The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims’ digital wallets.
“The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” researchers Ben Nahorney and Brandon Overstreet said. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”

Cross-device sign-in lets a user sign in on a device that holds no passkey by using a second device that does, typically a mobile phone. In FIDO terms this is the hybrid transport: the device being signed into displays a QR code, the phone scans it, and the phone then acts as the authenticator for that sign-in.
The attack chain documented by Expel begins with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise's Okta portal. Once the victims enter their credentials, the bogus site silently relays the username and password to the real login page.
The phishing infrastructure, now holding a valid password for the real portal, selects cross-device sign-in (the hybrid transport) there. The real portal responds with a QR code, which the phishing site captures and displays to the victim as if it were part of the normal login.

If the user scans that QR code with the phone holding the passkey, the phone completes the authentication ceremony for the attacker's session, and the attackers gain access to the victim's account.
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in,” Expel said.
“The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.”
What makes the attack noteworthy is that it defeats the protection FIDO keys are meant to provide without exploiting any flaw in the FIDO implementation. It abuses a legitimate feature, cross-device sign-in, to downgrade the authentication flow to one the attacker can relay.
FIDO authenticators resist phishing because the browser that runs the ceremony binds the signed assertion to the origin of the page it is on, and the relying party rejects an assertion for any other origin. In the relayed flow the browser that runs the ceremony is the attacker's, sitting on the genuine portal, so every origin check passes; the victim's phone sees only the legitimate relying party ID and has no way to tell that the device that started the sign-in is not the one in front of the user. The FIDO hybrid transport also carries a Bluetooth Low Energy proximity check between the phone and the initiating device; the Expel write-up quoted here does not say how the observed flow handled that check.
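The following script models why a direct phishing page fails against a passkey while the relayed cross-device flow succeeds. It is an added illustration, not Expel's analysis code or any vendor's implementation: the relying party ID, both origins, the QR payload shape and the HMAC stand-in for the passkey's asymmetric signature are assumptions so that it runs with the standard library only, while the WebAuthn checks it models (the browser refuses an rpId that does not match the page's host, the relying party verifies origin, challenge and rpIdHash) are the real ones.

```python
"""Toy model of the cross-device (hybrid) sign-in relay. Added example;
every name and origin below is a placeholder, and HMAC stands in for the
passkey's private-key signature."""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.okta.com"                     # assumed relying party ID
RP_ORIGIN = "https://example.okta.com"         # the real portal's origin
PHISH_ORIGIN = "https://example-okta.invalid"  # constructed phishing origin


class Passkey:
    """Passkey on the victim's phone. The authenticator only ever sees rp_id;
    it never sees which device started the ceremony or on what page."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.secret = secrets.token_bytes(32)  # stands in for the private key

    def get_assertion(self, rp_id, client_data_json, initiator_nearby=True,
                      require_proximity=False):
        if rp_id != self.rp_id:
            raise PermissionError("no credential for this rp_id")
        # Hybrid transport carries a BLE proximity check between the phone and
        # the initiating device; the flag models whether it is enforced.
        if require_proximity and not initiator_nearby:
            raise PermissionError("initiating device is not within BLE range")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(self.secret, signed, "sha256").digest()}


class RelyingParty:
    """The real login portal: registered keys plus open login sessions."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}      # username -> Passkey (toy: RP holds the HMAC secret)
        self.sessions = {}  # session id -> (username, challenge bytes)

    def start_login(self, username):
        session = secrets.token_hex(8)
        self.sessions[session] = (username, secrets.token_bytes(32))
        return session

    def finish_login(self, session, assertion):
        username, challenge = self.sessions.pop(session)
        cd = json.loads(assertion["clientDataJSON"])
        if cd["origin"] != self.origin or bytes.fromhex(cd["challenge"]) != challenge:
            return False
        if assertion["authData"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = assertion["authData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.keys[username].secret, signed, "sha256").digest()
        return hmac.compare_digest(expected, assertion["signature"])


def webauthn_get(page_origin, rp_id, challenge_hex, authenticator, **hybrid):
    """Browser side of navigator.credentials.get(): rejects an rp_id that is
    not the page's host or a parent domain of it, then stamps the page's own
    origin into clientDataJSON before handing off to the authenticator."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{rp_id} is not a valid rpId for {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge_hex,
                              "origin": page_origin}).encode()
    return authenticator.get_assertion(rp_id, client_data, **hybrid)


def setup():
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    rp.keys["victim"] = Passkey(RP_ID)
    return rp


def direct_phish(rp):
    """Victim's own browser is on the phishing page: the browser refuses to run
    a ceremony for the real rp_id from that origin, so origin binding holds."""
    session = rp.start_login("victim")
    try:
        webauthn_get(PHISH_ORIGIN, rp.rp_id, rp.sessions[session][1].hex(), rp.keys["victim"])
    except PermissionError:
        return False
    return True


def cross_device_relay(rp, enforce_proximity=False):
    """Attacker's browser sits on the real origin with the phished password and
    picks cross-device sign-in. The QR payload (simplified to session plus
    challenge) is relayed to the victim, whose phone signs for the real rp_id.
    Every WebAuthn check passes; only the hybrid proximity check can stop it."""
    session = rp.start_login("victim")
    qr_payload = {"session": session, "challenge": rp.sessions[session][1].hex()}
    try:  # victim scans the relayed QR; the phone is nowhere near the attacker's laptop
        assertion = webauthn_get(RP_ORIGIN, rp.rp_id, qr_payload["challenge"], rp.keys["victim"],
                                 initiator_nearby=False, require_proximity=enforce_proximity)
    except PermissionError:
        return False
    return rp.finish_login(qr_payload["session"], assertion)


if __name__ == "__main__":
    rp = setup()
    print("direct phish succeeds:", direct_phish(rp))                 # False
    print("relay, no proximity check:", cross_device_relay(rp))       # True
    print("relay, proximity enforced:", cross_device_relay(rp, True))  # False
```

The model deliberately leaves the real QR contents and the tunnel setup out; the point it makes is that the phone checks the relying party ID, not who is holding the laptop, so the only control that sees the attacker's distance is the proximity check in the hybrid handshake.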

Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user’s password.
If anything, the findings underscore the need to use phishing-resistant authentication at every step of the account lifecycle, recovery included: a single phishable step, such as a password reset, lets an attacker enroll an authenticator of their own and undermine the rest of the identity infrastructure.
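One way to hunt for the second incident Expel describes, a password reset followed by the enrollment of a new FIDO authenticator, is to correlate those two events and compare the enrolling IP address against the user's established history. The script below is an added example, not Expel's detection logic; the sample records are constructed in the shape of Okta System Log entries (fields trimmed; `user.account.reset_password`, `user.mfa.factor.activate` and `user.session.start` are real Okta event types, the IP addresses and users are invented) and the window and baseline-gap thresholds are assumptions to tune.

```python
"""Flag MFA factor enrollments that follow a password reset or come from an
IP address the user has never used before. Added example; SAMPLE_EVENTS is
constructed test data, not data from the Expel report."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed, Okta System Log shape with most fields trimmed
    {"published": "2025-07-01T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2025-07-03T08:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    {"published": "2025-07-01T10:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.30"}},
    # attacker logs in with alice's phished password, resets it, enrolls a key
    {"published": "2025-07-18T13:55:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    {"published": "2025-07-18T14:02:00Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    {"published": "2025-07-18T14:09:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    # bob resets his own password and enrolls from his usual address
    {"published": "2025-07-18T16:00:00Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    {"published": "2025-07-18T16:03:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    # carol simply adds a key from her usual address, no reset
    {"published": "2025-07-18T17:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.30"}},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=timedelta(hours=24),
                                baseline_gap=timedelta(days=7)):
    """Return {user: set(reasons)} for every factor activation that either
    follows a password reset within `window` ("reset_then_enroll") or comes
    from an IP with no session older than `baseline_gap` ("new_ip").

    Sessions inside the gap are excluded from the baseline on purpose: an
    attacker who has just logged in with phished credentials would otherwise
    launder their own IP into the user's history before enrolling."""
    findings = {}
    sessions = {}    # user -> [(timestamp, ip)] from user.session.start
    last_reset = {}  # user -> timestamp of the most recent password reset
    for e in sorted(events, key=lambda ev: ev["published"]):
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        when = _ts(e["published"])
        kind = e["eventType"]
        if kind == "user.session.start":
            sessions.setdefault(user, []).append((when, ip))
        elif kind == "user.account.reset_password":
            last_reset[user] = when
        elif kind == "user.mfa.factor.activate":
            reasons = set()
            if user in last_reset and when - last_reset[user] <= window:
                reasons.add("reset_then_enroll")
            baseline = {sip for (st, sip) in sessions.get(user, [])
                        if when - st > baseline_gap}
            if ip not in baseline:
                reasons.add("new_ip")
            if reasons:
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_enrollments(SAMPLE_EVENTS).items():
        print(user, sorted(reasons))
```

A hit on both reasons together is the pattern to page on; "reset_then_enroll" alone is common during legitimate onboarding and recovery, and "new_ip" alone is noisy for travelling users, so in practice each reason is better treated as a score contribution than as an alert by itself.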
“AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts,” the researchers added.
Some parts of this article are sourced from:
thehackernews.com