A PoisonSeed phishing marketing campaign is bypassing FIDO2 safety key protections by abusing the cross-device sign-in function in WebAuthn to trick customers into approving login authentication requests from pretend firm portals.
The PoisonSeed risk actors are identified to make use of large-volume phishing assaults for monetary fraud. Up to now, distributing emails containing crypto seed phrases used to empty cryptocurrency wallets.
Within the latest phishing assault noticed by Expel, the PoisonSeed risk actors don’t exploit a flaw in FIDO2’s safety however relatively abuse the professional cross-device authentication function.
Cross-device authentication is a WebAuthn function that enables customers to check in on one gadget utilizing a safety key or authentication app on one other gadget. As a substitute of requiring a bodily connection, akin to plugging in a safety key, the authentication request is transmitted between gadgets through Bluetooth or a QR code scan.
The assault begins by directing customers to a phishing web site that impersonates company login portals, akin to from Okta or Microsoft 365.
When the consumer enters their credentials into the portal, the marketing campaign makes use of an adversary-in-the-middle (AiTM) backend to silently log in with the submitted credentials on the professional login portal in real-time.
The consumer focused within the assault usually would use their FIDO2 safety keys to confirm multi-factor authentication requests. Nonetheless, the phishing backend as an alternative tells the professional login portal to authenticate utilizing cross-device authentication.
This causes the professional portal to generate a QR code, which is transmitted again to the phishing web page and exhibited to the consumer.
When the consumer scans this QR code utilizing their smartphone or authentication app, it approves the login try initiated by the attacker.
Supply: Expel
This methodology successfully bypasses FIDO2 safety key protections by permitting attackers to provoke a login circulate that depends on cross-device authentication as an alternative of the consumer’s bodily FIDO2 key.
Expel warns that this assault doesn’t exploit a flaw within the FIDO2 implementation, however as an alternative abuses a professional function that downgrades the FIDO key authentication course of.
To mitigate the chance, Expel recommends the next defenses:
- Limiting geographic areas from which customers are allowed to log in and establishing a registration course of for people touring.
- Routinely examine for the registration of unknown FIDO keys from unknown areas and unusual safety key manufacturers.
- Organizations can take into account implementing Bluetooth-based authentication as a requirement for cross-device authentication, which considerably reduces the effectiveness of distant phishing assaults.
Expel additionally noticed a separate incident the place a risk actor registered their very own FIDO key after compromising an account through what’s believed to be phishing and resetting the password. Nonetheless, this assault didn’t require any strategies to trick the consumer, like a QR code.
This assault highlights how risk actors are discovering methods to bypass phishing-resistant authentication by tricking customers into finishing login flows that bypass the necessity for bodily interplay with a safety key.
Include rising threats in actual time – earlier than they influence your corporation.
Find out how cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
