A managed detection and response (MDR) provider has reported a phishing campaign that bypasses FIDO key authentication without breaking the keys themselves. The tactic abuses cross-device sign-in, a convenience feature, and raises questions about how such sign-ins should be constrained.
Understanding the Phishing Attack
The attack, reported by Expel, exploits no vulnerability in FIDO keys. Instead, it leverages the cross-device sign-in functionality designed for user convenience: a user can log in on a device that lacks a passkey by using a secondary device that does have one.
The Mechanics of the Attack
The phishing campaign began with an email sent to employees of an Expel customer, directing them to a counterfeit login page. On this page, users were tricked into entering their username and password. They were then presented with a QR code.
Behind the scenes, the phishing site relayed the stolen credentials to the organization's legitimate login portal. Along with the credentials, it requested the cross-device sign-in flow associated with FIDO keys. The legitimate portal generated a QR code, which the phishing site captured and displayed to the unsuspecting user.
When the user scanned the QR code with the multi-factor authentication (MFA) authenticator on their phone, the authenticator completed the sign-in for the session the attacker had opened on the portal, granting the attackers access. This circumvented the phishing protection that FIDO keys normally provide. Expel attributed the attack to the PoisonSeed crypto phishing group and noted it as part of a worrying trend in which threat actors work around FIDO keys.
Recent Trends in FIDO Key Exploitation
This incident isn't isolated; Expel reported additional attempts by threat actors to subvert FIDO key protection. In another case, starting from a phishing email, an attacker managed to reset a user's password and then enrolled their own FIDO key in the victim's account.
Enhancing Security for FIDO Keys
Despite these attacks, FIDO keys remain a valuable tool for securing online accounts. However, the rise in attempts to work around them underscores the need for security teams to be vigilant and proactive. A handful of controls can significantly strengthen the protection FIDO keys provide.
Proactive Security Measures
One effective measure is to restrict the geographic locations from which users can log in, paired with a registration process for users travelling to other regions. Such practices help establish baseline patterns and make abnormal activity stand out.
In addition, monitoring for the registration of unrecognized keys, alerting on an unusual number of keys registered by a single user, and watching for rapid registrations can all signal potentially malicious activity.
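The detection rules described above (geographic policy with travel registration, unrecognized key models, too many keys per user in a short window) and the password-reset-then-enroll pattern from the second Expel case, as an added example that is not Expel's tooling or any vendor's product. The events, field names (`event`, `user`, `geo`, `key_id`, `model`, `ts`) and thresholds are all constructed assumptions; a real deployment would read the identity provider's audit log and tune the windows to its own baseline.

```python
"""Detection rules over constructed FIDO/passkey audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption, not a vendor format.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:00:00", "event": "password_reset", "user": "alice", "geo": "US"},
    {"ts": "2025-07-01T09:03:00", "event": "key_registered", "user": "alice", "geo": "US",
     "key_id": "k-alice-2", "model": "unlisted-authenticator"},
    {"ts": "2025-07-01T10:00:00", "event": "login", "user": "bob", "geo": "US"},
    {"ts": "2025-07-01T10:05:00", "event": "login", "user": "bob", "geo": "RO"},
    {"ts": "2025-07-01T11:00:00", "event": "key_registered", "user": "carol", "geo": "US",
     "key_id": "k-carol-1", "model": "approved-key-a"},
    {"ts": "2025-07-01T11:01:00", "event": "key_registered", "user": "carol", "geo": "US",
     "key_id": "k-carol-2", "model": "approved-key-a"},
    {"ts": "2025-07-01T11:02:00", "event": "key_registered", "user": "carol", "geo": "US",
     "key_id": "k-carol-3", "model": "approved-key-a"},
    {"ts": "2025-07-02T08:00:00", "event": "key_registered", "user": "dave", "geo": "US",
     "key_id": "k-dave-1", "model": "approved-key-b"},
]

# Policy knobs (assumed values for the example).
ALLOWED_GEOS = {"US", "CA"}                 # where logins are normally permitted
REGISTERED_TRAVEL = {"dave": {"GB"}}        # user -> geos pre-registered as travel
APPROVED_MODELS = {"approved-key-a", "approved-key-b"}
MAX_KEYS_PER_WINDOW = 2                     # more than this in RAPID_WINDOW is suspicious
RAPID_WINDOW = timedelta(hours=1)
RESET_TO_ENROLL_WINDOW = timedelta(minutes=30)


def parse(events):
    """Convert timestamps and return events sorted by time."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def geo_alerts(events):
    """Login or key registration from a geography outside policy and not
    pre-registered as travel for that user."""
    alerts = []
    for e in events:
        if e["event"] in ("login", "key_registered"):
            allowed = ALLOWED_GEOS | REGISTERED_TRAVEL.get(e["user"], set())
            if e["geo"] not in allowed:
                alerts.append(("geo_out_of_policy", e["user"], e["geo"]))
    return alerts


def unrecognized_key_alerts(events):
    """Registration of an authenticator model not on the approved list."""
    return [("unrecognized_key_model", e["user"], e["key_id"])
            for e in events
            if e["event"] == "key_registered" and e["model"] not in APPROVED_MODELS]


def rapid_registration_alerts(events):
    """More than MAX_KEYS_PER_WINDOW keys registered by one user inside RAPID_WINDOW
    (sliding window over that user's sorted registration times)."""
    alerts = []
    regs = defaultdict(list)
    for e in events:
        if e["event"] == "key_registered":
            regs[e["user"]].append(e["ts"])
    for user, times in regs.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RAPID_WINDOW:
                start += 1
            if end - start + 1 > MAX_KEYS_PER_WINDOW:
                alerts.append(("rapid_registration", user, end - start + 1))
                break
    return alerts


def reset_then_enroll_alerts(events):
    """A new key enrolled within RESET_TO_ENROLL_WINDOW of a password reset."""
    alerts = []
    last_reset = {}
    for e in events:
        if e["event"] == "password_reset":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "key_registered":
            t = last_reset.get(e["user"])
            if t is not None and e["ts"] - t <= RESET_TO_ENROLL_WINDOW:
                alerts.append(("enroll_after_reset", e["user"], e["key_id"]))
    return alerts


def run_rules(raw_events):
    """Apply every rule and return the combined list of (rule, user, detail) alerts."""
    ev = parse(raw_events)
    return (geo_alerts(ev) + unrecognized_key_alerts(ev)
            + rapid_registration_alerts(ev) + reset_then_enroll_alerts(ev))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data this flags bob's login from an unlisted country, alice's unlisted authenticator model enrolled three minutes after her password reset, and carol's three keys registered inside one hour; dave's single approved key produces nothing. The reset-then-enroll rule is the one that would have surfaced the second Expel case, and the geography rule is what the travel-registration process feeds.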
Innovative Solutions for Cross-Device Sign-In
Another recommended enhancement for cross-device sign-in is to require Bluetooth communication between the two devices. A mobile device running the MFA authenticator would then have to be in physical proximity to the unregistered device attempting to sign in to the portal, so the user would need to be present at the system being accessed when scanning the QR code. Because the attacker's browser is nowhere near the victim's phone, this requirement sharply reduces the chance that this kind of phishing succeeds.
In summary, while FIDO keys remain a robust form of account security, the evolving tactics of attackers call for ongoing vigilance and for security measures that close the gaps around the keys rather than in them.