- A phishing campaign spotted trying to work around FIDO keys
- The “cross-device sign in” feature triggers a QR code
- Crooks can relay the QR code to bypass MFA and log in
Hackers have found a way to steal login credentials even for accounts protected with Fast IDentity Online (FIDO) physical keys. It revolves around a fallback created in these multi-factor authentication (MFA) solutions, and only works in certain scenarios.
FIDO keys are small physical, or software authenticators, that use cryptographic technology to securely log users into websites and apps. They serve as a multi-factor authenticator, preventing cybercriminals who have already obtained login credentials from accessing the targeted accounts.
To use the authenticator, most of the time users need to physically interact with the device. In some scenarios, however, there is a replacement mechanism – scanning a QR code. Criminals have started using this fallback in so-called adversary-in-the-middle (AitM) attacks.
Phishing for QR codes
Observed by security researchers Expel, the attacks start with the usual phishing email.
It leads victims to a landing page that mimics the look and feel of the company’s normal authentication process, including an Okta logo and sign-in fields for username and password.
Normally, after entering the login credentials, the user would need to physically interact with the FIDO key. In this case, however, the user is presented with a QR code instead.
This is because in the background, the attackers used the login credentials, and requested “cross-device sign-in”, which triggered the QR code fallback. If the victim scans the QR code, the login portal and the MFA authenticator communicate, and the attackers successfully log in.
The best way to defend against this attack is to enable Bluetooth proximity checks on FIDO, so that QR codes only work in the phone scanning them is physically near the user’s computer.
Alternatively, companies should educate their employees on how to spot suspicious login pages and unexpected QR codes, since this malicious landing page could easily be spotted by looking at the URL and the domain.
Finally, IT teams should audit authentication logs for strange QR-based logins, or new FIDO registrations, which can serve as an indicator of compromise.
Via The Hacker News
