A new attack technique lets threat actors circumvent Fast IDentity Online (FIDO) key protections by deceiving the user. The group behind it, tracked as PoisonSeed, is sending phishing emails that lead to fraudulent login pages mimicking legitimate enterprise portals. By abusing the cross-device sign-in feature associated with FIDO keys, the attackers relay the stolen credentials to the real login page and trigger the generation of a legitimate QR code for authentication. A user who scans that QR code unknowingly grants the attackers access to their account, compromising their digital assets.
The attack takes advantage of the cross-device sign-in feature available with FIDO keys. Cross-device sign-in is a legitimate feature; in this case, however, the bad actors are using it as part of an adversary-in-the-middle (AitM) attack.
The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes that page to serve a QR code that is then relayed back to the phishing site.
Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim's account.
In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in.
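In the flow described above, the browser that completes the sign-in is the attacker's, not the victim's, so one signal a defender can look for is a successful cross-device (hybrid transport) sign-in from a network the user has never signed in from before. The following is an added example, not code from the article or from any vendor: it assumes an identity provider that logs one `key=value` line per authentication event with a `method` field whose value `fido_hybrid` marks a cross-device sign-in (both the format and the method names are assumptions), builds a per-user baseline of source /24 networks from an earlier window, and flags hybrid sign-ins that fall outside that baseline. The log lines are constructed for the example.

```python
"""Flag FIDO cross-device (hybrid transport) sign-ins from unfamiliar networks.

Assumed log schema (not from any real IdP): one line per event,
"<ISO-8601 timestamp> user=<name> method=<method> src=<ip> result=<success|failure>".
The method value "fido_hybrid" for cross-device sign-in is likewise an assumption.
"""
from datetime import datetime, timezone
from ipaddress import ip_network

HYBRID_METHOD = "fido_hybrid"  # assumed label for cross-device sign-in events

# Constructed sample log. Before the cutoff, alice signs in from 203.0.113.0/24 and
# bob from 198.51.100.0/24. After it, alice's password and hybrid sign-ins arrive
# from 192.0.2.77, a network she has never used (the pattern the article describes:
# the attacker's browser enters the relayed password and requests cross-device sign-in).
SAMPLE_LOG = """\
2025-07-10T08:00:00Z user=alice method=password src=203.0.113.45 result=success
2025-07-10T08:00:04Z user=alice method=fido_hybrid src=203.0.113.45 result=success
2025-07-11T11:00:00Z user=bob method=password src=198.51.100.9 result=success
2025-07-12T08:10:00Z user=alice method=password src=203.0.113.46 result=success
2025-07-12T08:10:03Z user=alice method=fido_usb src=203.0.113.46 result=success
2025-07-18T09:41:03Z user=alice method=password src=192.0.2.77 result=success
2025-07-18T09:41:09Z user=alice method=fido_hybrid src=192.0.2.77 result=success
2025-07-18T11:05:00Z user=bob method=password src=198.51.100.9 result=success
2025-07-18T11:05:02Z user=bob method=fido_hybrid src=198.51.100.9 result=success
"""


def parse_line(line):
    """Parse one assumed-format log line into a dict with a tz-aware timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def source_network(ip, prefix=24):
    """Coarsen a source IP to its /24 so small address churn does not break the baseline."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(events, before):
    """Per-user set of source networks seen in successful sign-ins before the cutoff."""
    baseline = {}
    for ev in events:
        if ev["ts"] < before and ev["result"] == "success":
            baseline.setdefault(ev["user"], set()).add(source_network(ev["src"]))
    return baseline


def flag_hybrid_logins(events, baseline, since):
    """Return (user, src, timestamp) for successful hybrid sign-ins from unfamiliar networks."""
    flagged = []
    for ev in events:
        if ev["ts"] < since or ev["method"] != HYBRID_METHOD or ev["result"] != "success":
            continue
        if source_network(ev["src"]) not in baseline.get(ev["user"], set()):
            flagged.append((ev["user"], ev["src"], ev["ts"].isoformat()))
    return flagged


def run_sample():
    """Apply the heuristic to the constructed log with a 2025-07-15 cutoff."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2025, 7, 15, tzinfo=timezone.utc)
    return flag_hybrid_logins(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, src, ts in run_sample():
        print(f"review: cross-device sign-in for {user} from {src} at {ts}")
```

Only alice's hybrid sign-in from 192.0.2.77 is flagged; bob's comes from a network already in his baseline. A source-network baseline is one signal, not a verdict: a relay operated from a network the user has used before would not trip it, so in practice it belongs alongside other controls such as restricting which authenticator types an identity provider accepts for sensitive accounts.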