- A phishing campaign spotted trying to work around FIDO keys
- The “cross-device sign in” feature triggers a QR code
- Crooks can relay the QR code to bypass MFA and log in
Hackers have found a way into accounts even when they are protected with Fast IDentity Online (FIDO) physical keys. It revolves around a fallback built into these multi-factor authentication (MFA) solutions, and only works in certain scenarios.
FIDO keys are small physical or software authenticators that use public-key cryptography to log users securely into websites and apps. They serve as a second factor, so that cybercriminals who have already obtained a username and password still cannot get into the targeted account.
To use the authenticator, users normally need to physically interact with the device, for example by touching a key plugged in over USB or tapping it over NFC. In some scenarios, however, there is a replacement mechanism: cross-device sign-in, in which the user scans a QR code with a phone that then acts as the authenticator. Criminals have started abusing this fallback in so-called adversary-in-the-middle (AitM) attacks.
Phishing for QR codes
Observed by security researchers at Expel, the attacks start with the usual phishing email.
It leads victims to a landing page that mimics the look and feel of the company’s normal authentication process, including an Okta logo and sign-in fields for username and password.
Normally, after entering the login credentials, the user would need to physically interact with the FIDO key. In this case, however, the user is presented with a QR code instead.
This is because, in the background, the attackers have entered the stolen credentials into the real login portal and requested "cross-device sign-in", which makes the portal generate a QR code for the attackers' session; the phishing page simply relays that code to the victim. If the victim scans it, their phone completes the FIDO challenge for the attackers' session rather than their own, and the attackers are logged in.
The best defence against this attack is to enable Bluetooth proximity checks for cross-device sign-in, so that a QR code only works if the phone scanning it is physically near the computer that requested it.
Companies should also educate their employees on how to spot suspicious login pages and unexpected QR codes, since this malicious landing page could easily be spotted by looking at the URL and the domain: a FIDO key never asks to be replaced by a QR code when it is plugged in.
Finally, IT teams should audit authentication logs for unexpected QR-based (cross-device) logins, and for new FIDO registrations that follow such a login, since both can serve as indicators of compromise.
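As an added example (not code from the article, from Expel or from Okta), the script below runs the two log checks just described over a handful of constructed events: it flags cross-device (QR) logins that arrive from outside the corporate network, and it flags a FIDO enrollment that follows a QR login for the same user within a short window. The JSON schema, the event names, the `transport` field and the corporate IP range are assumptions chosen for illustration and should be mapped onto the real system-log schema of your identity provider.

```python
"""
Triage of authentication-log events for the QR-code (cross-device sign-in)
FIDO bypass. Added example; the log format, event names, field names and
network ranges are assumptions, not a real IdP schema.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed office address space (RFC 5737 TEST-NET-3, used here as a stand-in).
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# How soon after a QR login a new FIDO enrollment is considered suspicious.
ENROLL_WINDOW = timedelta(minutes=30)

# Constructed sample events (not real logs). "transport" follows WebAuthn
# naming: a physical key shows up as "usb" or "nfc", while "hybrid" is the
# cross-device flow started by scanning a QR code with a phone.
SAMPLE_LOG = """
{"ts": "2025-07-18T09:00:05Z", "event": "user.authentication.auth_via_mfa", "user": "alice@example.com", "factor": "FIDO2", "transport": "usb", "ip": "203.0.113.10", "session": "s-1"}
{"ts": "2025-07-18T09:12:40Z", "event": "user.authentication.auth_via_mfa", "user": "bob@example.com", "factor": "FIDO2", "transport": "hybrid", "ip": "198.51.100.77", "session": "s-2"}
{"ts": "2025-07-18T09:15:02Z", "event": "user.mfa.factor.activate", "user": "bob@example.com", "factor": "FIDO2", "transport": "usb", "ip": "198.51.100.77", "session": "s-2"}
{"ts": "2025-07-18T10:30:00Z", "event": "user.authentication.auth_via_mfa", "user": "carol@example.com", "factor": "FIDO2", "transport": "hybrid", "ip": "203.0.113.22", "session": "s-3"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def is_qr_login(ev):
    """An MFA success completed over the cross-device (QR) transport."""
    return (ev["event"] == "user.authentication.auth_via_mfa"
            and ev.get("transport") == "hybrid")


def is_fido_enrollment(ev):
    """A new FIDO authenticator was activated on the account."""
    return (ev["event"] == "user.mfa.factor.activate"
            and ev.get("factor") == "FIDO2")


def find_suspicious(events):
    """Return findings for off-network QR logins and enrollments after them."""
    findings = []
    qr_logins = {}  # user -> QR logins seen so far, in time order
    for ev in events:
        if is_qr_login(ev):
            qr_logins.setdefault(ev["user"], []).append(ev)
            # A QR login from an unfamiliar network is exactly what a relayed
            # QR code looks like from the identity provider's point of view.
            if not is_corporate(ev["ip"]):
                findings.append({"user": ev["user"], "rule": "qr_login_offnet",
                                 "severity": "medium", "ts": ev["ts"].isoformat(),
                                 "ip": ev["ip"]})
        elif is_fido_enrollment(ev):
            # Attackers who got in via a relayed QR code tend to register their
            # own authenticator to keep access; a fresh FIDO enrollment shortly
            # after a QR login on the same account is a strong indicator.
            for login in qr_logins.get(ev["user"], []):
                if timedelta(0) <= ev["ts"] - login["ts"] <= ENROLL_WINDOW:
                    findings.append({"user": ev["user"],
                                     "rule": "fido_enrolled_after_qr_login",
                                     "severity": "high",
                                     "ts": ev["ts"].isoformat(), "ip": ev["ip"]})
                    break
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['rule']}: {f['user']} at {f['ts']} from {f['ip']}")
```

On the constructed data only bob@example.com is flagged, once for the off-network QR login and once for the FIDO enrollment three minutes later; alice's USB touch and carol's in-office QR login pass. In a real deployment the corporate ranges would come from inventory, and carol's event would still deserve a look if cross-device sign-in is not something the organisation expects to see at all.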
Via The Hacker News
This article was written by: Nermeen Nabil Khear Abdelmalak