Hackers Target FIDO MFA Using Innovative Phishing Method

  • admin
  • July 19, 2025
  • data-breaches

Cybercrime,
Fraud Management & Cybercrime,
Multi-factor & Risk-based Authentication

PoisonSeed Threat Actor Exploits Cross-Device Login and QR Codes to Deceive Users

Prajeet Nair (@prajeetspeaks)
July 19, 2025

Hackers Exploit FIDO MFA With Novel Phishing Technique
Expel researchers have identified a novel phishing technique that circumvents FIDO2 security, a leading multifactor authentication method. (Image: Shutterstock)

Expel researchers have uncovered a phishing technique, used by the cybercrime group PoisonSeed, that targets users of FIDO2 physical security keys, widely regarded as one of the strongest forms of multifactor authentication. Rather than attacking the keys, the technique abuses the cross-device sign-in feature and the QR codes it relies on to manipulate unsuspecting users.

The FIDO protocol itself remains intact; what the attackers exploit is the cross-device sign-in feature built around it. According to a detailed report from Expel, PoisonSeed's phishing campaign gains unauthorized access by convincing victims to log in to a fake page masquerading as their organization's Okta portal. When victims enter their credentials, they unknowingly set off a chain of events that produces a QR code designed to link their mobile device to the attacker's session.

The QR code adds a deceptive layer, leading victims to believe they are simply completing their normal sign-in procedure. “The hardware and cryptography remain sound, but the convenience features can be manipulated,” stated Jason Soroko, senior fellow at Sectigo.

The attack sidesteps the victim's FIDO key entirely. It begins with a phishing email that sends users to the fraudulent site. After victims enter their login details, the malicious site forwards them to the legitimate authentication service, which then generates a QR code for cross-device login.

The phishing site then displays that QR code, and victims are led to scan it with their mobile authenticator, unknowingly approving the attacker-controlled session. The attacker gains access to sensitive organizational resources without the victim ever touching their physical security key.

From a cybersecurity perspective, the incident maps to well-known MITRE ATT&CK tactics: initial access through phishing, followed by persistence techniques that let attackers keep a foothold within compromised environments. It also underscores the central role social engineering plays in modern cyber threats.

Expel emphasizes that although the attack was swiftly mitigated, it is a stark reminder that capable adversaries can get past even well-fortified defenses with clever social engineering. Security teams are encouraged to monitor authentication logs closely for anomalies such as unexpected cross-device sign-in attempts or unfamiliar FIDO key registrations.
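The log-monitoring advice above, and the attack flow described earlier (password accepted, then a cross-device FIDO assertion completed in the attacker's session, possibly followed by the attacker enrolling a key of their own), can be turned into concrete detection rules. The following is an added example written for this article; it is not Expel's, Okta's or PoisonSeed-related code, and the event schema (`fido.auth`, `fido.register`, `password.ok`, `transport`, `transports`, `country`) is a constructed, simplified one, not any real product's log format. The only standards-based name is the WebAuthn transport value `hybrid`, which is what the specification calls the cross-device (QR code) flow.

```python
"""Detection sketch for the cross-device (QR code) FIDO phishing pattern.

Added example, not code from the article, Expel or Okta. The event schema is
constructed and simplified; field names are assumptions, not a real API.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). "transport" on an auth
# event records which WebAuthn transport delivered the assertion; "hybrid"
# is the cross-device flow that starts by scanning a QR code.
EVENTS = [
    # alice's normal baseline: a USB key enrolled and used from her office IP
    {"ts": "2025-07-18T09:00:00Z", "type": "fido.register", "user": "alice",
     "ip": "203.0.113.10", "country": "US", "transports": ["usb"]},
    {"ts": "2025-07-18T09:05:00Z", "type": "fido.auth", "user": "alice",
     "ip": "203.0.113.10", "country": "US", "transport": "usb"},
    # the relayed-QR pattern: password accepted from a new IP, then a
    # cross-device assertion completes there although alice only owns a USB key
    {"ts": "2025-07-19T14:00:00Z", "type": "password.ok", "user": "alice",
     "ip": "198.51.100.7", "country": "US"},
    {"ts": "2025-07-19T14:01:10Z", "type": "fido.auth", "user": "alice",
     "ip": "198.51.100.7", "country": "US", "transport": "hybrid"},
    # minutes later a new key is enrolled from a country alice has never used
    {"ts": "2025-07-19T14:03:00Z", "type": "fido.register", "user": "alice",
     "ip": "192.0.2.55", "country": "NL", "transports": ["usb", "nfc"]},
    # bob has no history at all: a single cross-device login should not alert
    {"ts": "2025-07-19T10:00:00Z", "type": "fido.auth", "user": "bob",
     "ip": "203.0.113.20", "country": "US", "transport": "hybrid"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, register_window=timedelta(minutes=15)):
    """Walk events in time order, building a per-user baseline from successful
    FIDO events, and return alerts for the patterns the article calls out."""
    enrolled = defaultdict(set)       # user -> transports of enrolled keys
    known_ips = defaultdict(set)      # user -> IPs seen on prior FIDO success
    known_countries = defaultdict(set)
    last_hybrid = {}                  # user -> time of last cross-device auth
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, reasons = ev["user"], _parse(ev["ts"]), []
        has_baseline = bool(known_ips[user])
        if ev["type"] == "fido.auth":
            if ev["transport"] == "hybrid":
                # user enrolled only hardware transports, yet a QR/cross-device
                # assertion just completed: the core PoisonSeed signal
                if enrolled[user] and "hybrid" not in enrolled[user]:
                    reasons.append("cross_device_auth_but_enrolled_keys_are_hardware_only")
                if has_baseline and ev["ip"] not in known_ips[user]:
                    reasons.append("cross_device_auth_from_unseen_ip")
                last_hybrid[user] = ts
        elif ev["type"] == "fido.register":
            if has_baseline and ev["country"] not in known_countries[user]:
                reasons.append("key_registered_from_unseen_country")
            # a fresh key right after a cross-device login is a persistence signal
            if user in last_hybrid and ts - last_hybrid[user] <= register_window:
                reasons.append("key_registered_shortly_after_cross_device_auth")
            enrolled[user].update(ev["transports"])
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"], "reasons": reasons})
        elif ev["type"] in ("fido.auth", "fido.register"):
            # only unalerted FIDO successes extend the baseline, so a suspicious
            # IP or country does not become "known" by virtue of being flagged
            known_ips[user].add(ev["ip"])
            known_countries[user].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["ts"], alert["user"], ", ".join(alert["reasons"]))
```

Two design choices matter here. The baseline is built only from FIDO successes, not from password acceptance, because in this campaign the password step succeeds from the attacker's machine and must not teach the detector that the attacker's IP is normal. And a registration that follows a cross-device login within minutes is flagged on its own, since the article notes that persistence (keeping a foothold) is the attacker's next step after initial access.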

Ultimately, although FIDO keys themselves remain sound, organizations must stay vigilant and proactive in their security audits. As cybercriminals refine their tactics, understanding where user workflows can be abused becomes essential to maintaining robust protection against sophisticated threats.

This incident underscores not only the complexity of modern cyber threats but also the imperative for business owners to continually fortify their cybersecurity strategies against evolving attack vectors.
