A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals.
The PoisonSeed threat actors are known for large-volume phishing campaigns aimed at financial fraud. In the past, they distributed emails containing crypto seed phrases that were later used to drain cryptocurrency wallets.
In the recent phishing attack observed by Expel, the PoisonSeed threat actors do not exploit a flaw in FIDO2's security but rather abuse the legitimate cross-device authentication feature.
Cross-device authentication (the WebAuthn "hybrid" transport) lets a user sign in on one device, such as a laptop, using a security key or passkey held on another device, typically a smartphone. Instead of a physical connection, such as plugging in the key, the browser displays a QR code that the phone scans to bootstrap the session; the phone then advertises over Bluetooth Low Energy as a proximity check, and the actual authentication messages are relayed between the two devices over an internet tunnel.
The attack begins by directing users to a phishing site that impersonates corporate login portals, such as from Okta or Microsoft 365.
When the user enters their credentials into the portal, the campaign uses an adversary-in-the-middle (AiTM) backend to silently log in with the submitted credentials on the legitimate login portal in real-time.
The targeted user would normally complete the multi-factor step with a FIDO2 security key. Instead, the attacker's backend, which is acting as the WebAuthn client in front of the legitimate portal, selects the cross-device sign-in option.
This causes the legitimate portal to generate a QR code, which is transmitted back to the phishing page and displayed to the user.
When the user scans that QR code with their smartphone or authenticator app, the phone completes the WebAuthn ceremony for the attacker's session, not the user's. Because the attacker's browser is talking to the real portal, the assertion is bound to the legitimate origin and passes every check the relying party performs; the origin binding that normally defeats phishing never sees the fake page.
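To make the last point concrete, here is an added example (not code from the article, Expel, or any vendor) that models the relying-party side of a WebAuthn assertion check and runs it against two scenarios: a key used directly on the phishing page, and the cross-device relay described above. Everything in it is constructed for illustration: the RP ID `login.example.com`, the lookalike origin, and an HMAC standing in for the authenticator's ECDSA signature over the same data a real authenticator signs.

```python
# Added example, not from the original article or Expel's report.
# Simplified model of a relying party (RP) verifying a WebAuthn assertion,
# used to show why origin binding stops a plugged-in key on a phishing page
# but does not stop a relayed cross-device (hybrid) sign-in.
# HMAC stands in for the authenticator's ECDSA signature (assumption).
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                              # constructed RP ID
LEGIT_ORIGIN = "https://login.example.com"               # constructed
PHISH_ORIGIN = "https://login-example-com.attacker.test"  # constructed lookalike


class Authenticator:
    """Toy authenticator: one credential per RP ID, HMAC instead of ECDSA."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # the RP stores this as the credential's key

    def get_assertion(self, rp_id, client_data_hash):
        # Real authenticators sign authenticatorData || SHA-256(clientDataJSON).
        # authenticatorData = rpIdHash (32) || flags (1) || signCount (4).
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x05"                    # flags: UP | UV
                     + (0).to_bytes(4, "big"))    # sign counter
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def build_client_data(origin, challenge):
    """clientDataJSON is built by the browser (WebAuthn client), not the user:
    it stamps in the origin of the page that called navigator.credentials.get."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def rp_verify(stored_key, challenge, client_data_json, auth_data, sig):
    """RP checks: ceremony type, challenge, origin, rpIdHash, UP flag, signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type or challenge"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + cd.get("origin", "")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    cd_hash = hashlib.sha256(client_data_json).digest()
    expected = hmac.new(stored_key, auth_data + cd_hash, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def direct_key_on_phishing_page(authn, stored_key, challenge):
    """Scenario 1: the victim plugs the key into the phishing page. The victim's
    browser stamps the phishing origin into clientDataJSON, so even a relayed
    assertion fails at the RP. (A real browser would refuse to call the
    authenticator at all, since the phishing origin is not valid for RP_ID.)"""
    cdj = build_client_data(PHISH_ORIGIN, challenge)
    auth_data, sig = authn.get_assertion(RP_ID, hashlib.sha256(cdj).digest())
    return rp_verify(stored_key, challenge, cdj, auth_data, sig)


def hybrid_relay_by_attacker(authn, stored_key, challenge):
    """Scenario 2: the attacker's AiTM browser is the WebAuthn client in front of
    the real portal. It picks cross-device sign-in, relays the QR code to the
    victim, and the victim's phone completes the ceremony for that session.
    clientDataJSON carries the legitimate origin, so every RP check passes."""
    cdj = build_client_data(LEGIT_ORIGIN, challenge)
    auth_data, sig = authn.get_assertion(RP_ID, hashlib.sha256(cdj).digest())
    return rp_verify(stored_key, challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    phone = Authenticator()
    key = phone.register(RP_ID)
    ch = secrets.token_urlsafe(32)
    print("direct key on phishing page:", direct_key_on_phishing_page(phone, key, ch))
    print("cross-device relay by attacker:", hybrid_relay_by_attacker(phone, key, ch))
```

The point the two scenarios make is that the RP's checks are all satisfied in the relay case: the session the phone authorises genuinely belongs to the legitimate origin, it just happens to be the attacker's session. The only thing standing between the phone and the attacker's browser in a real hybrid flow is the Bluetooth proximity check, which is why a practitioner should treat any policy that allows cross-device sign-in on a tenant as a downgrade path from a phishing-resistant plugged-in key.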
PoisonSeed attack flow to bypass FIDO2 protections