- A phishing campaign has been spotted trying to work around FIDO keys
- The “Cross-Device Sign-in” feature makes the login portal display a QR code
- Crooks can relay that QR code to bypass MFA and log in
Attackers have found a way to hijack logins even for accounts protected by physical FIDO security keys. The technique abuses a fallback built into these multi-factor authentication (MFA) solutions, and it only works in certain scenarios.
FIDO keys are small hardware or software authenticators that use public-key cryptography to sign users in securely to websites and applications. They act as a second factor, preventing cybercriminals who have already obtained a victim's username and password from accessing the targeted account.
Most of the time, using the authenticator requires physically interacting with the device, typically by touching the key. In some scenarios, however, there is a fallback: the user scans a QR code with their phone and the phone acts as the authenticator (cross-device sign-in). Criminals have begun abusing this fallback in so-called adversary-in-the-middle (AitM) attacks.
Phishing for QR codes
Observed by security researchers at Expel, the attacks begin with an ordinary phishing email.
It leads victims to a landing page that mimics the company's normal login flow, complete with an Okta logo and fields for the username and password.
Normally, after entering their credentials, the user would physically interact with the FIDO key. Here, however, the user is shown a QR code instead.
That is because, in the background, the attackers have submitted the stolen credentials to the real login portal and requested cross-device sign-in, which made the legitimate portal generate the QR code; the phishing page simply relays it to the victim. If the victim scans it with their phone, the login portal and the phone's MFA authenticator complete the authentication with each other, and it is the attackers' session that ends up logged in.
The best defense against this attack is to enforce Bluetooth proximity checks for FIDO cross-device sign-in, so that scanning the QR code only works when the phone doing the scanning is physically near the computer requesting the login. In this attack the QR code was requested from the attackers' machine, not the victim's, so a proximity check fails.
Companies should also train employees to recognise suspicious login pages and unexpected QR codes: the malicious landing page used in this campaign could be identified by checking the URL and the domain.
Finally, IT teams should audit authentication logs for unusual QR-based (cross-device) sign-ins and for newly registered FIDO keys, both of which can serve as indicators of compromise.
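As an added illustration of the log audit described above (this is example code written for this page, not a tool from Expel or from any identity provider), the script below runs two detection rules over a constructed log sample: a successful cross-device (QR) FIDO sign-in from an IP address the user has never logged in from before, and a new MFA factor enrolled shortly after such a sign-in. The log format is assumed for the example: one JSON object per line with `ts`, `user`, `event`, `transport`, `ip` and `outcome` fields, where `transport` uses the WebAuthn transport names (`hybrid` is the QR-plus-Bluetooth cross-device flow). Real Okta or Entra logs use different field names, so map them before reusing the rules.

```python
"""Hunt for suspicious FIDO cross-device (QR) sign-ins in authentication logs.

Example code added for this article; it is not Expel's or Okta's tooling.
The log schema, event names and sample events are all constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event names (constructed; not a real IdP's schema).
AUTH_EVENT = "user.authentication.auth"
ENROLL_EVENT = "user.mfa.factor.activate"

# Constructed sample log. alice normally signs in with a plugged-in key
# from 203.0.113.10; on 2025-07-22 a QR/hybrid sign-in from a new IP is
# followed five minutes later by a new factor enrollment. bob legitimately
# uses cross-device sign-in from the same IP every time.
SAMPLE_LOG = """
{"ts": "2025-07-20T08:02:11Z", "user": "alice", "event": "user.authentication.auth", "transport": "usb", "ip": "203.0.113.10", "outcome": "SUCCESS"}
{"ts": "2025-07-21T08:05:40Z", "user": "alice", "event": "user.authentication.auth", "transport": "usb", "ip": "203.0.113.10", "outcome": "SUCCESS"}
{"ts": "2025-07-22T09:14:02Z", "user": "alice", "event": "user.authentication.auth", "transport": "hybrid", "ip": "198.51.100.77", "outcome": "SUCCESS"}
{"ts": "2025-07-22T09:19:30Z", "user": "alice", "event": "user.mfa.factor.activate", "transport": "usb", "ip": "198.51.100.77", "outcome": "SUCCESS"}
{"ts": "2025-07-19T10:00:00Z", "user": "bob", "event": "user.authentication.auth", "transport": "hybrid", "ip": "203.0.113.22", "outcome": "SUCCESS"}
{"ts": "2025-07-22T10:00:00Z", "user": "bob", "event": "user.authentication.auth", "transport": "hybrid", "ip": "203.0.113.22", "outcome": "SUCCESS"}
"""


def parse_log(text):
    """Parse one JSON event per line and return the events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious(events, enroll_window=timedelta(hours=1)):
    """Apply two rules in chronological order and return a list of alerts.

    Rule 1: a successful hybrid (QR) sign-in from an IP not previously seen
            for that user. Users with no prior history are not flagged,
            because there is no baseline to compare against.
    Rule 2: an MFA factor enrolled within enroll_window after a hybrid
            sign-in, which is what an attacker does to keep access.
    """
    seen_ips = defaultdict(set)   # per-user baseline of source IPs
    last_hybrid = {}              # per-user time of last QR sign-in
    alerts = []
    for ev in events:
        if ev.get("outcome") != "SUCCESS":
            continue
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == AUTH_EVENT:
            if ev.get("transport") == "hybrid":
                if seen_ips[user] and ip not in seen_ips[user]:
                    alerts.append({"rule": "cross_device_signin_from_new_ip",
                                   "user": user, "ip": ip,
                                   "ts": ev["ts"].isoformat()})
                last_hybrid[user] = ev["ts"]
            seen_ips[user].add(ip)
        elif ev["event"] == ENROLL_EVENT:
            t = last_hybrid.get(user)
            if t is not None and ev["ts"] - t <= enroll_window:
                alerts.append({"rule": "fido_factor_enrolled_after_cross_device",
                               "user": user, "ip": ip,
                               "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Running the script flags both of alice's events and nothing for bob, which is the point of baselining per user: cross-device sign-in is a legitimate feature, so the signal is the change in behaviour (a first QR login from an unfamiliar network, or a key registered right after one), not the use of QR sign-in by itself.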
Via The Hacker News