The Rise of PoisonSeed Hackers

In a startling revelation, cybersecurity experts have unveiled a cunning new attack method employed by the notorious PoisonSeed hackers. These cybercriminals have found a way to undermine Fast IDentity Online (FIDO) key protections by tricking unsuspecting users into mistakenly approving authentication requests from fake corporate login portals.

What Are FIDO Keys?

FIDO keys serve as powerful guardians of online security, using advanced public-private key cryptography to make phishing attempts practically obsolete. However, the PoisonSeed group has found a chink in this armor by exploiting the legitimate cross-device sign-in feature, using it to dupe victims into unwittingly approving dangerous sessions.

The Dark Tactics Unveiled

According to researchers from Expel, this nefarious campaign leverages compromised credentials from customer relationship management (CRM) tools and email services to send spam that may include cryptocurrency seed phrases aimed at emptying victims’ digital wallets.

"By manipulating the cross-device sign-in features of FIDO keys, these attackers execute what we call adversary-in-the-middle (AitM) attacks," explain cybersecurity researchers Ben Nahorney and Brandon Overstreet.

How the Attack Works

This innovative attack exploits vulnerabilities in cross-device sign-ins that don't enforce strict security measures like Bluetooth verification. If a user’s environment requires hardware security keys directly connected to the device, or relies on platform-specific authentication methods like Face ID, the attack fails.

The attack begins with a phishing email that lures victims to a counterfeit sign-in page, cleverly masquerading as a legitimate Okta portal. Upon entering their credentials, the fake site stealthily transmits this information to the real login page.

Next, the phishing site requests the legitimate portal to generate a QR code for authentication, which the compromised site captures and presents to the victim.

By scanning this QR code with their mobile authenticator app, users unwittingly grant attackers unauthorized access to their accounts.

Breaking Down FIDO Defenses

What makes this attack particularly alarming is its ability to circumvent the protections offered by FIDO keys without exploiting any inherent flaws in their design. Instead, it cleverly manipulates a standard feature, exposing a significant security loophole.

Although FIDO2 is designed to combat phishing attempts, the hybrid transport method used for cross-device login can be misappropriated in situations where device proximity checks are weak or absent.

Preventive Measures: Protecting Yourself

To better safeguard user accounts, cybersecurity experts recommend that organizations enhance FIDO2 authentication with strict checks verifying device authenticity. Logins should ideally occur on the same device that holds the passkey to mitigate phishing risks.

Additionally, security teams should remain vigilant for unusual QR code logins or new passkey enrollments, while account recovery protocols should prioritize phishing-resistant methods.

A Call to Action

These findings highlight the urgent necessity for robust, phishing-resistant authentication across all stages of the account lifecycle, including recovery phases. Using a vulnerable authentication method may jeopardize the entire identity security framework.

The ongoing escalation of AitM attacks targeting FIDO keys illustrates the ongoing battle between cybercriminals and defenders in protecting user accounts. Users and organizations alike must stay informed and proactive to safeguard their digital lives.