- A phishing campaign was seen trying to work around FIDO keys
- The "cross-device sign-in" feature triggers a QR code
- Crooks can relay the QR code to bypass MFA and log in
Hackers have found a way to take over accounts even when they are protected with physical security keys (FIDO). The technique revolves around a feature built into these multifactor authentication (MFA) solutions, and it only works in certain scenarios.
FIDO keys are small physical or software authenticators that use cryptography to sign users in securely to websites and applications. They serve as a multifactor authenticator, preventing cybercriminals who have already obtained the login credentials from accessing the associated accounts.
To use the authenticator, users usually have to physically interact with the device. In some scenarios, however, there is a fallback mechanism: scanning a QR code. Criminals have begun to abuse this fallback in so-called adversary-in-the-middle (AitM) attacks.
Phishing for QR codes
Observed by security researchers at Expel, the attacks begin with the usual phishing email.
It takes the victims to a landing page that mimics the look of the company's normal authentication flow, including an Okta logo and the username and password fields.
Normally, after entering the login credentials, the user would need to physically interact with the FIDO key. In this case, however, the user is presented with a QR code instead.
This is because, in the background, the attackers used the stolen credentials on the real login portal and requested "cross-device sign-in", which triggered the QR code fallback. If the victim scans the QR code, the login portal and the MFA authenticator communicate, and the attackers are logged in successfully.
The best way to defend against this attack is to enable Bluetooth proximity checks for FIDO, so that the QR codes only work when the phone scanning them is physically close to the user's computer.
Alternatively, companies should educate their employees on how to spot suspicious login pages and unexpected QR codes, since this malicious landing page could easily be identified by looking at the URL and domain.
Finally, IT teams should audit authentication logs for sessions based on unfamiliar QR-code (cross-device) sign-ins, or for new FIDO key registrations, both of which can serve as an indicator of compromise.
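As an added illustration of that audit (example code, not from the article or from Expel), the check below runs over constructed JSON authentication events and flags a user's first cross-device (QR) sign-in and any FIDO authenticator enrolled shortly afterwards. The log format and field names are assumptions, not any real identity provider's schema; the transport value "hybrid" is the WebAuthn name for the cross-device flow.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real IdP output): one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-07-18T09:01:00Z", "user": "alice", "event": "signin", "transport": "usb"}
{"ts": "2025-07-18T09:30:00Z", "user": "bob", "event": "signin", "transport": "internal"}
{"ts": "2025-07-18T13:15:00Z", "user": "alice", "event": "signin", "transport": "hybrid"}
{"ts": "2025-07-18T13:19:00Z", "user": "alice", "event": "authenticator_enrolled", "type": "fido2"}
{"ts": "2025-07-18T14:00:00Z", "user": "bob", "event": "signin", "transport": "internal"}
"""

# Assumed window: a new key enrolled this soon after a QR sign-in is worth a look.
ENROLL_WINDOW = timedelta(minutes=30)

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def flag_suspicious(events):
    """Return (user, timestamp, reason) tuples for events an analyst should review."""
    findings = []
    seen_transports = {}   # user -> set of transports used so far
    last_hybrid = {}       # user -> timestamp of most recent cross-device sign-in
    for e in events:
        user = e["user"]
        if e["event"] == "signin":
            t = e["transport"]
            if t == "hybrid":
                # First cross-device (QR) sign-in for a user who always used a local key
                if "hybrid" not in seen_transports.get(user, set()):
                    findings.append((user, e["ts"], "first cross-device (QR) sign-in"))
                last_hybrid[user] = e["ts"]
            seen_transports.setdefault(user, set()).add(t)
        elif e["event"] == "authenticator_enrolled":
            # New FIDO registration right after a QR sign-in may be attacker persistence
            if user in last_hybrid and e["ts"] - last_hybrid[user] <= ENROLL_WINDOW:
                findings.append((user, e["ts"], "new FIDO authenticator enrolled shortly after cross-device sign-in"))
    return findings

if __name__ == "__main__":
    for user, ts, reason in flag_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Feed it your own exported events once the field names are mapped to your identity provider's log schema.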
Via The Hacker News