Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to downgrade Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.
FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. In this case, attackers exploit a legitimate feature—cross-device sign-in—to trick victims into unknowingly authenticating malicious sessions.
The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims' digital wallets.
"The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys," researchers Ben Nahorney and Brandon Overstreet said. "However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks."
More Info