Attack campaign targeting FIDO key authentication


Recently, researchers from Expel, a security company that provides 24/7 monitoring, detection and response (MDR), published a post on their blog describing a phishing campaign that targets FIDO key authentication.
FIDO (Fast IDentity Online) key authentication is a hardware-based authentication method built on open standards from the FIDO Alliance. Depending on how a service deploys it, a FIDO credential can replace the password entirely (passwordless sign-in) or act as a second factor (2FA) alongside it. In both cases the user proves presence or identity to the authenticator itself, typically with a fingerprint, face recognition or a PIN; that verification happens on the device and is never sent to the website.
Another property that makes FIDO key authentication trustworthy is its phishing resistance. When a user registers a FIDO key with a website, the authenticator generates a unique public/private key pair for that site and binds the credential to the site's domain (the relying party ID). The private key never leaves the authenticator, and the browser will only ask the authenticator to sign a login challenge when the page requesting it is served from the registered domain. A look-alike site therefore cannot obtain a valid signature, so the account stays safe even if the user is tricked into opening a fake link.
However, in the same blog post Expel's researchers warn about a social engineering campaign that works around this protection. The attackers abuse the cross-device sign-in feature supported by FIDO, in which a user signs in on one device (for example a laptop) with an authenticator held on another (for example a phone) by scanning a QR code. Using an Adversary-in-the-Middle (AitM) setup, a reverse proxy placed between the user and the legitimate service, the attacker becomes the party that the legitimate service is actually authenticating; once the victim approves the cross-device request, the session the service issues lands in the attacker's browser (session hijacking). Note that the origin check described above is not broken: the browser sitting on the legitimate site is simply the attacker's, not the victim's.
Figure 1: Attack chain targeting FIDO keys
The attack chain is summarized as follows:
Step 1: The attacker sends the user a phishing email that impersonates a legitimate company or service and lures the user to a fake website.
Step 2: The fake website asks the user for their login information. Whatever the user types is captured and immediately replayed by the attacker's proxy into the legitimate login page.
Step 3: When the legitimate login page asks for the FIDO factor, the proxy selects the option to sign in with a key on another device. The legitimate service responds with a QR code, which the proxy immediately displays on the phishing page.
Step 4: The user scans the QR code with their phone. The authenticator verifies the user and signs the challenge, and the legitimate service accepts the login. Because the browser that started the cross-device request is the attacker's, the authenticated session is issued to the attacker, who now has access to the user's account.
One caveat for anyone assessing their own exposure: the FIDO Alliance's cross-device (hybrid) transport includes a Bluetooth proximity check between the phone and the computer that displays the QR code. Where a service's cross-device sign-in enforces that check, a QR code relayed to a victim far from the attacker's machine cannot complete, so the chain above depends on how the service implements cross-device sign-in rather than on a weakness in the FIDO credential itself.
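To make the security-relevant point concrete, here is a constructed Go model of the three WebAuthn parties (authenticator, browser, relying party), added here as an editor's illustration; it is not code from Expel's report or from any FIDO implementation. It keeps only what decides the outcome: the challenge, the origin the browser writes into clientDataJSON, the rpIdHash in authenticatorData, and the signature over both. The origins example.com and examp1e.com, the EdDSA key, the "victim-browser" and "attacker-browser" labels and the Attempt helper are all assumptions for the demo. Running it shows the two cases side by side: a browser on the look-alike origin is refused before the relying party sees anything, while in the relay the signature the victim's phone produces over the attacker's browser's client data passes every check, and the session goes to the attacker's browser. The transport (USB, built-in, or QR code to a phone) is deliberately absent, because it does not appear in anything the relying party verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

const (
	rpOrigin    = "https://example.com" // the legitimate site (made up)
	rpID        = "example.com"         // the RP ID the credential is bound to
	phishOrigin = "https://examp1e.com" // the attacker's look-alike site (made up)
)

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what a browser hands to the RP; AuthData is only the rpIdHash in this model.
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }

// Authenticator is the victim's phone or security key: one EdDSA credential scoped to rpID.
type Authenticator struct {
	rpID string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the authenticator
}

func NewAuthenticator(id string) *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return &Authenticator{rpID: id, pub: pub, priv: priv}
}

// sign is CTAP getAssertion: check the RP ID, then sign authenticatorData || clientDataHash.
// The authenticator cannot tell which browser, on whose machine, produced that client data.
func (a *Authenticator) sign(requestedRPID string, clientDataHash []byte) (authData, sig []byte, err error) {
	if requestedRPID != a.rpID {
		return nil, nil, fmt.Errorf("authenticator: no credential for rp %q", requestedRPID)
	}
	h := sha256.Sum256([]byte(a.rpID))
	return h[:], ed25519.Sign(a.priv, append(append([]byte{}, h[:]...), clientDataHash...)), nil
}

// browserGetAssertion is the WebAuthn client: it derives the RP ID from ITS OWN origin and records
// that origin in clientDataJSON, so a look-alike site can only ask for a credential that does not exist.
func browserGetAssertion(origin string, auth *Authenticator, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	cdh := sha256.Sum256(cd)
	authData, sig, err := auth.sign(origin[len("https://"):], cdh[:])
	return Assertion{ClientDataJSON: cd, AuthData: authData, Sig: sig}, err
}

// RelyingParty is the legitimate service: the registered public key plus the challenge it last issued.
type RelyingParty struct {
	pub     ed25519.PublicKey
	pending string
}

// Login runs the standard checks (challenge, origin, signature by the registered key). On success it
// returns the ID of the client that submitted the assertion: the browser the session cookie goes to.
func (rp *RelyingParty) Login(a Assertion, submittedBy string) (string, error) {
	var cd clientData
	cdh := sha256.Sum256(a.ClientDataJSON)
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return "", fmt.Errorf("rp: malformed client data")
	case rp.pending == "" || cd.Challenge != rp.pending:
		return "", fmt.Errorf("rp: unknown or reused challenge")
	case cd.Origin != rpOrigin:
		return "", fmt.Errorf("rp: origin %q not allowed", cd.Origin)
	case !ed25519.Verify(rp.pub, append(append([]byte{}, a.AuthData...), cdh[:]...), a.Sig):
		return "", fmt.Errorf("rp: bad signature")
	}
	rp.pending = "" // challenges are single use
	return submittedBy, nil
}

// Attempt is one sign-in: the RP issues a challenge, a browser at browserOrigin has the victim's
// authenticator sign it and submits the result. In the relay that browser is the attacker's, on the real origin.
func Attempt(rp *RelyingParty, auth *Authenticator, browserOrigin, submittedBy string) (string, error) {
	b := make([]byte, 16)
	rand.Read(b)
	rp.pending = fmt.Sprintf("%x", b)
	a, err := browserGetAssertion(browserOrigin, auth, rp.pending)
	if err != nil {
		return "", err
	}
	return rp.Login(a, submittedBy)
}

func main() {
	auth := NewAuthenticator(rpID)
	rp := &RelyingParty{pub: auth.pub} // registration: the RP keeps only the public key
	fmt.Println(Attempt(rp, auth, phishOrigin, "victim-browser")) // classic phishing: refused
	fmt.Println(Attempt(rp, auth, rpOrigin, "attacker-browser"))  // the relay: accepted
}
```

What the model makes visible is that every check the relying party runs is genuinely satisfied in the relay: the challenge is fresh, the origin is the real one, and the signature comes from the registered key. The only thing that changed is whose browser is on the legitimate origin, and nothing the authenticator signs identifies that party. The defence therefore has to come from outside the assertion: not offering (or restricting) cross-device sign-in, enforcing the proximity check between the phone and the device showing the QR code, and watching for the credential-then-QR-code sequence in sign-in logs.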
Mitigation & Recommendations
FIDO keys remain one of the safest ways to protect an account, but they have to be used correctly, and users need to be aware of how sophisticated today's phishing has become. Measures that reduce the risk from this kind of campaign include:
Do not click on unfamiliar links: Avoid links in emails from unknown senders, and check the address of any page you are sent to before signing in. Phishing sites commonly use look-alike domains (typosquatting) to pass as the real service, and a FIDO prompt that appears as a QR code on a site you did not navigate to yourself is a warning sign.
Do not share FIDO keys: Never lend or hand over a FIDO key. If a key is lost or you no longer control it, revoke it from every account it is registered with and report it to the support team so that a replacement can be enrolled.
Use security services: Organisations can rely on monitoring and log analysis (24/7 MDR, SIEM rules) to catch this attack early, for example a sign-in that completes from an IP address or device the user has never used, or a cross-device (QR code) FIDO sign-in for a user who normally authenticates with a key on the same device. Where the identity provider allows it, restricting or disabling cross-device sign-in for users who have a key registered on their own device removes the option the attacker relies on.