- A phishing campaign has been discovered that works around FIDO keys
- The "cross-device sign-in" feature triggers a QR code
- Crooks can relay that QR code to the victim to bypass MFA and log in
Hackers have found a way to steal login credentials and get into accounts, even ones protected with Fast Identity Online (FIDO) physical keys. The technique abuses a fallback built into these multi-factor authentication (MFA) solutions, and only works in certain scenarios.
FIDO keys are small physical (or software) authenticators that use public-key cryptography to sign users in to sites and apps securely. They act as a second factor and stop cyber criminals who already hold a victim's username and password from getting into the account.
Most of the time, the user must physically touch the device to authenticate. In some scenarios, however, there is a fallback mechanism: scanning a QR code. Criminals have begun to abuse this fallback in so-called adversary-in-the-middle (AitM) attacks.
Phishing for QR codes
Attacks observed by security researchers start with the usual phishing email.
It leads victims to a landing page that mimics the look and feel of the company's normal sign-in flow, including an Okta logo and fields for username and password.
Normally, after entering the credentials, the user would be asked to touch the FIDO key. Here, however, the user is instead shown a QR code.
That is because, in the background, the attackers use the stolen credentials on the real login portal and request a "cross-device sign-in", which makes the portal issue a QR code that they relay to the phishing page. If the victim scans it with their phone, the phone's authenticator completes the MFA challenge for the attacker's session, and the attacker is logged in.
The best defence against this attack is to enforce Bluetooth proximity checking for FIDO cross-device sign-in, so a QR code only works when the phone that scans it is physically near the computer that requested it.
Alternatively, companies should train their employees to spot suspicious login pages and unexpected QR codes, since this malicious landing page could easily be identified by checking the URL and the domain.
Finally, security teams should review authentication logs for unusual QR-based logins or new FIDO registrations, which can serve as indicators of compromise.
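The log review suggested above can be partly automated. The following is an added example (not code from the original article or from any vendor) that runs two checks over constructed authentication events in an assumed generic JSON-lines schema: it flags a cross-device sign-in when the browser session that requested the QR code and the phone that scanned it did not share a public IP, or when the requesting IP has never completed MFA for that user before, and it then ties any new FIDO registration that follows such a login to it. The event names, fields and sample addresses are all assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in an assumed generic JSON-lines schema (not any
# identity provider's real log format). "ip" is the public address the request
# came from; "session" ties the password step, the QR issuance and the QR
# completion of one login together. alice's 14:12 login is the AitM case from
# the article: the attacker's browser requests the QR code, alice's phone scans it.
SAMPLE_LOG = """\
{"ts":"2025-07-18T08:30:00Z","user":"bob","event":"mfa.fido.touch.success","ip":"203.0.113.22","session":"s-bob-am"}
{"ts":"2025-07-18T09:00:05Z","user":"alice","event":"login.password.success","ip":"203.0.113.10","session":"s-legit"}
{"ts":"2025-07-18T09:00:09Z","user":"alice","event":"mfa.fido.touch.success","ip":"203.0.113.10","session":"s-legit"}
{"ts":"2025-07-18T14:12:01Z","user":"alice","event":"login.password.success","ip":"198.51.100.77","session":"s-aitm"}
{"ts":"2025-07-18T14:12:03Z","user":"alice","event":"mfa.cross_device.qr_issued","ip":"198.51.100.77","session":"s-aitm"}
{"ts":"2025-07-18T14:12:40Z","user":"alice","event":"mfa.cross_device.qr_completed","ip":"203.0.113.10","session":"s-aitm"}
{"ts":"2025-07-18T14:15:10Z","user":"alice","event":"mfa.fido.enrolled","ip":"198.51.100.77","session":"s-aitm"}
{"ts":"2025-07-18T15:00:00Z","user":"bob","event":"login.password.success","ip":"203.0.113.22","session":"s-bob"}
{"ts":"2025-07-18T15:00:02Z","user":"bob","event":"mfa.cross_device.qr_issued","ip":"203.0.113.22","session":"s-bob"}
{"ts":"2025-07-18T15:00:20Z","user":"bob","event":"mfa.cross_device.qr_completed","ip":"203.0.113.22","session":"s-bob"}
"""

# How long after a flagged login a new FIDO registration is still tied to it.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_relayed_qr_logins(events):
    """Flag cross-device sign-ins whose QR code was requested from a different
    public IP than the one that scanned it, or from an IP that never completed
    MFA for that user before. Returns one finding per suspicious session."""
    findings = []
    seen_ips = {}  # user -> set of IPs that previously completed a FIDO touch
    issued = {}    # (user, session) -> the qr_issued event for that session
    for e in events:
        key = (e["user"], e["session"])
        if e["event"] == "mfa.fido.touch.success":
            seen_ips.setdefault(e["user"], set()).add(e["ip"])
        elif e["event"] == "mfa.cross_device.qr_issued":
            issued[key] = e
        elif e["event"] == "mfa.cross_device.qr_completed" and key in issued:
            req = issued[key]
            reasons = []
            if req["ip"] != e["ip"]:
                reasons.append("qr_requested_and_scanned_from_different_ips")
            if req["ip"] not in seen_ips.get(e["user"], set()):
                reasons.append("qr_requested_from_ip_with_no_prior_mfa")
            if reasons:
                findings.append({"user": e["user"], "session": e["session"],
                                 "requester_ip": req["ip"], "scanner_ip": e["ip"],
                                 "completed_at": e["ts"], "reasons": reasons})
    return findings


def find_enrollments_after_flagged_logins(events, findings, window=ENROLL_WINDOW):
    """Tie new FIDO registrations to a flagged login for the same user that
    completed within 'window' before the registration."""
    out = []
    for e in events:
        if e["event"] != "mfa.fido.enrolled":
            continue
        for f in findings:
            if (f["user"] == e["user"]
                    and f["completed_at"] <= e["ts"] <= f["completed_at"] + window):
                out.append({"user": e["user"], "enrolled_at": e["ts"],
                            "ip": e["ip"], "after_session": f["session"]})
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = find_relayed_qr_logins(evs)
    for f in flagged:
        print("SUSPICIOUS cross-device login:", f)
    for en in find_enrollments_after_flagged_logins(evs, flagged):
        print("NEW FIDO enrollment after suspicious login:", en)
```

Both signals are heuristics: a phone on a cellular connection will not share the laptop's public IP even in a legitimate sign-in, so in production the IP comparison is better done on ASN or location, and where the identity provider records whether the Bluetooth proximity check passed, that field is the stronger signal to key on.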
Via The Hacker News