Operators of the phishing campaign PoisonSeed have found a method to bypass FIDO (in this case — FIDO2 with WebAuthn) by exploiting the authentication mechanism between devices implemented in WebAuthn. The attackers deceive victims into approving login requests that originate from fake corporate portals.
Recall that the PoisonSeed campaign is based on phishing, with the ultimate goal of financial fraud. In the past, attackers hacked corporate accounts for email marketing and sent users emails containing pre-made seed phrases for cryptocurrency wallets.
In new attacks observed by experts from the company Expel, attackers do not exploit vulnerabilities in FIDO mechanisms; instead, they abuse a legitimate cross-device authentication feature.
This WebAuthn feature allows a user to authenticate on one device using a security key or authenticator app on another. Instead of physically connecting the key (for example, via USB), the authentication request is transmitted via Bluetooth or through a QR code.
The new PoisonSeed attacks begin by redirecting the victim to a phishing site that mimics a corporate portal for logging into Okta or Microsoft 365. After the victim enters their credentials, the phishing infrastructure uses this information in real-time to log into the actual portal.
In a typical situation, the victim would need to verify the login using their FIDO key. However, in this scheme, the phishing server initiates the login through a mechanism for logging in from another device. As a result, the real portal generates a QR code, which is then passed to the phishing page and displayed to the victim.
When a user scans this QR code with their smartphone or authenticator app, essentially, they are approving a login initiated by the attackers. This allows bypassing FIDO protection by switching to cross-device authentication, which does not require physical key connection and can be approved remotely.
Researchers emphasize that the attack does not exploit any vulnerabilities in FIDO. Instead, the attackers misuse a standard feature that allows them to downgrade the level of protection.
To protect against such attacks, experts advise:
- limit geographical regions from which system access is allowed and implement a registration procedure for employees on business trips;
- regularly review the registration of new FIDO keys from unusual geolocations or from less-known manufacturers;
- whenever possible, require employees to use Bluetooth for inter-device authentication, which reduces the risk of remote attacks.
In their report, analysts at Expel describe another incident where an attacker registered their own FIDO key after compromising the victim’s account (presumably, through phishing). In this case, it wasn’t even necessary to spoof a QR code or interact with the victim — the login was completed entirely on the attacker’s side.
This case highlights that even phishing-resistant authentication methods can be bypassed if the user can be convinced to complete the login procedure without physical interaction with the key.
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →