
Operators of the PoisonSeed phishing campaign have found a way to bypass FIDO-based authentication (in this case FIDO2 with WebAuthn) by abusing the cross-device authentication feature that WebAuthn supports. The attackers trick victims into approving login requests that actually originate from attacker-controlled imitations of corporate portals.
Recall that the PoisonSeed campaign is based on phishing, with the ultimate goal of financial fraud. In the past, attackers hacked corporate accounts for email marketing and sent users emails containing pre-made seed phrases for cryptocurrency wallets.
In the new attacks observed by researchers at Expel, the attackers do not exploit any vulnerability in the FIDO mechanisms themselves; instead, they abuse the legitimate cross-device authentication feature.
This WebAuthn feature lets a user authenticate on one device using a security key or authenticator app that lives on another device. Instead of physically connecting the key (for example, via USB), the login is approved on the second device: the page requesting the login displays a QR code, the user scans it with the other device, and in the standard flow a Bluetooth proximity check between the two devices is meant to confirm that they are actually next to each other.
The new PoisonSeed attacks begin by luring the victim to a phishing site that mimics a corporate login portal for Okta or Microsoft 365. Once the victim enters their credentials, the phishing infrastructure replays them to the real portal in real time.
Normally the victim would now have to confirm the login with their FIDO key, and a key plugged into the victim's own machine would refuse to sign for the phishing origin. In this scheme, however, the phishing server chooses the option of signing in with a key on another device. The real portal then generates a QR code, which the attackers relay to the phishing page and display to the victim.
When the victim scans that QR code with their smartphone or authenticator app, they are in effect approving a login session that the attackers started. Switching to cross-device authentication, which needs no physical connection to the key and can be approved remotely, is what lets the attackers get past the FIDO protection.
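The reason the relay works is worth seeing in code. A relying party's phishing resistance comes from the `origin` field that the browser running the WebAuthn ceremony writes into `clientDataJSON`; in a classic adversary-in-the-middle attack that browser is the victim's, sitting on the phishing domain, so the check fails. In the cross-device flow the browser running the ceremony is the attacker's, sitting on the real portal, and the victim's phone merely signs what it is handed. The following is an added illustration, not code from the Expel report or from any vendor: the relying-party checks are a simplified version of the WebAuthn assertion verification steps, the signature check is omitted (the victim's genuine key signs in both cases), and `login.example.com` and the phishing origin are hypothetical.

```python
import base64
import hashlib
import json
import os

# Assumed relying party (hypothetical corporate portal, not from the report).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Assumed attacker origin (constructed for this example).
PHISH_ORIGIN = "https://login-example-com.portal-verify.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    """The relying party mints a fresh challenge for every login ceremony."""
    return b64url(os.urandom(32))


def client_data_json(challenge: str, origin: str) -> bytes:
    """What the browser that runs the ceremony hands to the authenticator.
    The origin is stamped by that browser, not by whoever shows the user a page."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash || flags (UP|UV set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")


def verify_assertion(expected_challenge: str, cdj: bytes, auth_data: bytes):
    """Relying-party checks from the WebAuthn assertion verification procedure
    (signature verification omitted; it would pass in both scenarios below)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"


def scenario_direct_phish():
    """Classic AitM: the victim's browser, on the phishing origin, is asked to sign the
    relayed challenge with a plugged-in key. (A real browser would already refuse the
    call because RP_ID is not a suffix of the phishing domain; the RP check is the
    second line of defence shown here.)"""
    challenge = new_challenge()                      # minted by the real RP, relayed by attacker
    cdj = client_data_json(challenge, PHISH_ORIGIN)  # victim's browser stamps the origin it sees
    return verify_assertion(challenge, cdj, authenticator_data(RP_ID))


def scenario_cross_device_relay():
    """PoisonSeed-style: the attacker's browser is on the real RP origin and starts the
    cross-device flow; the victim's phone only scans the relayed QR code and signs."""
    challenge = new_challenge()
    cdj = client_data_json(challenge, RP_ORIGIN)     # stamped by the attacker's browser
    return verify_assertion(challenge, cdj, authenticator_data(RP_ID))


if __name__ == "__main__":
    print("direct phishing relay :", scenario_direct_phish())
    print("cross-device relay    :", scenario_cross_device_relay())
```

Nothing the relying party sees in the second scenario distinguishes the attacker's browser from the victim's, which is why the defences that follow are about where and how the approval happens rather than about the assertion itself.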

The researchers stress that the attack exploits no vulnerability in FIDO; the attackers misuse a standard feature to downgrade the effective level of protection.
To defend against such attacks, the experts advise:
- restricting the geographic regions from which the systems can be accessed, with a registration procedure for employees on business trips;
- regularly reviewing registrations of new FIDO keys that come from unusual geolocations or from lesser-known manufacturers;
- wherever possible, requiring Bluetooth-based cross-device authentication, whose proximity check reduces the risk of remote approval.
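The first two recommendations translate directly into detection rules over identity-provider logs. Below is an added example, not code from Expel or Okta: it scans constructed events shaped loosely after Okta System Log JSON and flags logins from countries outside an allowlist (honouring a travel register), FIDO key enrollments from such countries, and enrollments whose AAGUID (the authenticator model identifier) is not one the organisation issues. The event type names, field layout, countries, user names and AAGUID values are all assumptions for illustration.

```python
import json

# Policy inputs (all assumed for this example; adapt to your tenant).
ALLOWED_COUNTRIES = {"United States", "Germany"}
# Travel register from the first recommendation: user -> countries approved for a trip.
TRAVEL_REGISTER = {"alice@example.com": {"Japan"}}
# AAGUIDs of authenticator models the organisation actually issues.
# Placeholder values, not real vendor identifiers.
ISSUED_AAGUIDS = {"11111111-2222-3333-4444-555555555555": "corporate key model A"}

FIDO_ENROLL_EVENT = "user.mfa.factor.activate"        # event type name as assumed here
LOGIN_EVENTS = {"user.session.start", "user.authentication.auth_via_mfa"}


def _event(etype, user, country, ip, debug=None):
    """Helper to build a constructed log line (not real log data)."""
    return json.dumps({
        "eventType": etype,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "debugContext": {"debugData": debug or {}},
    })


# Constructed sample events.
SAMPLE_EVENTS = [
    _event("user.session.start", "alice@example.com", "Japan", "198.51.100.10"),   # registered trip
    _event("user.session.start", "bob@example.com", "Brazil", "203.0.113.7"),      # not expected
    _event(FIDO_ENROLL_EVENT, "bob@example.com", "Brazil", "203.0.113.7",
           {"factor": "FIDO2", "aaguid": "99999999-0000-0000-0000-000000000000"}),  # unknown key
    _event(FIDO_ENROLL_EVENT, "carol@example.com", "United States", "192.0.2.44",
           {"factor": "FIDO2", "aaguid": "11111111-2222-3333-4444-555555555555"}),  # issued key
    _event("user.authentication.auth_via_mfa", "carol@example.com", "Germany", "192.0.2.44"),
]


def country_allowed(user: str, country: str) -> bool:
    """Allowed if inside the policy region or registered for that user's trip."""
    return country in ALLOWED_COUNTRIES or country in TRAVEL_REGISTER.get(user, set())


def evaluate_event(ev: dict) -> list:
    """Return (rule, user, detail) findings for one parsed event."""
    findings = []
    user = ev["actor"]["alternateId"]
    country = ev["client"]["geographicalContext"]["country"]
    etype = ev["eventType"]
    dd = ev.get("debugContext", {}).get("debugData", {})

    if etype == FIDO_ENROLL_EVENT and dd.get("factor") == "FIDO2":
        # New key registered: check where from and which model.
        if not country_allowed(user, country):
            findings.append(("fido_enroll_unusual_geo", user, country))
        aaguid = dd.get("aaguid")
        if aaguid not in ISSUED_AAGUIDS:
            findings.append(("fido_enroll_unknown_aaguid", user, aaguid))
    elif etype in LOGIN_EVENTS:
        # Successful login from outside the allowed regions, no trip registered.
        if not country_allowed(user, country):
            findings.append(("login_unusual_geo", user, country))
    return findings


def scan(lines) -> list:
    """Run the rules over an iterable of JSON log lines."""
    findings = []
    for line in lines:
        findings.extend(evaluate_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {user:20s} {detail}")
```

The AAGUID rule is the practical form of "keys from lesser-known manufacturers": an attacker enrolling their own key after a session hijack will rarely own the exact model your organisation issues, and an enrollment from a country with no matching trip record is the signal for the second Expel incident described below.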
In the same report, Expel's analysts describe another incident in which an attacker registered their own FIDO key after compromising the victim's account (presumably through phishing). In that case there was no need to spoof a QR code or interact with the victim at all: the login was completed entirely on the attacker's side.
This case shows that even phishing-resistant authentication methods can be bypassed if the user can be persuaded to complete the login without physically interacting with their key.
