PoisonSeed: The Sophisticated Phishing Attack Downgrading FIDO2 MFA Security
For years, cybersecurity professionals have championed FIDO2 and WebAuthn as the gold standard for multi-factor authentication (MFA). Based on public-key cryptography and often utilizing hardware security keys or biometrics, FIDO2 was designed to be fundamentally resistant to traditional phishing attacks. However, a sophisticated new phishing campaign, dubbed “PoisonSeed,” demonstrates that even the strongest defenses can be undermined through clever social engineering.
This attack doesn’t break the FIDO2 protocol itself. Instead, it exploits the human element by tricking users into abandoning their secure authentication method in favor of a weaker, more vulnerable one.
Understanding the FIDO2 Advantage
Before diving into the attack, it’s crucial to understand why FIDO2 is so secure. Unlike one-time passwords (OTPs) sent via SMS or generated by an app, FIDO2 authentication binds a user’s login to a specific website. When you try to log in, your browser and security key (like a YubiKey) or biometric scanner perform a cryptographic challenge.
This process ensures two things:
- You are a legitimate user because you possess the physical key or required biometric data.
- You are on the legitimate website, as your key will not authenticate to a fraudulent domain.
This origin-binding makes FIDO2 inherently resistant to traditional phishing, where attackers use fake websites to steal credentials.
How the PoisonSeed Attack Downgrades Your Security
The PoisonSeed campaign is a classic example of an adversary-in-the-middle (AiTM) attack combined with a clever downgrade strategy. The attackers aren’t trying to steal your FIDO2 key; they’re trying to convince you not to use it.
Here’s a step-by-step breakdown of how the attack unfolds:
The Bait: The attack begins with a meticulously crafted phishing email. These emails are designed to create a sense of urgency, often warning of a security alert, a required policy update, or a file-sharing notification that prompts the user to log into their corporate account.
The Fake Portal: The link in the email directs the victim to a pixel-perfect replica of their organization’s real login page. The attacker’s server sits between the user and the real service, proxying the connection and capturing everything the user types.
The Deliberate FIDO2 Failure: The user enters their username and password, which the attacker captures. The fake site then attempts to initiate the FIDO2 authentication prompt. However, because the domain of the fake site does not match the domain registered with the user’s security key, the authentication will fail. The user’s browser might show an error, or the prompt might simply not work as expected.
The Social Engineering Pivot: This is the most critical stage of the attack. Instead of a technical failure, the user is presented with a professionally designed, fake error message on the phishing site. This message might say something like, “Authentication with your security key has failed. Please try an alternative method,” or “FIDO2 is currently unavailable. Please log in with a one-time password from your authenticator app.”
The Downgrade and Compromise: Frustrated or simply wanting to complete the login, the user follows the prompt. They open their authenticator app, generate a TOTP (Time-based One-Time Password), and enter it into the fake portal. The attacker immediately captures the username, password, and the valid TOTP and uses them to log into the real service before the code expires. From there, they can establish persistence, steal data, and move laterally within the network.
Why This Attack is So Effective
The genius of the PoisonSeed attack lies in its exploitation of user psychology. It leverages:
- Trust: The fake login page and error messages look legitimate.
- Frustration: When a high-tech solution like FIDO2 fails, users are more likely to fall back to a familiar, “simpler” method.
- Plausibility: Proposing an alternative MFA method seems like a reasonable troubleshooting step, not a security red flag.
This campaign highlights that the security of a system is not just about its strongest link, but also about the availability of its weakest ones. If a less secure fallback option exists, attackers will focus their efforts on tricking users into choosing it.
How to Protect Yourself and Your Organization
Defending against downgrade attacks like PoisonSeed requires a combination of technical controls and user awareness.
Enforce FIDO2-Only Policies: The most effective technical defense is to disable weaker MFA methods for privileged accounts and critical applications. If FIDO2 is the only option available, the downgrade attack is stopped in its tracks. There is no weaker method to fall back to.
Intensive User Training: Educate users on the nature of downgrade attacks. They must be taught that any website prompting them to switch from a security key to a password or OTP is a massive red flag. Employees should be trained to stop, scrutinize the URL, and report the incident immediately.
Always Verify URLs: Reinforce the classic security advice: before entering any credentials, double-check that the URL in the address bar is correct and does not contain any misspellings or unusual characters.
Conditional Access Policies: Implement access policies that scrutinize login attempts for anomalies. A login from an unrecognized location or a non-compliant device should be blocked or trigger a higher level of scrutiny, even with valid credentials.
Ultimately, PoisonSeed serves as a critical reminder: as our defenses evolve, so do our adversaries. While FIDO2 remains one of the most powerful tools for securing digital identities, it cannot be implemented in a vacuum. It must be supported by strict security policies and a vigilant, well-informed user base.
Source: https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/
