Beware FIDO-Downgrade Attacks Bypassing Phishing Defenses

Proof-of-Concept Attack Demonstrates FIDO Downgrade Against Microsoft Entra ID


A bulwark against credential-stealing phishing attacks has an implementation chink that’s poised for commoditization by cybercriminals, say security researchers in news that’s good for phishing-as-a-service providers but terrible for everyone else.


The digital underground has long offered phishing kits to low-level cybercrooks who prefer easy ways to manipulate victims into giving up logon credentials. PhaaS toolkits are available for a one-time fee or by subscription. In the first half of this year, about 60% to 70% of all phishing attacks originated from the toolkits, with many offering one-click attack setup and easy automation, and regular improvements to make them more effective.

Expect those toolkits to soon also offer the ability to sidestep FIDO – for Fast Identity Online – authentication passkeys, warns Yaniv Miron, a researcher at cybersecurity firm Proofpoint.

Devices, apps or websites equipped with the FIDO standard store a public cryptographic key tied to an individual account holder. Users authenticate with the private half of the key pair, which stays on their device or a USB security key and is unlocked with a PIN code, a biometric identifier, or a press of the key’s button.

Most phishing attacks rely on a phishlet, “a configuration file or template used by phishing kits to define the impersonation of legitimate websites and interception of user credentials and session tokens,” Miron said. Those adversary-in-the-middle tactics trick a target into visiting a lookalike website and capture, in real time, the user’s credentials, including any multifactor authentication code they supply.

Phishlets typically fail when they encounter FIDO-based authentication, since they lack the public key needed to complete login.

But there’s a way to circumvent the hard wall of public-private key pairs. Namely, attackers can forcibly downgrade the authentication method to a less-secure method, grab credentials and proceed with their account takeover.

Proofpoint hasn’t yet seen any FIDO-defeating phishing kit attacks in the wild, but expects to see them emerge since adding this capability is, technically speaking, very feasible.

As a proof of concept, the Proofpoint researchers developed a plug-in for the Evilginx PhaaS toolkit that can be used against users of Microsoft Entra ID, a cloud-based identity and access management service. The plug-in claims that the FIDO authentication method is invalid and directs users to proceed with a less-secure approach. If the user does so, the attackers can intercept their credentials, including a one-time passcode.

The downgrade attack relies on system administrators having authorized some type of backup authentication method, which they typically do. “This tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery,” Miron said.

FIDO-based authentication “is so good the only way to [get] around it is to trick someone into not using it,” said Brian Clark, a cybersecurity professional, in a post to social network Mastodon. To mitigate the downgrade-attack risk, he said administrators can delete all non-FIDO backup methods. He also advised setting conditional policies for accessing especially sensitive applications, which restrict access to FIDO authentication only, or from a managed and locked-down device.

PhaaS platforms have already “negated many technical barriers by offering attackers intuitive point-and-click interfaces that simplify the execution of phishing campaigns,” Miron said. Expect kit providers to eventually upgrade their offerings to provide FIDO-downgrade attacks.

Options abound and competition appears to remain fierce amongst top PhaaS toolkits. “The most widely used kit is Tycoon 2FA, accounting for 76% of the attacks,” Barracuda Networks said in a June report. “EvilProxy makes up about 8%, while Mamba 2FA and Sneaky 2FA together represent 6%.”

New kits also continue to debut, including Sniper Dz, Morphing Meerkat, Darcula and SessionShark, as well as more regionally focused options such as newcomer CoGUI, designed specifically to target Japanese organizations, it said.
