New PoisonSeed Attack Lets Attackers Trick Users into Scanning a QR Code with an MFA Authenticator

A sophisticated new attack technique compromises Fast IDentity Online (FIDO) key authentication by exploiting cross-device sign-in features. 

The PoisonSeed attack group has developed a method to downgrade FIDO key protections through adversary-in-the-middle (AitM) phishing campaigns that trick users into scanning malicious QR codes with their MFA authenticators. 

This development represents a significant escalation in identity-based attacks, which now account for 66.2% of security incidents according to recent threat intelligence reports.

Key Takeaways
1. PoisonSeed tricks users into scanning malicious QR codes to bypass FIDO key protection.
2. Exploits cross-device sign-in by intercepting authentication between users and login portals.
3. Enable Bluetooth requirements and monitor authentication logs for suspicious activity.

How the PoisonSeed Attack Works

Expel reports that the attack begins with a conventional phishing email directing targets to fraudulent login pages that mimic legitimate authentication portals, such as fake Okta interfaces hosted on suspicious domains like okta[.]login-request[.]com. 

When users with FIDO key protection enter their credentials on these phishing sites, attackers automatically relay the stolen username and password to the legitimate login portal while simultaneously requesting cross-device sign-in functionality.

The malicious actors exploit the cross-device sign-in feature by capturing the QR code generated by the legitimate authentication system and displaying it to victims on the fake phishing page. 

This technique effectively bypasses the physical interaction requirement typically associated with FIDO keys: the sign-in was actually initiated from the attacker's browser session, but the user unknowingly completes it by scanning the relayed QR code with their mobile MFA authenticator application.

Cross-device sign-in functionality was designed to help users authenticate on systems without registered passkeys by utilizing additional enrolled devices, typically mobile phones with MFA authenticator applications. 

Under normal circumstances, this process involves secure communication between the login portal and the MFA authenticator to verify user identity. 

However, PoisonSeed attackers have weaponized this legitimate security feature by positioning themselves as intermediaries in the authentication flow.

The attack leverages reputable infrastructure services like Cloudflare to host phishing domains such as aws-us3-manageprod[.]com, lending false credibility to the malicious sites. 

This infrastructure choice helps the fraudulent login pages appear more trustworthy to potential victims, increasing the likelihood of successful credential harvesting.

Mitigations

Despite these attacks, FIDO keys remain valuable security investments, though organizations must now audit authentication logs more carefully for suspicious activity. 

Security teams should monitor for cross-device sign-in requests from unusual geographic locations, unexpected FIDO key registrations, and multiple keys registered in rapid succession.
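The indicators listed above can be checked mechanically. The following added example (not code from Expel or from the original article) runs that detection logic over a few constructed authentication events in a simplified, hypothetical log schema: it flags cross-device sign-ins from a country outside a user's baseline, several FIDO key registrations in rapid succession, and a new FIDO key registered shortly after an unusual-location cross-device sign-in. The event type names and the baseline table are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not Okta's real
# System Log format): each event has a user, type, UTC timestamp and source country.
EVENTS = [
    {"user": "alice", "type": "user.authentication.cross_device", "ts": "2025-07-17T09:00:00", "country": "US"},
    {"user": "alice", "type": "user.authentication.cross_device", "ts": "2025-07-17T09:05:00", "country": "RU"},
    {"user": "alice", "type": "user.mfa.factor.activate.fido", "ts": "2025-07-17T09:06:30", "country": "RU"},
    {"user": "alice", "type": "user.mfa.factor.activate.fido", "ts": "2025-07-17T09:08:10", "country": "RU"},
    {"user": "bob", "type": "user.authentication.cross_device", "ts": "2025-07-17T10:00:00", "country": "US"},
]

# Per-user baseline of countries normally seen for that account (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US"}}

CROSS_DEVICE = "user.authentication.cross_device"   # hypothetical event type
FIDO_ENROLL = "user.mfa.factor.activate.fido"       # hypothetical event type

def find_suspicious(events, baseline, window=timedelta(minutes=10), min_enrollments=2):
    """Return (user, reason) findings for the indicators named in the article."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        # 1. Cross-device sign-in from a country outside the user's baseline.
        for e in evs:
            if e["type"] == CROSS_DEVICE and e["country"] not in known:
                findings.append((user, f"cross-device sign-in from unusual country {e['country']}"))
        # 2. Several FIDO key registrations within one sliding time window.
        enrolls = [datetime.fromisoformat(e["ts"]) for e in evs if e["type"] == FIDO_ENROLL]
        for i, t in enumerate(enrolls):
            if len([u for u in enrolls[i:] if u - t <= window]) >= min_enrollments:
                findings.append((user, f"{min_enrollments}+ FIDO registrations within {window}"))
                break
        # 3. New FIDO key registered shortly after an unusual-location cross-device sign-in.
        odd_logins = [datetime.fromisoformat(e["ts"]) for e in evs
                      if e["type"] == CROSS_DEVICE and e["country"] not in known]
        for t in enrolls:
            if any(0 <= (t - l).total_seconds() <= window.total_seconds() for l in odd_logins):
                findings.append((user, "FIDO registration shortly after unusual cross-device sign-in"))
                break
    return findings

if __name__ == "__main__":
    for user, reason in find_suspicious(EVENTS, BASELINE):
        print(f"[ALERT] {user}: {reason}")
```

On the constructed events, alice triggers all three indicators and bob triggers none.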

A critical defensive measure involves enabling Bluetooth communication requirements between the mobile device and the unregistered system during cross-device sign-in: because the attacker's relaying machine is not physically near the victim's phone, the proximity check fails, which would reduce AitM attack effectiveness to nearly zero. 

Organizations should also review authentication devices associated with compromised accounts, terminate affected user sessions, and reset passwords when incidents are detected.
