
PoisonSeed Hackers Bypass FIDO Keys with QR Phishing and Cross-Device Sign-In Abuse

Updated: Jul 22, 2025

A sophisticated new phishing campaign, attributed to the PoisonSeed threat group, has been uncovered, demonstrating a novel method to bypass FIDO (Fast IDentity Online) key protections. This attack leverages QR code phishing and abuses the legitimate cross-device sign-in feature, tricking users into unknowingly authenticating malicious sessions.

PoisonSeed's Deceptive Tactics Unveiled

Cybersecurity researchers have detailed how PoisonSeed exploits a legitimate FIDO feature, cross-device sign-in, to downgrade authentication security. Instead of directly compromising FIDO's cryptographic protections, the attackers manipulate the user into approving an authentication request for a session the attackers themselves initiated.

How the Attack Unfolds

The PoisonSeed attack chain is meticulously designed to deceive users:

  1. Initial Phishing Lure: The attack begins with a phishing email directing victims to a fake login page, often mimicking legitimate enterprise portals like Okta or Microsoft 365. These malicious sites may use reputable infrastructure services like Cloudflare to appear more trustworthy.

  2. Credential Relay: When a user enters their credentials on the spoofed site, the attackers' adversary-in-the-middle (AiTM) backend silently relays this information to the genuine login portal in real-time.

  3. Cross-Device Sign-In Request: Crucially, the phishing site then instructs the legitimate login portal to initiate a cross-device sign-in. This feature allows users to authenticate on one device using a security key or app on another, often via a QR code.

  4. QR Code Interception and Presentation: The legitimate portal generates a QR code for this cross-device authentication. The phishing site intercepts this genuine QR code and displays it to the unsuspecting victim.

  5. Unwitting Authentication: When the user scans this QR code with their mobile authenticator app, they inadvertently approve the login attempt initiated by the attacker, granting them unauthorized access to the account.

Key Takeaways

  • PoisonSeed bypasses FIDO key protection by tricking users into scanning malicious QR codes.

  • The attack exploits the cross-device sign-in feature by intercepting authentication between users and login portals.

  • This method does not exploit a flaw in FIDO implementation but abuses a legitimate feature to downgrade the authentication process.

Mitigating the Threat

While FIDO keys remain a strong defense against phishing, organizations must implement additional measures to counter this evolving threat:

  • Enforce Proximity Checks: Where possible, mandate Bluetooth-based authentication for cross-device sign-ins. This significantly reduces the effectiveness of remote phishing attacks.

  • Monitor Authentication Logs: Regularly audit authentication logs for suspicious activity, including:
      ◦ Cross-device sign-in requests from unusual geographic locations.
      ◦ Unexpected FIDO key registrations.
      ◦ Multiple keys registered in rapid succession.

  • User Education: Continuously educate users about the dangers of phishing, especially those involving QR codes and requests for cross-device authentication.

  • Account Recovery Security: Ensure that account recovery options also utilize phishing-resistant methods, as a weak recovery process can undermine overall security.

  • Device Verification: Pair FIDO2 authentication with checks that verify the device being used, and encourage logins to happen on the same device holding the passkey when feasible.
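The three log indicators listed under "Monitor Authentication Logs" can be turned into a small detection pass. The following is an added example, not code from BetterWorld Technology or from any of the cited sources: the log format, the event names (cross_device_signin, fido_key_registered, login), the per-user country baseline and the ten-minute burst window are all assumptions chosen for illustration, and the log lines are constructed sample data. In practice the parser would be replaced with a reader for your identity provider's export (Okta System Log, Entra ID sign-in logs, and so on).

```python
"""
Added example: flag the three log patterns the post lists as indicators of a
PoisonSeed-style cross-device sign-in abuse. Event schema, field names, the
country baseline and the burst window are assumptions for this example; the
log lines below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line:
#   ISO timestamp  user  event_type  source_country
SAMPLE_LOG = """\
2025-07-21T08:02:11Z alice cross_device_signin US
2025-07-21T08:05:40Z alice login US
2025-07-21T09:15:02Z bob cross_device_signin RO
2025-07-21T09:15:30Z bob login RO
2025-07-21T09:16:10Z bob fido_key_registered RO
2025-07-21T09:18:45Z bob fido_key_registered RO
2025-07-21T10:30:00Z carol fido_key_registered DE
"""

# Assumed per-user baseline: countries normally seen for that account.
BASELINE = {
    "alice": {"US"},
    "bob": {"US", "CA"},
    "carol": {"DE"},
}


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "kind": kind,
            "country": country,
        })
    return events


def detect(events, baseline, burst_window=timedelta(minutes=10), burst_count=2):
    """Return a list of (rule, user, timestamp) alerts.

    Rules (one per indicator in the post):
      cross_device_unusual_geo   - cross-device sign-in from a country not in
                                   the user's baseline
      unexpected_key_registration - FIDO key registered from a country not in
                                   the user's baseline
      rapid_key_registrations    - burst_count or more key registrations for
                                   one user inside burst_window
    """
    alerts = []
    recent_registrations = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        usual = baseline.get(ev["user"], set())
        unusual_geo = ev["country"] not in usual

        if ev["kind"] == "cross_device_signin" and unusual_geo:
            alerts.append(("cross_device_unusual_geo", ev["user"], ev["ts"]))

        if ev["kind"] == "fido_key_registered":
            if unusual_geo:
                alerts.append(("unexpected_key_registration", ev["user"], ev["ts"]))
            recent = recent_registrations[ev["user"]]
            recent.append(ev["ts"])
            # Drop registrations that fell out of the sliding window, then
            # flag the registration that completes a burst.
            recent[:] = [t for t in recent if ev["ts"] - t <= burst_window]
            if len(recent) >= burst_count:
                alerts.append(("rapid_key_registrations", ev["user"], ev["ts"]))

    return alerts


def run_sample():
    """Run the detector over the constructed log; used by the demo below."""
    return detect(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {user:6} {rule}")
```

On the constructed log only "bob" trips the rules: a cross-device sign-in from a country outside his baseline, followed by two key registrations from that same country within a few minutes. The geography baseline is deliberately simple; a production version would derive it from the user's sign-in history rather than a static table, and would treat a new key registered shortly after an unusual cross-device sign-in as the highest-priority alert, since that sequence matches the persistence step a successful session hijack would take.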

This attack underscores the ongoing arms race between threat actors and cybersecurity defenders, highlighting the need for continuous vigilance and adaptive security strategies. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse, The Hacker News.

  • New PoisonSeed Attack Let Attackers Trick Users into Scanning a QR Code with an MFA Authenticator, CyberSecurityNews.

  • PoisonSeed Attack Tricks Users into Scanning Malicious MFA QR Codes, GBHackers News.

  • Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack, BleepingComputer.
