PoisonSeed Tricking Users Into Bypassing FIDO Keys With QR Codes

PoisonSeed group tricks users into bypassing FIDO Keys by misusing QR code logins, highlighting new social engineering risk to secure MFA.

HackRead

Security researchers at Expel have detailed a new phishing technique that sidesteps the protection offered by physical FIDO (Fast Identity Online) security keys. While the keys themselves remain uncompromised, attackers have figured out how to trick users into granting access by misusing a legitimate cross-device login feature.

The attackers didn’t need to break the FIDO security key itself. Instead, they relied on social engineering to get around it. They took advantage of the cross-device sign-in feature, which is meant to make FIDO more user-friendly, and used it against the victim.

**QR Code and Phishing Page**

It starts with the user visiting a fake login page and entering their credentials. The attacker uses those details to start a real login on the actual site, which then displays a QR code. The user sees that code and scans it with their MFA app, not realising they’ve just approved the attacker’s login.

The campaign was spotted during a phishing attack against an Expel customer. Victims were lured to a fake Okta login page that mimicked the company’s legitimate portal. Once users entered their credentials, the phishing site passed them to the real login system and requested a cross-device sign-in.

That system then displayed a QR code, which the phishing site captured and showed to the user. When scanned using their mobile MFA app, the user unknowingly approved the attacker’s session.

This approach bypasses the need for physical interaction with the FIDO key, which would normally be required to complete the login. It also shows how attackers continue to find new ways to work around even the most secure authentication systems, not by hacking the tech itself, but by exploiting the people using it.

**PoisonSeed**

According to Expel’s report shared with Hackread.com, the company suspects the group behind the attack is PoisonSeed, a known threat actor linked to phishing campaigns and cryptocurrency theft. Although the goal in this case was likely account access, the same technique could be applied to other types of phishing or data theft.

Expel also referenced a second incident where attackers used phishing to reset a user’s password and then registered their own FIDO key to the account. Unlike the QR code approach, this one didn’t rely on tricking the user further after the initial compromise. It was a direct takeover.

[Figure: Attack flow (via Expel)]

So what can be done? Expel recommends closely reviewing authentication logs for unusual activity, like logins from unexpected locations or rapid registration of multiple FIDO keys. Limiting geographic sign-in permissions and requiring Bluetooth proximity for cross-device authentication are also effective steps to reduce risk.
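The log review Expel recommends can be automated. The following is an added example, not code from Expel, HackRead or Okta: it runs three checks over a small constructed set of authentication events (the `ts`/`user`/`event`/`country`/`ip` schema is a simplification invented here, not Okta's real System Log format) and flags successful logins from countries outside an allow-list, several FIDO key registrations on one account inside a short window, and a FIDO key registered shortly after a password reset, which is the takeover pattern from the second incident.

```python
"""Detection heuristics for the signals named in the article: logins from
unexpected locations, rapid registration of multiple FIDO keys, and a key
registered right after a password reset. Added example; the event schema
is constructed for illustration and is not a real identity provider's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, documentation IP ranges).
SAMPLE_LOG = [
    {"ts": "2025-07-18T09:00:00Z", "user": "alice", "event": "login.success",
     "country": "US", "ip": "198.51.100.10"},
    {"ts": "2025-07-18T09:00:42Z", "user": "alice", "event": "login.success",
     "country": "NL", "ip": "203.0.113.7"},
    {"ts": "2025-07-18T10:15:00Z", "user": "bob", "event": "password.reset",
     "country": "US", "ip": "198.51.100.20"},
    {"ts": "2025-07-18T10:16:10Z", "user": "bob", "event": "fido.key.register",
     "country": "US", "ip": "203.0.113.9"},
    {"ts": "2025-07-18T10:17:05Z", "user": "bob", "event": "fido.key.register",
     "country": "US", "ip": "203.0.113.9"},
    {"ts": "2025-07-18T11:00:00Z", "user": "carol", "event": "fido.key.register",
     "country": "US", "ip": "198.51.100.30"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unexpected_location_logins(events, allowed_countries):
    """Successful logins whose country is not in the allow-list."""
    return [
        (e["user"], e["country"], e["ip"])
        for e in events
        if e["event"] == "login.success" and e["country"] not in allowed_countries
    ]


def rapid_fido_registrations(events, window_seconds=600, threshold=2):
    """Users with >= threshold FIDO key registrations inside a sliding window.
    Returns {user: max registrations seen in any single window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "fido.key.register":
            by_user[e["user"]].append(parse_ts(e["ts"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within window_seconds.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def registrations_following_reset(events, window_seconds=3600):
    """FIDO key registrations that follow a password reset on the same account
    within window_seconds. Returns [(user, seconds_after_reset), ...]."""
    window = timedelta(seconds=window_seconds)
    last_reset = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = parse_ts(e["ts"])
        if e["event"] == "password.reset":
            last_reset[e["user"]] = t
        elif e["event"] == "fido.key.register":
            reset_at = last_reset.get(e["user"])
            if reset_at is not None and t - reset_at <= window:
                hits.append((e["user"], int((t - reset_at).total_seconds())))
    return hits


if __name__ == "__main__":
    print("Logins outside allow-list:", unexpected_location_logins(SAMPLE_LOG, {"US"}))
    print("Rapid FIDO registrations:", rapid_fido_registrations(SAMPLE_LOG))
    print("Key registered after reset:", registrations_following_reset(SAMPLE_LOG))
```

On the sample data, alice's second login from NL, bob's two key registrations within a minute of each other, and both of bob's registrations landing within minutes of his password reset are flagged; carol's single registration is not. Thresholds and the allow-list are parameters so they can be tuned to an organisation's normal baseline.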

J Stephen Kowski, Field CTO at SlashNext, weighed in by pointing out that this isn’t a glitch in the system; it’s a deliberate misuse of a feature. “The technique is clever because it exploits the legitimate cross-device sign-in feature that makes FIDO keys more user-friendly,” he said, adding that attackers are now working around strong authentication rather than trying to break it.
