Cybersecurity experts from eSentire Threat Response Unit have uncovered an attack technique targeting corporate Slack users, aptly termed ‘Wiki-Slack.’
Malicious actors ingeniously select a topic of potential interest on Wikipedia, navigate to the main page of the relevant article, and subtly modify it. The cunning ploy involves embedding a seemingly legitimate footnote link. Under specific circumstances, when this Wikipedia article is copied and pasted into a corporate Slack channel, the messenger generates a link that was not originally in the text.
The Wiki-Slack attack starts when a Wikipedia link is shared in Slack under three conditions:
- The Wikipedia link must contain a reference at the end of the first paragraph.
- The first word of the second paragraph in the Wikipedia article must be a top-level domain (TLD) such as in, at, com, net, us, etc.
- The above two conditions must appear in the first 100 words of the Wikipedia article.
Due to Slack’s text formatting peculiarities, it mistakenly processes the inter-paragraph break, conjuring a hyperlink where one shouldn’t exist. These modifications are entirely within legal bounds, making this strategy exceedingly advantageous for fraudsters.
“Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait,” eSentire said.
The team at eSentire observes that adversaries might harness Wikipedia’s traffic statistics to pinpoint the most frequented pages. These spurious links can serve as conduits for phishing schemes or malware dissemination.
According to the researchers, the scale of such incursions can be effortlessly amplified using linguistic models like GPT-3. They ardently advise businesses to exercise vigilance and deploy endpoint monitoring tools to detect and thwart impending threats.
