
How Modified Wikipedia Pages Can Be Exploited for Slack Redirection Attacks


Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack

In a new report, security researchers at eSentire have uncovered a concerning technique that attackers can use to redirect business professionals to malicious websites. Known as the Wiki-Slack attack, this method involves modifying Wikipedia pages and exploiting a formatting error within the Slack platform to render a link, one that is not visible on Wikipedia itself, that leads users to attacker-controlled websites.

How the Attack Works

The Wiki-Slack attack begins with the threat actor selecting a Wikipedia article that may be of interest to their intended target. They then modify the article by adding a legitimate footnote at the end of the first paragraph. When the modified article is shared in a Slack channel, the formatting error causes Slack to render a link that is invisible on Wikipedia but visible within the collaboration tool.

Once a user copies and pastes the Wikipedia entry into a Slack channel, the malicious link is rendered. Crafted with convincing grammar, the link entices users to click and unknowingly directs them to an attacker-controlled website containing browser-based malware.

There are specific conditions that must be met for the Wiki-Slack attack to work. Firstly, the modification must include a legitimate footnote at the end of the first paragraph. Additionally, the first word of the second paragraph must be a top-level domain (TLD), and both conditions must appear within the first 100 words of the article. This triggers Slack to mishandle the whitespace between the paragraphs and generate a new link spontaneously.
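A defender-side check for the three conditions listed above, as an added example that is not code from eSentire's report or from this article. It assumes the article is available as plain text with a blank line between paragraphs and footnotes written as `[n]`; the function name, the short TLD subset and the sample texts are constructed for illustration.

```python
import re

# Assumption: a short, illustrative subset of real country-code TLDs that are
# also common English words; a production check would use the full IANA list.
WORD_TLDS = {"in", "at", "is", "it", "me", "so", "to", "us", "be", "no", "as", "my", "by", "do"}
FOOTNOTE_AT_END = re.compile(r"\[\d+\]\s*$")   # assumed plain-text footnote form: [n]
WORD_LIMIT = 100                                # "first 100 words" per the article


def wiki_slack_preconditions(text):
    """Check plain article text (blank line between paragraphs) for the three
    conditions described above. Returns (flagged, reasons)."""
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", text) if p.strip()]
    if len(paragraphs) < 2:
        return False, ["fewer than two paragraphs"]
    first, second = paragraphs[0], paragraphs[1]
    reasons = []

    # Condition 1: the first paragraph ends with a footnote marker.
    if not FOOTNOTE_AT_END.search(first):
        reasons.append("first paragraph does not end with a footnote")

    # Condition 2: the first word of the second paragraph is a TLD.
    m = re.match(r"[A-Za-z]+", second)
    if not (m and m.group(0).lower() in WORD_TLDS):
        reasons.append("second paragraph does not start with a TLD word")

    # Condition 3: both fall inside the first WORD_LIMIT words of the article.
    position = len(first.split()) + 1   # word index of the second paragraph's first word
    if position > WORD_LIMIT:
        reasons.append(f"paragraph boundary at word {position}, past {WORD_LIMIT}")

    return (not reasons), reasons or ["all three conditions met: review before sharing"]


# Constructed sample inputs (not real Wikipedia text).
SAMPLE_MATCH = ("The harbour was rebuilt after the storm and reopened the next spring.[4]\n\n"
                "In later years the port handled mostly freight.")
SAMPLE_NO_FOOTNOTE = SAMPLE_MATCH.replace("[4]", "")
SAMPLE_TOO_LATE = " ".join(["word"] * 120) + ".[2]\n\nIn later years nothing changed."

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH", "SAMPLE_NO_FOOTNOTE", "SAMPLE_TOO_LATE"):
        print(name, wiki_slack_preconditions(globals()[name]))
```

A flagged result only means the article's opening has the layout the report describes; whether the edit is malicious still has to be judged from the page history and the rendered link target.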

Exploiting Trust and Leveraging Statistics

The Wiki-Slack attack relies on the trust users place in Wikipedia as a reputable source of information. By manipulating and modifying Wikipedia articles, threat actors can exploit this trust and increase the chances of users falling victim to the attack.

Furthermore, eSentire warns that attackers could potentially leverage Wikipedia statistics to identify highly trafficked pages and use them as targets for the Wiki-Slack attack.

Background Research and Scaling the Attack

To increase the chances of success, threat actors can perform background research on their targets to ensure they use Slack. They can also leverage ChatGPT or similar Large Language Models (LLMs) to scale the attack. This allows them to automate the modification of Wikipedia articles and maximize the number of potential targets.

Protection and Prevention

To protect against Wiki-Slack attacks and similar browser-based attacks, organizations are advised to raise awareness among their employees. Educating users about the risks of clicking on unfamiliar links and the importance of verifying sources can help prevent them from falling victim to these attacks.

In addition to user awareness, organizations should employ endpoint monitoring to detect any unusual or malicious activity on their devices. Building cyber resilience into processes and systems is also crucial, ensuring that even if an attack is successful, the organization can recover and mitigate any potential damage.

In response to this discovery, eSentire has reported the identified issues to Slack, urging the platform to take action and address these vulnerabilities.

Conclusion

The Wiki-Slack attack showcases the continued ingenuity and adaptability of cybercriminals. By exploiting formatting errors and user trust in reputable sources like Wikipedia, attackers have found a new way to target business professionals using collaboration tools like Slack. As the threat landscape evolves, it is crucial that individuals and organizations remain vigilant and proactive in their cybersecurity practices. Staying informed, implementing robust security measures, and educating employees are key steps in preventing and mitigating attacks like the Wiki-Slack technique.
