Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack

Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack.

Security researchers at eSentire are calling attention to a new method that attackers can use to redirect business professionals to malicious websites.

Described as the Wiki-Slack attack, the new technique uses modified Wikipedia pages and relies on a formatting error when the page is rendered in Slack.

To mount the attack, a threat actor would first need to select a Wikipedia article that might be of interest to an intended target, then modify it to add a legitimate footnote at the end of the first paragraph, and then share the article in Slack.

While the footnote itself is not malicious, the way Slack formats the shared page’s preview results in a link that is not visible on Wikipedia being rendered in the collaboration solution.

“Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait,” eSentire said in a note documenting the issue.

In addition to the reference at the end of the Wikipedia article’s first paragraph, the Wiki-Slack attack also requires that the first word of the second paragraph is a top-level domain (TLD) and that the two conditions appear in the first 100 words of the article.

“This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack,” the researchers said.

The attack is essentially a numbers game, meaning that the attacker needs to modify as many Wikipedia pages as they can and register domains for them, to ensure they can eventually infect a target of interest.

Advertisement. Scroll to continue reading.

Furthermore, eSentire warns that the attacker could leverage Wikipedia statistics to identify pages that generate high traffic and abuse those to mount the Wiki-Slack attack, the researchers note.

To increase their chances of success, prior to mounting the attack, a threat actor can perform background research on the target, ensuring they use Slack, and can leverage ChatGPT or a similar Large Language Model (LLM) to scale the attack, eSentire points out.

A similar technique can be used with Medium articles as well, but using Wikipedia pages, which are more trusted than the author-controlled Medium blogs, has higher changes of success, the researchers noted.

To prevent such attacks, organizations are advised to raise awareness around browser-based attacks leading to malware infections, employ endpoint monitoring, and build cyber resilience into their processes. eSentire says it has reported the identified issues to Slack.

Related: US Government Releases Anti-Phishing Guidance

Related: US Executives Targeted in Phishing Attacks Exploiting Indeed Platform Flaw

Related: Google AMP Abused in Phishing Attacks Aimed at Enterprise Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights