Security researchers at eSentire are calling attention to a new method that attackers can use to redirect business professionals to malicious websites.
Described as the Wiki-Slack attack, the new technique uses modified Wikipedia pages and relies on a formatting error when the page is rendered in Slack.
To mount the attack, a threat actor would first need to select a Wikipedia article that might be of interest to an intended target, then modify it to add a legitimate footnote at the end of the first paragraph, and then share the article in Slack.
While the footnote itself is not malicious, the way Slack formats the shared page’s preview results in a link that is not visible on Wikipedia being rendered in the collaboration solution.
“Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lies in wait,” eSentire said in a note documenting the issue.
In addition to the reference at the end of the Wikipedia article’s first paragraph, the Wiki-Slack attack also requires that the first word of the second paragraph be a top-level domain (TLD) and that both conditions occur within the first 100 words of the article.
“This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack,” the researchers said.
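As an added illustration (not eSentire's or Slack's code), the following Python check flags pasted article text that meets the three preconditions above, so a paste filter or awareness tool can warn before the text is shared; the TLD allowlist and the sample article are constructed for the demo.

```python
import re
from typing import Optional

# Constructed allowlist of TLD labels for this demo; a real filter would load
# the full IANA root-zone list instead (an assumption, not from the article).
TLDS = {"com", "net", "org", "info", "io", "uk", "de", "us", "me", "co"}

# A Wikipedia footnote marker as it survives a plain-text copy, e.g. "[3]",
# anchored to the end of the paragraph.
FOOTNOTE_RE = re.compile(r"\[(?:note\s*)?\d+\]$")
WORD_RE = re.compile(r"[A-Za-z0-9]+")


def wiki_slack_precondition(text: str, word_limit: int = 100) -> Optional[dict]:
    """Flag pasted article text that meets the Wiki-Slack preconditions
    eSentire describes; return details of the match, or None.

    1. the first paragraph ends with a footnote reference such as "[3]";
    2. the first word of the second paragraph is a TLD label;
    3. both sit within the first `word_limit` words of the text.
    """
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]
    if len(paragraphs) < 2:
        return None
    first, second = paragraphs[0], paragraphs[1]
    footnote = FOOTNOTE_RE.search(first)
    if footnote is None:
        return None
    lead = WORD_RE.search(second)
    if lead is None or lead.group(0).lower() not in TLDS:
        return None
    # Words in paragraph 1 before the footnote marker; the TLD word is the next one.
    offset = len(WORD_RE.findall(first[: footnote.start()])) + 1
    if offset > word_limit:
        return None
    return {"footnote": footnote.group(0), "tld_word": lead.group(0), "word_offset": offset}


# Constructed sample mimicking a copied article: a footnote closes paragraph 1
# and paragraph 2 opens with "Net", which is also the .net TLD label.
SAMPLE = (
    "The Example Corporation is a fictional company used in documentation "
    "and training material.[1]\n\n"
    "Net revenue for the fictional year was reported as zero."
)

if __name__ == "__main__":
    print(wiki_slack_precondition(SAMPLE))
```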
The attack is essentially a numbers game, meaning that the attacker needs to modify as many Wikipedia pages as they can and register domains for them, to ensure they can eventually infect a target of interest.
Furthermore, eSentire warns that the attacker could leverage Wikipedia statistics to identify pages that generate high traffic and abuse those to mount the Wiki-Slack attack.
To increase their chances of success, a threat actor can perform background research on the target before mounting the attack to confirm that the target uses Slack, and can leverage ChatGPT or a similar Large Language Model (LLM) to scale the attack, eSentire points out.
A similar technique can be used with Medium articles as well, but using Wikipedia pages, which are more trusted than author-controlled Medium blogs, has higher chances of success, the researchers noted.
To prevent such attacks, organizations are advised to raise awareness around browser-based attacks leading to malware infections, employ endpoint monitoring, and build cyber resilience into their processes. eSentire says it has reported the identified issues to Slack.