Threat actors can use a novel attack technique, dubbed Wiki-Slack, to run a redirection campaign against Slack users.
The technique exploits a formatting error in how Slack renders Wikipedia content in order to redirect business professionals to malicious websites. An attacker first selects a Wikipedia article likely to interest the intended victim. They then edit the article, appending a legitimate footnote to the end of its first paragraph, and share it in a Slack channel.
The added footnote is not itself malicious, but the way Slack presents the page preview causes a hidden link that does not exist on Wikipedia to materialise in the collaboration platform. The same thing happens when a business professional copies the Wikipedia text and pastes it into a Slack channel: the malicious link becomes visible there.
Slack users are likely to click such a link because the surrounding text, copied from a legitimate Wikipedia article, has none of the grammatical errors that usually raise suspicion. The link, however, leads to an attacker-controlled website where the threat actors host their malicious payload.
The Wiki-Slack attack needs a TLD to work
According to the researchers' investigation, the Wiki-Slack attack also requires that the first word of the article's second paragraph be a top-level domain (TLD), such as "in" or "at". Both conditions, the footnote at the end of the first paragraph and the TLD opening the second, must fall within the first 100 words of the article for the attack to work reliably.
With both in place, Slack mishandles the whitespace between the first and second paragraphs: the last word of the first paragraph, its trailing full stop and the TLD that opens the second paragraph run together into what looks like a domain name, and Slack inadvertently turns it into a clickable link.
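The two conditions above can be turned into a simple audit check. The following is an added example, not code from the original article or from the researchers who reported the attack. It assumes that the rendering defect drops the footnote marker and the paragraph break so that the last word of paragraph one, its full stop and the first word of paragraph two are concatenated, and it uses a constructed article and an abbreviated TLD list rather than real Wikipedia content or the full IANA root zone.

```python
import re

# Constructed, abbreviated TLD set for this example; a real audit would load
# the full IANA root-zone list instead.
TLDS = {"com", "net", "org", "in", "at", "it", "is", "to", "be", "us", "de", "uk", "me", "no"}

# "[3]" or "[3][4]" at the very end of a paragraph.
FOOTNOTE_RE = re.compile(r"(?:\[\d+\])+\s*$")
# A minimal stand-in for Slack's auto-linker: a label, a dot, an alphabetic TLD.
HOSTNAME_RE = re.compile(r"\b([a-z0-9-]+\.[a-z]{2,})\b", re.I)

# Constructed article text (not a real Wikipedia page). Paragraph one ends with a
# footnote, paragraph two opens with "In", and .in is a real TLD.
SAMPLE_ARTICLE = """\
Ashford Abbey is a ruined monastery on the eastern shore of the lake, roughly six miles from the town of Kessock.[3]

In 1540 the abbey was dissolved and its lands passed to the crown."""


def paragraphs(text):
    """Split on blank lines, which is how pasted Wikipedia text separates paragraphs."""
    return [p.strip() for p in re.split(r"\n\s*\n", text.strip()) if p.strip()]


def simulate_slack_join(text):
    """Model the rendering defect the article describes (assumed exact behaviour):
    the footnote marker and the paragraph break are dropped, so the last word of
    paragraph one runs straight into the first word of paragraph two."""
    paras = paragraphs(text)
    if len(paras) < 2 or not FOOTNOTE_RE.search(paras[0]):
        return text
    joined = FOOTNOTE_RE.sub("", paras[0]).rstrip() + paras[1]
    return "\n\n".join([joined] + paras[2:])


def linkified_hosts(rendered, tlds=TLDS):
    """Hostnames an auto-linker would turn into clickable links, restricted to known TLDs."""
    hosts = []
    for m in HOSTNAME_RE.finditer(rendered):
        host = m.group(1).lower()
        if host.rsplit(".", 1)[1] in tlds:
            hosts.append(host)
    return hosts


def wiki_slack_candidate(text, tlds=TLDS, word_limit=100):
    """Audit check: return the hostname an attacker would need to register, or None.

    Conditions from the write-up: paragraph one ends with a footnote marker, the
    first word of paragraph two is a TLD, and both occur within the first
    `word_limit` words of the article.
    """
    paras = paragraphs(text)
    if len(paras) < 2 or not FOOTNOTE_RE.search(paras[0]):
        return None
    body = FOOTNOTE_RE.sub("", paras[0]).rstrip()
    if not body.endswith("."):
        return None
    last_word = body[:-1].split()[-1]
    tld = paras[1].split()[0].strip(".,;:").lower()
    if tld not in tlds or len(body.split()) + 1 > word_limit:
        return None
    host = f"{last_word}.{tld}".lower()
    # Only a clean label can be linkified; punctuation inside the last word breaks the link.
    return host if re.fullmatch(r"[a-z0-9-]+\.[a-z]+", host) else None


if __name__ == "__main__":
    print(wiki_slack_candidate(SAMPLE_ARTICLE))                  # kessock.in
    print(linkified_hosts(simulate_slack_join(SAMPLE_ARTICLE)))  # ['kessock.in']
```

Run against a set of articles, `wiki_slack_candidate` yields the exact domains that would have to be registered for the attack to succeed, which is a useful list to block or to watch for in link-click telemetry; `simulate_slack_join` plus `linkified_hosts` shows why the TLD requirement exists, since a second paragraph opening with an ordinary word such as "The" produces "Kessock.The", which no linker treats as a hostname.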
The attack's success relies on scale: the attacker must edit many Wikipedia pages and register the corresponding domains to ensure that a target is eventually compromised. Attackers could also use Wikipedia's page-view statistics to identify high-traffic articles and launch the Wiki-Slack attack from those.
Threat actors may further research their targets to confirm that they use Slack, improving the odds of success, and could use ChatGPT or a similar large language model (LLM) to scale the attack.
Organisations should raise awareness of browser-based attacks that can lead to malware infection, deploy endpoint monitoring, and build cyber resilience into their processes to defend against this campaign. A practical check is to treat any link that appears in Slack but not on the source Wikipedia page as suspicious, and to flag clicks on newly registered domains in proxy or endpoint telemetry.