It’s like you can’t even send someone a Wikipedia entry for “lemmatization” anymore…
When Keegan Keplinger passed along the definition of the machine-learning term to a colleague, the cybersecurity pro sent more than he expected: an extra link, a surprise that he sees as one more plaything for hackers.
“It’s just another way to get more traffic driving to your malware,” Keplinger told IT Brew.
The cybersecurity pro discovered that when text is pasted into the popular chat platform Slack, a second paragraph that starts with a word that is also a top-level domain, like "in," "at," or "us," can be run together with the end of the first paragraph and turned into an automatic hyperlink, a potential lure for a dedicated hacker, according to Keplinger, senior threat researcher at the cybersecurity services firm eSentire, who wrote about the findings in October.
The researcher hasn’t seen any “Wiki-Slack” attacks yet, but clever browser-driven attacks are on the rise, pushing security-awareness and anti-phishing training to move beyond the inbox and into other everyday online platforms.
“The security community has done a great job of blocking malicious email attachments. They’re not a non-existent threat. But they’ve reduced quite a bit. And now the majority of threats we’re seeing are actually browser-based,” Keplinger told IT Brew.
Social engineering has taken on more of a web look lately, at least according to a Q1 2023 report from the cybersecurity company Netskope, which called social engineering a "dominant" malware technique, with "attackers abusing search engines, email, collaboration apps, and chat apps to trick their victims into downloading Trojans."
Over one-half (55%) of this year’s first-quarter HTTP/HTTPS malware downloads came from popular cloud apps, Netskope found, up from 35% for the same period one year earlier.
Keplinger and his team have seen a decrease in email-based attacks and an increase in browser-based attacks, including SEO-poisoning techniques, fake updates, and an array of malvertising.
“Watering-hole” web-based attacks have a way of laying a trap and waiting for targets to just appear.
“When you send a social engineering email, you’re typically sending it to one person, more or less, whereas when you start going down the route of browser-based social engineering, you can start covering a lot of ground,” said Rich Sowalsky, managing director of IT risk and cybersecurity advisory at Centri Business Consulting.
Here's how a Slack hack could go. According to the eSentire discovery, a threat actor could register a malicious domain whose name is spelled out by the text of a Wikipedia entry. The first half of the domain is the last word of paragraph one, as long as that first paragraph ends with a linked reference; when the text is pasted into Slack, that word, its trailing period, and the first word of the next paragraph are rendered as one domain-shaped token. The second half of the domain, the top-level domain ("in," "us," etc.), is the first word of paragraph two.
In the case of lemmatization, someone who registered the domain "form.in" could serve up bad code.
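To make the mechanics concrete, here is an added example (not code from Slack, eSentire, or Wikimedia) that models the join described above in JavaScript. Slack's real paste and link-preview handling is not public, so `simulatePaste` and `naiveLinkify` are assumptions about how a chat client might treat pasted text, not a description of Slack's implementation; `WORD_TLDS`, `findBoundaryDomains`, and the sample text (constructed to have the shape of the Wikipedia "lemmatization" entry) are likewise this example's own. The last function is the check a defender could run over text before it is rendered: it flags domain-shaped tokens that only exist because a sentence-ending word was joined to the first word of the next paragraph.

```javascript
// Added example, not Slack's, eSentire's or Wikimedia's code.
// Models the "Wiki-Slack" join: "...form.[1]" + paragraph break + "In ..."
// becomes "form.In", which a linkifier can read as the domain form.in.

// Constructed sample text, modelled on the shape of the Wikipedia entry:
// paragraph one ends with a citation marker, paragraph two starts with "In".
const SAMPLE = [
  "In linguistics, lemmatization is the process of grouping together the",
  "inflected forms of a word so they can be analysed as a single item,",
  "identified by the word's lemma, or dictionary form.[1]",
  "",
  "In computational linguistics, lemmatization is the algorithmic process",
  "of determining the lemma of a word based on its intended meaning.",
].join("\n");

// TLDs that are also ordinary English words. Assumption: a real check
// would load the full IANA root-zone list instead of this short set.
const WORD_TLDS = new Set([
  "in", "at", "us", "it", "me", "is", "to", "be", "so", "no", "by", "do",
]);

// Step 1: an assumed paste sanitiser. Citation markers such as "[1]" are
// dropped and the blank line between paragraphs is collapsed, so the
// trailing period of paragraph one lands directly against paragraph two.
function simulatePaste(text) {
  return text
    .replace(/\[\d+\]/g, "")        // strip "[1]"-style citation markers
    .replace(/\s*\n\s*\n\s*/g, "")  // collapse paragraph breaks: "form." + "In"
    .replace(/\n/g, " ");           // remaining single line breaks become spaces
}

// Step 2: a naive linkifier. Any "label.tld" whose tld is a known TLD is
// treated as a clickable domain and returned lower-cased.
function naiveLinkify(text) {
  const re = /\b([a-z0-9-]+)\.([a-z]{2,})\b/gi;
  const links = [];
  for (const m of text.matchAll(re)) {
    if (WORD_TLDS.has(m[2].toLowerCase())) {
      links.push(`${m[1]}.${m[2]}`.toLowerCase());
    }
  }
  return links;
}

// Step 3: the defender's check, run on the ORIGINAL text. For each
// paragraph boundary, take the last word of the paragraph (ignoring a
// trailing citation marker) and the first word of the next one; if the
// latter is a TLD, report the domain that a paste-and-linkify would create.
function findBoundaryDomains(originalText) {
  const findings = [];
  const paras = originalText.split(/\n\s*\n/);
  for (let i = 0; i + 1 < paras.length; i++) {
    const tail = paras[i].replace(/\[\d+\]\s*$/, "").trimEnd();
    const lastWord = tail.match(/([a-z0-9-]+)\.$/i);
    const firstWord = paras[i + 1].trimStart().match(/^([a-z]{2,})\b/i);
    if (lastWord && firstWord && WORD_TLDS.has(firstWord[1].toLowerCase())) {
      findings.push({
        paragraph: i + 1,
        domain: `${lastWord[1]}.${firstWord[1]}`.toLowerCase(),
      });
    }
  }
  return findings;
}

// Stand-alone run: show the join and the check on the constructed sample.
console.log(naiveLinkify(simulatePaste(SAMPLE)));  // domain(s) the linkifier would produce
console.log(findBoundaryDomains(SAMPLE));          // boundaries a defender should flag
```

The point of running the check on the original text rather than on the pasted result is that the artifact is only visible at the paragraph boundary; once the text has been flattened, "form.in" is indistinguishable from a deliberately typed domain, which is exactly the Slack objection quoted below.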
In an email response to IT Brew, a spokesperson for Slack said that its bug bounty program is critical, but at this time the company has no evidence of a vulnerability inherent to the platform.
“Because the same exploit could be achieved by sending malicious links directly to the victim, using Slack does not pose significant incremental risk in carrying out this attack. We have made note of this report’s finding and closed it as informative given the circumstances of this potential exploit,” wrote Larkin Ryder, senior director of product security, in a statement shared with IT Brew by PR rep Courtney Baldasare.
A Wikimedia Foundation spokesperson noted, through email, that the tactic is not limited to Wikipedia, citing eSentire's own finding that the same kind of hack works on the blogging site Medium.
“It could also potentially be accomplished on any other website that a perpetrator has access to. The issue lies in how URL previews are generated on Slack,” according to Andy Cooper, director of product security at the Wikimedia Foundation, via senior communications manager Lauren Dickinson.
Threat actors are moving away from email, said Keplinger, because email is highly scrutinized and many employees know the security-awareness basics of hovering over a link before clicking and comparing the sender's display name with the sender's email address.
“The spotlight’s kind of been on email. And we have to start shifting that spotlight and adapt [to] browser-based attacks,” said Keplinger.
In other words, awareness training for browser-based social engineering has to sit alongside the email-based kind. Is that a lemmatization? I don't know. Send me the Wiki page.
Correction 11/15/23: This story has been updated to reflect that Larkin Ryder provided the response from Slack, and that Andy Cooper provided the statement from Wikimedia.