
Wiki-slack attack: how business professionals are redirected to malicious websites

The risks of link manipulation: the new method of hijacking corporate communications

Security experts at eSentire have discovered a new attack called “Wiki-Slack,” which uses edits to Wikipedia pages to redirect Slack users to malicious websites containing malware. It is necessary to raise awareness among companies about this type of attack and integrate cyber resilience into business processes.


Security experts at eSentire have revealed a new method through which attackers can divert business professionals to malicious websites. Known as the Wiki-Slack attack, this technique relies on modified Wikipedia pages and exploits a formatting error that occurs when the page is viewed on Slack.

Attack mode

To carry out the attack, threat actors select a Wikipedia article that may be of interest to the target, modify it by adding a legitimate footnote at the end of the first paragraph, and share the article on Slack. Although the note itself is not harmful, viewing the shared page on Slack causes a formatting error that displays, inside the collaboration tool, a link that is not present on Wikipedia.

How the attack works

Once a business professional copies and pastes that Wikipedia entry into a Slack channel, the malicious link appears. If the grammar around the link is sufficiently well crafted, Slack users are tricked into clicking it, leading them to an attacker-controlled website where browser-based malware is hiding. This attack requires that the reference at the end of the first paragraph of the Wikipedia article be carefully placed and that the first word of the second paragraph be a top-level domain (TLD). Additionally, the two conditions must appear in the first 100 characters of the article.
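A defender-side check for the three conditions listed above, added here as an example (it is not eSentire's or Slack's code). It assumes the article text is available as a list of plain-text paragraphs, that footnotes appear as bracketed numbers such as `[1]`, and that the 100-character window is counted from the start of the article; the TLD set is a small sample and the article text is constructed.

```python
import re

# Sample subset of real TLDs that are also common English words (not exhaustive).
WORD_TLDS = {"in", "at", "it", "is", "to", "me", "so", "be", "as", "no", "us", "by", "my", "do"}

# Assumption: a footnote marker is rendered as "[n]" at the very end of the paragraph.
FOOTNOTE_AT_END = re.compile(r"\[\d+\]\s*$")


def check_article(paragraphs, window=100):
    """Report whether an article opening matches the Wiki-Slack preconditions."""
    if len(paragraphs) < 2:
        return {"flagged": False, "first_word": ""}
    first = paragraphs[0].rstrip()
    second = paragraphs[1].lstrip()

    # Condition 1: the first paragraph ends with a footnote reference.
    has_footnote = FOOTNOTE_AT_END.search(first) is not None

    # Condition 2: the first word of the second paragraph is a TLD.
    match = re.match(r"[A-Za-z]+", second)
    first_word = match.group(0).lower() if match else ""
    starts_with_tld = first_word in WORD_TLDS

    # Condition 3: both fall inside the first `window` characters.
    # The paragraph break is counted as one character (assumption).
    end_offset = len(first) + 1 + len(first_word)
    within_window = end_offset <= window

    return {
        "flagged": has_footnote and starts_with_tld and within_window,
        "first_word": first_word,
        "footnote_ends_first_paragraph": has_footnote,
        "second_paragraph_starts_with_tld": starts_with_tld,
        "within_window": within_window,
    }


# Constructed sample openings, not taken from any real article.
SAMPLE_FLAGGED = ["The Example Widget is a constructed sample topic.[1]",
                  "In practice it is used for testing."]
SAMPLE_CLEAN = ["The Example Widget is a constructed sample topic.",
                "Widgets are used for testing."]

if __name__ == "__main__":
    for name, sample in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, check_article(sample))
```

A flagged result is only a prompt to review the article's recent edit history before the link is shared further.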

Prevention and advice

To prevent such attacks, it is advisable to raise awareness among organizations about browser-based attacks that can lead to malware infection. Furthermore, it is recommended to use endpoint monitoring and integrate cyber resilience into business processes. eSentire says it reported the identified issues to Slack.


10/30/2023 14:08

Marco Verro
