People need to be able to use their instincts in order to spot new phishing techniques, according to Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs. On the CyberWire’s Research Saturday podcast, Graves described a phishing technique that abuses webhooks in Slack to fool users into granting an attacker access to their Slack data.
An incoming webhook lets a third-party app post messages into a specific Slack channel by sending an HTTP request to a unique URL. Possession of that URL is the only authentication: anyone who knows it can post to the channel, so it has to be treated as a secret, the same as an API key. If an attacker finds a webhook URL that has leaked (for example in a public repository, a log file or a pasted config), they can craft a convincing message and deliver it straight into the target workspace, typically a link that asks the user to install and authorize a malicious Slack app. Once a user grants that app OAuth scopes, the app can read and exfiltrate data from the workspace.
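Because the URL is the whole credential, the practical control on the defender's side is to find webhook URLs before they leak (and strip them from logs and commits). The following is an added example written for this post, not code from the podcast or from Slack: a small scanner that matches Slack incoming-webhook URLs in arbitrary text, reports the team and channel identifiers and a redacted form, and can rewrite text with the secret portion removed. The regular expression assumes the commonly documented URL shape (`/services/<team id>/<channel id>/<24-character secret>`); the sample text it runs over is constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed shape of a Slack incoming-webhook URL: team id (T...), channel/app id (B...),
# then a 24-character secret. Adjust the lengths if Slack's format differs in your tenant.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]{8,12})/(B[A-Z0-9]{8,12})/([A-Za-z0-9]{24})"
)
SECRET_LEN = 24


@dataclass(frozen=True)
class WebhookHit:
    line_no: int
    team_id: str
    channel_id: str
    redacted_url: str  # safe to put in a finding or ticket


def find_webhooks(text: str) -> list[WebhookHit]:
    """Return every webhook URL found in `text`, one hit per match, with the secret masked."""
    hits: list[WebhookHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            team, channel, secret = m.groups()
            masked = m.group(0)[:-SECRET_LEN] + "*" * (SECRET_LEN - 4) + secret[-4:]
            hits.append(WebhookHit(line_no, team, channel, masked))
    return hits


def redact(text: str) -> str:
    """Rewrite `text` with the secret part of every webhook URL replaced, for log scrubbing."""
    return WEBHOOK_RE.sub(lambda m: m.group(0)[:-SECRET_LEN] + "<REDACTED>", text)


def contains_webhook(text: str) -> bool:
    """Yes/no check suitable for a pre-commit or CI gate."""
    return WEBHOOK_RE.search(text) is not None


# Constructed sample input: a committed .env file, an application log line and a docs placeholder.
SAMPLE = """# .env committed by mistake (constructed sample)
SLACK_WEBHOOK=https://hooks.slack.com/services/T0123456789/B0ABCDEF123/abcdefghijklmnopqrstuvwx
# application log (constructed sample)
2024-01-01T00:00:00Z INFO posting alert to https://hooks.slack.com/services/T0123456789/B0ABCDEF124/ABCDEFGHIJKLMNOPQRSTUVWX status=200
# docs placeholder, not a real URL, must not be flagged
see https://hooks.slack.com/services/YOUR/WEBHOOK/URL
"""

if __name__ == "__main__":
    for hit in find_webhooks(SAMPLE):
        print(f"line {hit.line_no}: team={hit.team_id} channel={hit.channel_id} url={hit.redacted_url}")
    print("scrubbed log:")
    print(redact(SAMPLE))
```

Run it over `git diff --cached` output or a log export and the two real-looking URLs are reported with their secrets masked, while the placeholder in the docs line is ignored; `contains_webhook` is the single boolean a commit hook needs to block the push. If a URL has already been exposed, the only remediation is to revoke it in Slack and generate a new one, since there is no way to rotate the secret in place.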
Graves emphasized that this attack offers none of the usual warning signs: the message arrives through Slack's own infrastructure, so there is no spoofed sender address or look-alike domain for the user to notice.
“The only indication that exists would be the person's gut feeling that it doesn't seem right, that this app should not be requesting this level of data,” she said.
Graves said part of the solution is improved awareness around what attackers can do with certain information.
“So, I think some people legitimately don't understand how much access an attacker can gain when credentials are leaked, and even more so when a webhook secret is leaked,” Graves explained. “On the other side of it is understanding what you're giving third parties access to. So, knowing to read those OAuth scopes, understanding how the application that you're using might use that access. Like, it wouldn't make sense – to me, at least – for a webhook to need access to my documents. So, that's something that they have to look over and have some sort of understanding around whether it's some self-learning, whether it's included in security awareness training or something like that.”
Graves noted that anyone can be fooled by social engineering, so companies need to ensure that users know when they should be cautious and ask for assistance before taking an action.
“But again, we've seen in similar attacks in the past that users can be easily tricked and that it's not stupidity,” she said. “It's not even ignorance. It's just that this is very new technology to a lot of people, and the prompts are not always clear, and there is a lot of small text about how they work. So I think that companies need to, I suppose, make as much effort as possible to help people understand the impact of their actions.”
Attackers will never stop coming up with new ways to dupe people into granting them access. New-school security awareness training can give your employees a healthy sense of suspicion to enable them to stop social engineering attacks.
The CyberWire has the story: https://thecyberwire.com/podcasts/research-saturday/140/transcript