Slack Phishing



iStock-489433406People need to be able to use their instincts in order to spot new phishing techniques, according to Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs. On the CyberWire’s Research Saturday podcast, Graves described a phishing technique that abuses webhooks in Slack to fool users into granting an attacker access to their Slack data.

A webhook is a feature that allows third-party apps to send messages to a specific Slack channel via a unique URL. Anyone can send a message to the Slack channel if they know this URL, so it’s important that the URL be kept secret. If an attacker discovers a leaked webhook URL, they can craft a phishing message and send it directly into a Slack workspace to trick a user into installing a malicious app. This app can then exfiltrate data from the targeted workspace.

Graves emphasized that this attack doesn’t have any visible warning signs, since the communication comes directly from Slack through a legitimate service.

“The only indication that exists would be the person's gut feeling that it doesn't seem right, that this app should not be requesting this level of data,” she said.

Graves said part of the solution is improved awareness around what attackers can do with certain information.

“So, I think some people legitimately don't understand how much access an attacker can gain when credentials are leaked, and even more so when a webhook secret is leaked,” Graves explained. “On the other side of it is understanding what you're giving third parties access to. So, knowing to read those OAuth scopes, understanding how the application that you're using might use that access. Like, it wouldn't make sense – to me, at least – for a webhook to need access to my documents. So, that's something that they have to look over and have some sort of understanding around whether it's some self-learning, whether it's included in security awareness training or something like that.”

Graves noted that anyone can be fooled by social engineering, so companies need to ensure that users know when they should be cautious and ask for assistance before taking an action.

“But again, we've seen in similar attacks in the past that users can be easily tricked and that it's not stupidity,” she said. “It's not even ignorance. It's just that this is very new technology to a lot of people, and the prompts are not always clear, and there is a lot of small text about how they work. So I think that companies need to, I suppose, make as much effort as possible to help people understand the impact of their actions.”

Attackers will never stop coming up with new ways to dupe people into granting them access. New-school security awareness training can give your employees a healthy sense of suspicion to enable them to stop social engineering attacks.

The CyberWire has the story: https://thecyberwire.com/podcasts/research-saturday/140/transcript


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer

Subscribe To Our Blog


Ransomware Has Gone Nuclear Webinar




Get the latest about social engineering

Subscribe to CyberheistNews