
Can you be phished in Slack?

December 4, 2022

Is Slack a trusted platform for communication?

The short answer is yes. The longer answer is that you should always be skeptical of messages, and especially requests, that you get on any communication platform - Slack, Teams, email, LinkedIn, social media, etc.

What is phishing?

Phishing is a form of social engineering attack that attempts to use human psychology to trick victims into taking some action. The most common phishing attack is via email where attackers try to trick users into clicking a link and providing sensitive information like usernames and passwords. This is crazy common. It is the most common successful type of cyberattack. The tools to scale these attacks and lists of emails are cheap on the dark web, meaning attackers do not need to be technically savvy to launch large scale phishing attacks.

While email is the most common attack vector for phishing attacks, it is not the only vector. Anywhere that users can receive messages is a potential attack vector. Slack, as a communication platform, is a potential vector for phishing attacks.

How do attackers launch Slack phishing attacks?

There are a couple of avenues for phishing attacks in Slack. Last year, a lot of attention was given to Slack phishing attacks that leveraged Slack webhooks. While these do represent a real threat to Slack users, they are uncommon and often spotted, since they do not come directly from users but from apps acting like users and leveraging webhooks.

A stealthier, albeit more complex, form of Slack phishing attack is one launched via a compromised Slack account. User accounts are compromised all the time. Because a high percentage of users reuse passwords, attackers can use those breached passwords to gain access to other accounts, including Slack accounts.

Here’s a simple example of a Slack phishing workflow:

  • A member of the HR team at a large company uses the same password for Slack and their personal LinkedIn account.
  • LinkedIn experiences a breach exposing passwords (this has happened to LinkedIn).
  • Attackers buy these passwords on the dark web.
  • Attackers use these passwords in credential stuffing attacks (automated attempts to log in to other services with the stolen credentials).
  • Attackers gain access to the HR team member’s Slack account using the same password that the employee used on LinkedIn.
  • Using the compromised Slack account, attackers send direct messages to key employees asking them to verify information for some new or existing employee benefit.
  • Employees click links in Slack, trusting that it is a Slack message from a member of the HR team, and enter their usernames and passwords into a fake website.
  • Attackers use these usernames and passwords to log in to HR systems and other financial systems with the same credentials. From here, it could turn into a ransomware attack or some other type of attack. In any case, the attackers profit at the loss of the company.

How to prevent Slack phishing attacks?

For this post, we are going to assume the Slack phishing attack is an attack that leverages a real, but compromised, Slack account and not a Slack webhook. The messages that are being sent to users in Slack look real. They are from a real account. They are Slack messages.

The same rules apply to Slack messages asking for sensitive information as to email messages (the most common form of phishing attack).

  1. Trust your gut. If something smells phishy, even in Slack, do not trust it.
  2. Check the URL. Reading URLs is an essential skill to defend against all forms of phishing attack, including Slack phishing.
  3. If in doubt, reach out to the sender, a manager, or the security team on a different channel (in this case, not Slack).
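As an added illustration of step 2 (not code from the original post), here is a small Python checker that pulls links out of a Slack-formatted message and flags the things a careful reader looks for: a target host outside the company's domains, a trusted name buried inside an untrusted host or path, and display text that shows a different host than the link actually goes to. Slack's `<url|display text>` link syntax is real; the trusted domain list and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Slack formats links in messages as <https://target.example|display text>;
# the display text is what the reader sees, the target is where the click goes.
SLACK_LINK = re.compile(r"<(https?://[^|>]+)(?:\|([^>]*))?>")

def host_of(url):
    """Real host of a URL; userinfo tricks like https://hr.corp.example@evil.test resolve to evil.test."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def is_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_link(target, label, trusted):
    """Return a list of reasons the link deserves a second look (empty list = nothing found)."""
    reasons = []
    host = host_of(target)
    if not is_trusted(host, trusted):
        reasons.append(f"target host {host!r} is not on the trusted list")
        # A trusted name used as a subdomain or path segment of an untrusted host.
        for d in trusted:
            if d in host or d in urlparse(target).path.lower():
                reasons.append(f"{d!r} appears in the URL but the host is {host!r}")
    # Display text that looks like a host/URL but does not match the real target.
    if label and "." in label and " " not in label:
        shown = host_of(label if "://" in label else "https://" + label)
        if shown and shown != host:
            reasons.append(f"display text shows {shown!r} but link goes to {host!r}")
    return reasons

def check_message(text, trusted):
    """Map each link target in a Slack message to its findings."""
    return {t: check_link(t, label, trusted) for t, label in SLACK_LINK.findall(text)}

# Constructed sample: the HR-benefits lure described in the post (not real data).
TRUSTED = ["corp.example"]
SAMPLE = ("Hi! HR needs everyone to confirm their benefits enrollment by Friday: "
          "<https://corp.example.benefits-verify.test/login|hr.corp.example/benefits> "
          "Policy doc: <https://hr.corp.example/docs/benefits>")

if __name__ == "__main__":
    for target, reasons in check_message(SAMPLE, TRUSTED).items():
        print(target, "->", reasons or ["ok"])
```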
