How Slack Phishing Works to Harvest Personal Data and How to Prevent It
The sad reality of 2019 is that phishing is no longer just an email security problem. For a while now it has been a communication security problem, and statistics indicate that the problem is growing. In spite of concerted efforts by IT specialists and educational campaigners worldwide, internet users continue to fall for email phishing scams with alarming regularity. As it stands, 97% of participants in a recent survey could not tell whether an email was fake. While most people are at least somewhat aware that email phishing exists, few users outside of the IT specialists who combat cyber-crime know that the latest ploy of cybercriminals is weaponizing Slack to the same effect.
For users outside the loop, Slack is a cloud-based instant messaging service much like others that most users are familiar with, only it is geared towards corporate needs and team collaboration. Slack has been universally praised for its usefulness and for features that allow coworkers and managers to quickly and effectively organize projects and discussion topics into separate channels.
Unfortunately, the fact that this is mainly a working environment seems to make people complacent, which has allowed cyber-criminals to con approximately $110 MILLION out of more than 30000 individuals using Slack in 2017 alone. How?
All the crooks really do is send a direct message or a Slackbot reminder to potential victims while posing as someone else. Scammers can easily claim to be whoever they wish to impersonate, and if the user is not savvy enough to spot the tell-tale signs that they are actually dealing with a fraudster, there is a good chance that they will end up handing a lot of personal information to the crook, often even a way into the victim's finances. One particularly canny crook outfit took advantage of this phishing method and used it to gain access to a site for storing, sending, and receiving digital currency, namely MyEtherWallet (MEW). The messages that were sent out included a bogus link that gave the hackers access to the victim's MEW wallet once it was clicked. From that point on, the crooks were able to steal Basic Attention Tokens, or BATs, to their hearts' content.
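The bogus-link tell described above can be checked mechanically. The following is an added example, not code from the article or from Slack: it parses the `<url|display text>` link syntax Slack uses in message text and flags links whose display text names a different host than the real destination, or whose destination merely contains a trusted brand name without being that domain. The `TRUSTED_HOSTS` list and the sample reminder text are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Destinations this (hypothetical) workspace treats as trusted.
# Constructed for the example; a real deployment would maintain its own list.
TRUSTED_HOSTS = {"myetherwallet.com", "slack.com"}

# Slack message text carries links as <url> or <url|display text>.
LINK_RE = re.compile(r"<(https?://[^|>]+)(?:\|([^>]*))?>")
# Something that looks like a hostname inside the display text.
HOST_IN_LABEL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: the last two DNS labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_links(text: str) -> list[dict]:
    """Return one finding per link with the reasons it looks suspicious (empty if none)."""
    findings = []
    for m in LINK_RE.finditer(text):
        url, label = m.group(1), m.group(2)
        host = urlparse(url).hostname or ""
        reasons = []
        if registrable(host) not in TRUSTED_HOSTS:
            reasons.append("untrusted-domain")
        # Display text that reads like a URL but points somewhere else is the classic tell.
        if label:
            lm = HOST_IN_LABEL_RE.search(label.lower())
            if lm and registrable(lm.group(1)) != registrable(host):
                reasons.append("display-host-mismatch")
        # A trusted brand name embedded in a host that is not actually that domain.
        for trusted in TRUSTED_HOSTS:
            if trusted.split(".")[0] in host.lower() and registrable(host) != trusted:
                reasons.append("brand-lookalike")
                break
        findings.append({"url": url, "label": label, "reasons": reasons})
    return findings


# Constructed sample: a Slackbot-style reminder carrying a lookalike link.
SAMPLE_REMINDER = (
    "Reminder: your wallet needs verification, sign in at "
    "<https://myetherwallet.com.verify-login.example|https://myetherwallet.com> today"
)

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_REMINDER):
        print(f["url"], "->", ", ".join(f["reasons"]) or "ok")
```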
One could reasonably expect Slack to take action against fraudsters, such as cooperating with anti-hacker outfits, providing all necessary evidence to local authorities investigating cyber-crime, and even taking direct action to prevent criminal activity by banning suspicious or obviously transgressive accounts. However, the very services that Slack provides largely hamstring its ability to keep cybercrooks at bay; after all, Slack is a communications platform first and foremost.
This means that one cannot reasonably expect to be completely safe on Slack, just as one cannot be absolutely sure that every email arriving in a Gmail inbox is safe. Understanding that is the first step towards being safe when using Slack. Ideally, employees, and internet users in general, should then learn how to tell fake messages from real ones so that they can avoid falling prey to phishing scams altogether, and from that point onward remain vigilant against the tricks of fraudsters.