Chishing - attack on business chats!

Business chats are widespread. A new whitepaper shows that spoofing attacks on them (chishing) are possible.

Chris Wojzechowski, Managing Partner
Updated: March 21, 2025 · 4 min read
IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)

TL;DR

Researchers coined the term chishing (chat + phishing) to describe spoofing attacks in business chat tools. Among six tested platforms - Microsoft Teams, Google Chat, Slack, Element.io, Mattermost, and WebEx Teams - four allowed users to freely change their profile picture and display name without detection. Only MS Teams (admin-controlled profiles) and Element.io (unique user tags) prevented impersonation. The attack works for both internal and external attackers, exploiting the higher trust and communication speed in chats compared to email.


Communication within companies increasingly takes place via business chats, and external partners are more and more often added to what are actually internal chats, which enlarges the attack surface. We found that many chat tools let a user edit their profile in a way that makes a spoofing attack possible. We have therefore published an article that explains the problem and shows which attacks are possible against which tools. We call the attack chishing, a portmanteau of chat and phishing, modelled on classic phishing.

What is spoofing and chishing?

Spoofing means that an attacker pretends to be someone else and thereby gains access to confidential information; it is frequently used for financial gain. The spoofer disguises their communication so that it appears to come from a person or organisation the victim knows, and so gains the victim's trust. The channel can be e-mail, a telephone call or, as in our case, a business chat. In connection with spoofing one also often hears the term DNS spoofing, which we explain in a separate blog post. Chishing is a coinage created while writing the article and combines the words chat and phishing. You can find the article here. The chat variant is the counterpart of display-name spoofing in e-mail: the name and picture shown next to a message are profile attributes chosen by the account holder, not an authenticated identity, so only an identifier the account holder cannot change, and which the client actually displays, can serve as evidence of who is writing.

Which business chats are affected?

In our article on spoofing in business chats we looked at six chat tools: the well-known Microsoft Teams, Google Chat and Slack, and the lesser-known alternatives Element.io, Mattermost and WebEx Teams. For each tool we tried to change our own profile so that it looked like someone else's, by changing the profile picture and the display name. We then set up example chats to check whether the other party could tell who was really behind the profile.

We considered two threat models: an internal attacker and an external attacker. Internal attackers are, for example, employees who want to cause damage within their own company. External attackers are people who have been invited to a company's business chat as guests but do not belong to the organisation.

The result: chishing was not possible in two of the six tools, MS Teams and Element.io. In MS Teams, profile editing is managed by the IT admin, so not every user can change their profile at will. In Element.io, every user carries a unique tag (the Matrix user ID of the form @user:server) that identifies them regardless of display name and avatar.

The other four tools, Google Chat, Slack, Mattermost and WebEx Teams, let us change the profile without any problems and therefore allow chishing: the profile picture and name could be changed so that within a chat it was not noticeable whether the real person was writing. This holds for internal and external attackers alike, and it opens the door to social engineering attacks that are easy to carry out, because both the speed of communication and the level of trust are significantly higher in chats than in e-mail.

Example of chishing in the business chat Mattermost.

The screenshot shows an example of chishing in Mattermost: the chat contains three different users, all with the same profile. With this article we want to draw attention to the growing problem of chishing. There are currently hardly any countermeasures, since with many of the tools a fix would require a fundamental architectural change or a change in how trust is distributed. Until then the practical check is the same as for e-mail: treat display name and picture as unverified, look at the account identifier the tool does show (handle, e-mail address or user ID) before acting on an unusual request, and confirm requests for payments or credentials over a second channel.
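The attack described above leaves a trace an administrator can look for: several distinct accounts sharing one display name and avatar, or a guest account whose name matches an internal employee's. The following script is an added example, not code from the whitepaper or from any of the tested tools. It audits a constructed user-directory export (the field names user_id, display_name, avatar_sha256 and is_guest are assumptions; real exports differ per tool) and raises alerts for the two threat models the article describes, with an extra check for names that mix Latin and Cyrillic letters, a lookalike trick that exact comparison misses.

```python
"""Audit a chat user directory for chishing candidates.

Added example for the AWARE7 article, not the authors' code. The export
format below is constructed; adapt the field names to your tool's export.
"""
import unicodedata
from collections import defaultdict

# Constructed sample export (not real data). Three accounts share the
# "Chris Wojzechowski" profile, as in the Mattermost screenshot; one guest
# clones "Tom Becker" using a Cyrillic 'е' (U+0435) in place of Latin 'e'.
SAMPLE_USERS = [
    {"user_id": "u100", "display_name": "Chris Wojzechowski", "avatar_sha256": "a1b2", "is_guest": False},
    {"user_id": "u217", "display_name": "Chris Wojzechowski", "avatar_sha256": "a1b2", "is_guest": False},
    {"user_id": "g042", "display_name": "Chris  Wojzechowski ", "avatar_sha256": "a1b2", "is_guest": True},
    {"user_id": "u301", "display_name": "Anna Müller", "avatar_sha256": "ff00", "is_guest": False},
    {"user_id": "g077", "display_name": "ANNA MÜLLER", "avatar_sha256": "0c0c", "is_guest": True},
    {"user_id": "u302", "display_name": "Tom Becker", "avatar_sha256": "1234", "is_guest": False},
    {"user_id": "g099", "display_name": "Tom B\u0435cker", "avatar_sha256": "1234", "is_guest": True},
]

SEVERITY = ["medium", "high", "critical"]


def normalize_name(name: str) -> str:
    """Fold case, compatibility characters and padding so that
    'Chris  Wojzechowski ' and 'chris wojzechowski' compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def scripts_in(name: str) -> set:
    """Return the set of Unicode script prefixes (LATIN, CYRILLIC, ...) used
    by the letters of a name. More than one script is a lookalike warning."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def audit(users):
    """Return a list of alert dicts for name collisions and mixed-script names.

    Severity: collision among internal accounts only -> medium (internal
    attacker model); guest sharing a name with an internal account -> high
    (external attacker model); one level higher if the avatar is cloned too.
    """
    alerts = []
    by_name = defaultdict(list)
    for u in users:
        by_name[normalize_name(u["display_name"])].append(u)

    for name, group in by_name.items():
        if len(group) < 2:
            continue
        guests = [u for u in group if u["is_guest"]]
        internal = [u for u in group if not u["is_guest"]]
        level = 1 if guests and internal else 0
        if len({u["avatar_sha256"] for u in group}) < len(group):
            level += 1  # same picture on several accounts: full profile clone
        alerts.append({
            "kind": "name_collision",
            "severity": SEVERITY[level],
            "name": name,
            "user_ids": sorted(u["user_id"] for u in group),
        })

    for u in users:
        if len(scripts_in(u["display_name"])) > 1:
            alerts.append({
                "kind": "mixed_script",
                "severity": "high" if u["is_guest"] else "medium",
                "name": u["display_name"],
                "user_ids": [u["user_id"]],
            })
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_USERS):
        print(f'{a["severity"]:8} {a["kind"]:15} {a["name"]!r} -> {a["user_ids"]}')
```

Run it as a scheduled job against a fresh export and route "high" and "critical" alerts to the chat admins; the account identifiers in the alert are what a recipient should compare against, since the display name is exactly the attribute the attacker controls.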


About the author

Chris Wojzechowski, Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.

10 publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen - CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking - Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)
Certified: ISO 27001, ISO 9001, AZAV