Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:30 AM
Yoram Salinger
Yoram Salinger
Connect Directly
E-Mail vvv

4 Ways At-Work Apps Are Vulnerable to Attack

Collaboration applications make users and IT teams more efficient. But they come with an added cost: security.

They haven't completely replaced phone calls or email, but communication and collaboration apps are becoming increasingly popular. For workers today, who are in and out of the office, working on the go, with multiple team members, it's all about convenience and ease of use. Many rely on Slack, Google Hangouts, Box, SharePoint, and other applications to communicate, share files, and collaborate on projects to get their work done in the most efficient manner possible.

For IT teams, there's an added bonus: Collaboration apps are meant to be easier to manage than local servers. The brand responsible for the app takes care of outages or any other disruption; it ensures that communications are backed up and that the system is secured from data loss. Since the brand specializes in its tool, it will have the resources to ensure that things run smoothly and safely.

That's the promise, at least — but the reality is different. A study we conducted in 2018 with 500 enterprise IT decision-makers, managerial level and above, who are involved in cybersecurity efforts in medium and large enterprises revealed that two-thirds of responding companies have been attacked via collaboration tools in the last 12 months, and three-quarters believe the sophistication of such attacks is increasing. Here are some reasons why such tools may be more of a burden than a boon security-wise:

Phishing is a favorite. Attackers have already had great success using phishing techniques. According to the 2017 Verizon data breach report, as many as 95% of security breaches have their origins in socially engineered phishing attacks. Collaboration-tool phishing attacks are takeoffs on the "classic" email scam; rather than send a malicious URL via email, attackers can instead send it through messaging services. The message could come from an insider threat, a third party, or stolen credentials. Interactions via messaging are typically very quick and immediately trusted, meaning users may be less likely to think twice before clicking.

Email and notifications. When you're out of the office, common corporate courtesy dictates that you let people know that you're not available to meet with them — and for that, there is the out-of-office auto-reply, in which you inform people who sent you messages (via email or collaboration app) that you're away. The problem, of course, is that the auto-reply is sent in response to all messages that an inbox gets — and if that response is received by a thief, you could be tipping him off that it's open season on your house.

You can't see them? Doesn't mean they aren't there. Besides messages with "poison links," hackers have had great success in sending their malware to victims via files and documents emailed directly to victims' mailboxes. With a bit of social engineering, hackers can get their prey to open the document, thus unleashing the malware. Advanced hacking techniques enable bad actors to hide malware in macros or scripts of the poisoned document — places that antivirus and other security systems cannot penetrate. Once the document is opened and uploaded to the collaboration platform, the malware can easily spread to anyone else who accesses that document.

For example, if the malware comes in the form of a keylogger, the malware will attach itself to individual users' systems when they access the shared document. If they access it from inside the organization, the keylogger will be able to collect and send back to the hackers each user's corporate login. If one of those logins belongs to an administrator, it's just a matter of time before the hackers get their hands on anything and everything.

Who said that? With the credentials to a collaboration account in hand — obtained perhaps by tricking a member of the group into giving up their name and password — hackers could perpetrate all sorts of mayhem by posing as an employee. (Typically, all it takes is a message from "tech support" saying they need the information.) Then, using the private messaging component of a collaboration app, a skilled hacker could pump a member of the group for information about a contract, event, or other important data. When coupled with the techniques that hackers use to attack organizations via collaboration platforms, the result is a one-two punch that enables them to do what they want, when they want.

Collaboration tools clearly provide great benefits for organizations — but they also provide hackers with a path to compromising IT systems. It's unlikely that companies will give up on collaboration tools, which have opened a whole new window on productivity for both employees and organizations.

What to do? In any human exchange, caution is always warranted — especially if it's done electronically. Before opening a document or a link, employees must ensure that they are not walking into a hacker-laid trap. Context can be important here; documents and links that seem out of character for a project should raise suspicions, and teams should work out a code that will indicate that a communication they receive is a legitimate one (i.e., a naming convention for files, using Google shortcuts for all links, etc.).

And, of course, organizations should implement defensive systems for situations where hackers do get through, despite the caution employees exercise. Collaboration tools are definitely a blessing for modern business — and the task today is to ensure that they don't turn out to be a curse as well, sentencing companies to an eternity in hacker hell.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Yoram Salinger is the CEO of Perception Point, leading the company's growth, strategy and management. He previously served as the CEO of Redbend and Netgame, as well as the COO of Algorithm Research, where he headed marketing and sales for Europe and the Far East. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/13/2019 | 3:51:03 PM
good article
Interesting read and spot on with hackers posing as "tech support '


User Rank: Ninja
3/8/2019 | 10:11:14 AM
Re: The theme
"IF YOU DON'T NEED IT, DON'T READ IT, DELETE IT" Wise words to live by.

The reason that server side attacks have transitioned to the minority and client side attacks are now the majority is because people's curiousity is peaked. Plus since email needs to remain open for business it will commonly subvert many of the security layers.

User Awareness is a big piece and constant testing will go a long way. Sites like PhishMe and KnowBe offer integrated services to perfrom.  
User Rank: Ninja
3/7/2019 | 12:54:51 PM
The theme
Always seems to be an impersonation attack through email and infected documents.  User education would almost eradicate a huge potion of malware.  BUT people are curious and that killed the cat.  They want to see what an infected something ACTUALLY DOES.  I have seen that crazy desire up close.  Or they just want to see if the Liberty Wine company really does owe then $315.62 as per the attached invoice.  (Google that one).  My rule for email is simple and I encourage all to pass it on: IF YOU DON'T NEED IT, DON'T READ IT, DELETE IT
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...