Shutting Down SlackBITS After Impersonation-Based Malware Attack

Originally published at: Shutting Down SlackBITS After Impersonation-Based Malware Attack - TidBITS

This is why we can’t have nice things.

In our public SlackBITS group, I received a direct message from a user whose name rhymes with “Bob,” saying he had received a private invitation from Glenn Fleishman. Pleased to be included by an author whose writing he has followed for years, Bob clicked through to the promised Google Workspace… and ended up installing the OSX.Odyssey infostealer, even though he should have known better, being a Slack administrator, IT admin, and the privacy officer for his organization. Here’s what happened.

Slack phishing attack

Bob was prompted to update a certificate via an installer and realized that he had installed malware when the Mac asked for permission to control the Finder and access Notes. He also heard the sound of files being moved around in the Finder. He turned off Wi-Fi and ran Malwarebytes, which identified OSX.Odyssey and quarantined the executable script. Unfortunately, OSX.Odyssey is thought to work nearly immediately, and he later found some invisible files in his home folder containing remote IP addresses, a remote username, and his Mac user password. Because his Mac had an Intune MDM profile installed, he sent a wipe command to the Mac, which executed as soon as he turned Wi-Fi back on. Fortunately, his Time Machine backup was only 24 hours old, and the drive hadn’t even been attached when the malware was active, so he could restore with confidence.

To play it safe and as penance for being careless, Bob has spent hours since changing all active passwords in his Passwords and 1Password accounts. That includes hundreds of logins, many SSH and API keys, and even credit card numbers. He replaced his debit card and locked his credit cards.

Investigating the Attack

How was such a tech-savvy user fooled? Impersonation-enabled social engineering. Needless to say, the real Glenn Fleishman did not send that message, but someone using a @glennfleishman handle, with Glenn’s photo in the profile, did. When I searched for Glenn’s name in SlackBITS, I found two users with the same handle who were almost identical. The main difference between Real Glenn’s profile (left) and Evil Glenn’s profile (right) is the email address, which is a little sketchy looking, but not obviously fake.

Glenn and Evil Glenn

Upon close inspection, the message itself reads like it was written by AI. It doesn’t really say anything and uses overly earnest phrases like “genuinely interesting,” but again, it’s coming from a trusted person (Glenn) on a trusted messaging platform (Slack) run by a trusted organization (TidBITS). While Bob has read a lot of Glenn’s articles and books, he doesn’t know Glenn well enough to realize that there weren’t nearly enough puns in the message to be real. It’s easy to say, “Oh, I would never fall for that” (and others on SlackBITS did not), but you can see how the mistake was made.

Here’s where I have to acknowledge some culpability. We started SlackBITS a decade ago when Glenn wrote a book about Slack (see ““Take Control of Slack Basics” Serialized in TidBITS,” 9 March 2016). Although SlackBITS started strong and eventually attracted over 1400 users via public invitation links I published in TidBITS, it never really took off. Messages were generally few and far between, except during Apple events, when a bunch of TidBITS readers would gather to chat.

As a result, I didn’t check in on it regularly and failed to stay up to date on changes to admin options. SlackBITS was always intended to be public, but I didn’t know (or at least remember) that in 2017, Slack phased out unique usernames in favor of display names, which aren’t unique (the user ID remains unique). As a result, it was possible for Evil Glenn to join SlackBITS, copy Glenn’s profile, and change his display name to @glennfleishman. As I untangled what happened, I found settings that would have blocked display name changes. I had enabled them by the time I took this screenshot.

Slack account type permissions

Slack’s admin logging is weak for free teams, but I did find evidence of the attacker joining the #general channel and changing his display name. I didn’t get a notification about that, and since SlackBITS wasn’t particularly active, I didn’t visit regularly enough to notice. Besides, I was at a conference Friday and Saturday, and I drove home all day Sunday, so it would have taken a lot more than this for me to realize something was amiss. And even if I had noticed, would I have seen this as a problem? Probably not.

Evil Glenn joining SlackBITS
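Because display names are not unique but user IDs are, an admin can periodically scan a member export for two IDs that fold to the same handle, which is exactly the collision described above. The following is an added example, not code from TidBITS or Slack: the member records are constructed, loosely in the shape of a Slack users.list export, and the joined field is an assumed timestamp from your own records rather than a Slack API field.

```python
import unicodedata
from collections import defaultdict

# Constructed sample member records, loosely in the shape of a Slack users.list
# export. "joined" is an assumed field (e.g. taken from your own admin log);
# it is not part of the Slack API response.
MEMBERS = [
    {"id": "U0001", "display_name": "glennfleishman", "real_name": "Glenn Fleishman",
     "email": "glenn@example.com", "joined": 1457500000},
    {"id": "U0002", "display_name": "adamengst", "real_name": "Adam Engst",
     "email": "adam@example.com", "joined": 1457500100},
    {"id": "U0998", "display_name": "Bob", "real_name": "Bob",
     "email": "bob@example.com", "joined": 1500000000},
    # Lookalike: same folded display name, different ID, much later join, odd email.
    {"id": "U0999", "display_name": "@GlennFleishman", "real_name": "Glenn Fleishman",
     "email": "glenn.fleishman@mail-example.net", "joined": 1774000000},
]

def canon(handle):
    """Fold a handle so visually identical names collide: NFKC, casefold,
    drop spaces and a leading '@' (so "@Glenn Fleishman" folds to "glennfleishman")."""
    return unicodedata.normalize("NFKC", handle).casefold().replace(" ", "").lstrip("@")

def find_display_name_collisions(members):
    """Group members by folded display name. Where more than one user ID shares a
    name, treat the earliest-joined account as the original and the rest as
    suspects. Returns a list of {handle, original, suspects} dicts, one per collision."""
    by_handle = defaultdict(list)
    for m in members:
        by_handle[canon(m["display_name"])].append(m)
    findings = []
    for handle, group in sorted(by_handle.items()):
        if len(group) < 2:
            continue
        group.sort(key=lambda m: m["joined"])
        findings.append({
            "handle": handle,
            "original": group[0]["id"],
            # Keep the suspect's email: in this incident it was the visible difference.
            "suspects": [(m["id"], m["email"]) for m in group[1:]],
        })
    return findings

if __name__ == "__main__":
    for f in find_display_name_collisions(MEMBERS):
        print(f"{f['handle']}: original {f['original']}, suspects {f['suspects']}")
```

Run this against a fresh export on a schedule; a new collision is the signal the admin log would not have pushed to you.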

Another factor that played into the entire sad story is that Slack isn’t designed for public use. It provides public invitation links and makes it easy for users to invite other users, but at its heart, Slack assumes it will be used internally within an organization. Particularly when used by a free team, it doesn’t have robust controls for tracking invitation usage, approving users, offering permission levels, and logging actions.

It’s not just SlackBITS. I’ve heard from someone involved with another large public Slack group that its admins are also dealing with similar attacks.

Switching to Discourse Chat

In contrast, Discourse, which we use for TidBITS Talk, is intended for use by large numbers of potentially unvetted users. It has four trust levels with granular control over what users at different levels are allowed to do, assumes that some users could be bad actors, and offers excellent logging that even tracks changes to settings.

Discourse logging

Because SlackBITS was used only for chatting during Apple events by relatively few people (only about 400 of the 1400 were in the #events channel, but many fewer than that actually participated), I’m hoping that the Discourse Chat plugin will be able to support us during Apple’s next live event, presumably the WWDC keynote in early June (see “WWDC 2026 Scheduled for June 8–12,” 23 March 2026).

I’ll start a new channel for that event, but in the meantime, if you’d like to play with the Discourse chat interface, you can join the general ChatBITS channel. It seems functional, though it doesn’t seem to provide the kind of notifications necessary for quick responses.

Shutting Down SlackBITS

Even though I’ve deactivated the Evil Glenn account and some others I felt were sketchy, there’s no way I can effectively evaluate over 1400 accounts. As a result, I’ve decided to shut SlackBITS down for good shortly. The minimal level of usage should mean that no one will be too inconvenienced, and Discourse now provides both traditional asynchronous forum discussions and a real-time chat interface for those who want them. Although Discourse also lets individual users direct message one another, I’ve now restricted those to higher trust levels.

Stay secure out there, folks, because we’re all in this together. Kevin Kelly has a nice essay entitled Your Security Is My Security, where he explains why he cares about the security of your machines:

Because the security of a network is only as good as its weakest link, and we are now running a global machine. That global machine, made up of your devices and yours and yours, is the machine I use. Everything connected to this global machine is on MY machine. Every device connected is linked to all the other devices. Therefore the security of everyone is hinged to the weakest security on the lowliest thing. That might be a connected pencil that could be hacked. If someone can hack a pencil they can use that exploit to hack into a drawing tablet and from there extend into an OS, and from there into the network. The weakness of one small point can ripple across the globe and affect me directly.
