Logan Bailey

Adventures In Web Development


Today, I heard about Slack’s help desk domain, get.slack.help. I’m not going to lie, it’s an awesome domain. It’s easy to remember, it’s cool. It’s all you want in a startup domain. But it comes at the cost of end-user security.

Phishing attacks are targeted attacks to gain sensitive information. Imagine a potential victim is a member of “Bank of Acme Trust and Savings” and often visits their website, BankOfAcmeTS.com. A hacker will send the victim an official-looking email informing the bank member that there is some issue with their account which requires them to sign in to fix. The email will contain a nice big comforting “Login” button. The unsuspecting victim will click the login button, enter their name and password, and see their bank's homepage. The victim will not even know they gave their password to Bank0fAcmeTS.com. Notice the O in "Of" is now a 0. An aware user might realize they're still logged out and suspect something. But most will probably think it is some computer error.

The best way to prevent this kind of attack is for potential victims to be aware. Verify the domain before you enter your password on any website. Historically, this has been simple: most companies have one TLD that a user uses. Users of amazon.com most likely don't use amazon.fr and vice versa. However, when companies adopt multiple TLDs for the same end user, they expose those users to a greater risk of phishing attacks. Off the top of my head, Slack has 3 domains on 2 TLDs.

  • get.slack.help
  • slack.com
  • slackhq.com

Hackers now have another attack vector: rather than just attacking the domain name, they can use TLDs. Next time you open an email from some service saying, "stay up to date on our server status by checking company-status.info," think twice before you log in.
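The domain check described above can be automated for links in incoming mail. The following is an added example, not code from this post: it classifies a URL against a list of official domains and flags both character swaps (0 for O) and the same name on an unlisted TLD. The `LOOKALIKES` map, the function names, and the rule that the last two labels form the registrable domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains taken from the post's examples (slack.help covers get.slack.help).
OFFICIAL = ["bankofacmets.com", "slack.com", "slack.help", "slackhq.com"]

# Constructed, deliberately small map of digit-for-letter swaps; not a full confusables table.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Return the last two labels of a hostname.

    Assumption: no public suffix list is consulted, so names under
    multi-label suffixes such as co.uk are not handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url, official=OFFICIAL):
    """Return (verdict, official_domain_or_None) for the host in `url`."""
    # urlsplit().hostname ignores any userinfo before '@' and lowercases the host.
    host = urlsplit(url).hostname or ""
    domain = registrable(host)
    if domain in official:
        return ("official", domain)
    name, _, tld = domain.rpartition(".")
    skeleton = name.translate(LOOKALIKES)
    for good in sorted(official):
        good_name, _, good_tld = good.rpartition(".")
        # Same name after undoing digit swaps, but not the same spelling.
        if name != good_name and skeleton == good_name.translate(LOOKALIKES):
            return ("lookalike", good)
        # Exact brand name on a TLD the company has not published.
        if name == good_name and tld != good_tld:
            return ("unlisted-tld", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, based on the domains named in the post.
    for link in ["https://BankOfAcmeTS.com/login", "https://Bank0fAcmeTS.com/login",
                 "https://get.slack.help/hc", "https://slack.info/signin",
                 "https://company-status.info/"]:
        print(link, "->", classify(link))
```

Every TLD a company adds means another entry in `OFFICIAL` that users and mail filters have to know about, and anything outside the list, such as company-status.info, can only be reported as unknown.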

Posted In:
Security