MetaCert’s Promise to token launches and ICOs and the wider Cryptocurrency Community — we will protect you from phishing campaigns Paul Walsh Follow Jul 24, 2017 · 11 min read

The title says it all, but the slightly longer version is…

But first, is phishing on Slack a big problem? Er, click here to see the magnitude of Google search results.

Phishing attacks inside Slack DMs is a serious problem for the Cryptocurrency world. Companies behind token launches and ICOs (Initial Currency Offerings) are contacting MetaCert because they are literally scared of phishing links being shared in their Slack, almost every day.

We already have a Slack Security app that helps to protect customers like IBM, Blackhawk Network, AppDirect and VSP from potential phishing attacks as well as Pornography and Fake News. But we are making a promise today, to immediately dedicate significant design and engineering resource to extend our service to address the additional needs of the Crypto world.

Token launches and ICOs being attacked by Phishing scams on Slack

According to ETHNews,

… a plethora of blockchain and cryptocurrency open community teams have fallen prey to phishing scams that utilize the messaging service Slack. As the communication software of choice among blockchain developers and founders, Slack might be the weakest link in corporate cybersecurity.

Shortly after the Fourth of July, a number of blockchain teams were targeted by a phishing scam wherein a malicious actor or group sent reminders through the Slackbot imploring users to log in to MyEtherWallet (MEW). Users who clicked on the attached hyperlink were redirected to myether.com.co, a site impersonating MEW. It seems that the false front allowed the scammer(s) to collect wallet details from their victims.

According to Slack PR in response to this article,

“We are aware that open community teams related to cryptocurrency were targeted with deceptive spam messages. Several of the affected teams have since disabled or deleted access to the offending user accounts. Online scams targeting open communities can be pervasive and we encourage team admins and members to be vigilant, and to review and enforce basic security measures.”

At MetaCert, we predicted this type of security threat a few years ago when we first asserted that the future of web browsing would be inside mobile apps that contain a WebView, rather than inside a native mobile browser — that has some built-in security.

We also predicted that all chat services would open up to third-party software developers and quickly become a replacement for email (for some people). All of the above has happened. You can see the evidence of our assertions from our open sourced investor pitch deck that was used to secure our second $1.2M seed round. This is why we decided to focus on “Team Collaboration / Messaging Apps” as a vertical within the app ecosystem.

The Problem in more detail

Matt McGivern, the Community Manager for SingularDTV was the first person to bring the security issues on Slack to my attention. They really care to protect their brand, organization and their community, from the potential security threats inside Slack. Matt and I have exchanged quite a few emails already — helping us better understand the unique requirements for token launches and ICOs.

What is Slack, HipChat, Cisco Spark, et al., doing to address the problem?

In short, not enough. Slack has listed MetaCert in their curated list of “Brilliant Bots”, while HipChat has blogged about our service in the past.

The main problem is that Team Collaboration services and Messaging apps don’t have built-in protection against malicious URLs — not one of them. Not even Cisco Spark which has end to end encryption for large enterprise customers.

The security threat comes from the fact that most people will use chat services like Slack on their mobile device while connected to 3G, or home/public wifi. This is where there is zero protection from malicious URLs. That is, unless they’ve installed the MetaCert Security App.

For two years we’ve been saying that if people are reducing their reliance on email in favor of services such as Slack, it stands to reason cybercriminals will also move their attacks to this new threat vector.

Security is always last to play catchup. So none of these platforms have integrated any security products to protect their customers from malicious links. And even though we have some of the biggest security companies in the world as customers on Slack using our security app, none of them have built any services to help their customers stay protected. #ironic.

Every single company we spoke to, assumed they were protected from malicious links — due to the wide assertions made by the platforms in regards to their commitment to privacy and security. Again, not one message service protects you from malicious links.

Why aren’t the platforms doing more?

For the most part, the response I’ve heard from the Platforms, was that their systems are mostly used by companies for internal communication and therefore, anti-phishing and malware security isn’t a priority for them. This is wrong in my opinion, for two reasons;

Even where companies use Slack or another service for “internal communication”, the people are always connected to the outside world — they are the weak link. People are always the weak link. There’s nothing to stop someone from copying a dangerous link from a social network into Slack by mistake — mistakes happen, regularly. And besides, most IT Professionals are more concerned about insider threats than they are external hacks. Communities using Slack is not a new concept, nor is it unexpected behavior. Take Botkit for example — it’s the world’s most widely used open source chatbot making framework. It has a few thousands members inside their Slack community. And Slack is an investor in Botkit. It was always obvious in my opinion, that communities like this, would use Slack for broadcasting updates and increasing community engagement. The NYT started live blogging on Slack more two years ago.

Even if these messaging services weren’t originally designed with communities in mind, they should probably redesign them to meet customer usage and expectations.

MetaCert Security for Slack — what’s available now

MetaCert already protects customers of all sizes from malicious links on Slack, HipChat, Skype and Facebook Messenger. But I’m going to talk specifically about Slack.

Our security app silently monitors every message sent across public channels, checking links against our threat intelligence system in real time.

As soon as a dangerous link has been detected, an alert is broadcast to the channel in which it was detected, as well as to the administrator who installed our app. The time delay between detection and alert is less than a third of a second (170ms) — so the risk of someone opening the wrong link is significantly reduced.

As our customer, you get your own threat intelligence dashboard where you can find every link and file shared across your Slack account. It will also provide insight to the most active users and channels. And you get a full CRM — which includes all the contact information for your users (including their email address). So if you have an issue with a member of your community, you can get insight to exactly what they shared and in which channel, up to the point of detection. And then act accordingly with evidence — even if they later delete their messages. We call this forensic evidence.

The screen shot below is a real example of a community that I run within the chatbot industry.