Previously we described why we decided to move away from Slack and onto Telegram for managing the Kin community. This post will present some of the steps we took to protect the community while it was hosted on Slack.

We started using Slack for Kin and installed an auto-inviter bot to allow anyone to join without human intervention. We had three main channels on Slack, #announcements, #general, and #technology, and the topic and purpose were set to include rules and useful information. A group of @admins moderated and answered questions in these channels.

Attack Vectors

Regardless of the safety measures we put in place, our Slack channels endured a lot of attacks. These attacks originated from security vulnerabilities inherent to Slack:

Changing the channel topic and purpose

Posting Ethereum and Bitcoin addresses, requesting funds or “donations”

Posting phishing links (e.g. a link with text kin.kik.com that links to a different, fake site)

The most dangerous attack was when users pretended to be moderators. They did this by:

Registering with similar names, usernames and profile images as our Slack @admins or members of our team that appear on our website and whitepaper.

Changing existing users into the above

Pretending to belong to MyEtherWallet or Kin team

To mitigate these attacks, we implemented many preventative measures:

Moderation teams in two geographical locations (Waterloo and Tel Aviv). This enabled us to monitor channels around the clock as much as humanly possible.

We prevented members from adding bots to all channels.

We locked the #announcements channel to allow only @admins to post (this can only be done to one channel at a time).

During the TDE, we decided to archive all channels to eliminate any potential attacks and concentrated our efforts to secure the event and report phishing sites.

We considered changing everyone to multi-channel guests, as these have lower permissions and can’t access some Slack features available to regular members, but decided against it. Although multi-channel guests cannot set reminders for others, attackers could still DM any member of the community (all members are in the #general channel), and members could only be converted to multi-channel guests manually.

Protector Bot

In addition, to automate the protection tasks we initially did by hand, we built @kin-protector, our very own chatbot! We initially used Errbot as we had experience with it in the past. We soon realized we would have to patch the Errbot core in order to disable its message filtering and its auto-reply function to the same channel. We ended up migrating the bot to a bare Slack framework named python-rtmbot.

@kin-protector was a member of each channel. It was also a member of a private channel containing only the admins and the bot. This is where it would notify us about suspicious activity and log any actions taken.

At the beginning it would only protect the purpose and topic of each channel. When someone tried to change a topic, the bot would change the topic back and delete the “topic changed” message from the channel. Later, we wanted to proactively find and deactivate imposters. We discovered new members by periodically polling Slack for the full members list (initially we relied on an event sent from Slack, but we found that the events were inconsistent and not immediate enough).

New Member Checks

When a new member was found, the bot would run a set of checks:

String similarity:

Prohibited important strings — Kin, Ether, admin names, etc.

Using Levenshtein distances to produce a similarity score.

We also looked at phonetic distance functions with varying weights based on character difference (punctuation marks weigh less such that `tanner.` is closer to `tanner` than `banner`).

Image Recognition with AWS Rekognition:

Given the list of admin users and an additional list of images, the bot compared each new or changed member image to each and every user image.

To save money and reduce latency by decreasing the number of requests to the service, we tiled and stitched all the profile pics together to generate a single image. This works as AWS Rekognition supports detecting multiple faces in a single image.
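The string-similarity check described above can be sketched as follows. This is an added example, not the @kin-protector code: it uses a weighted Levenshtein distance (not a phonetic function), and the name lists, the 0.2 punctuation weight and the 0.9 threshold are assumptions.

```python
import string

# Constructed lists: the page names "Kin", "Ether" and admin names but gives no full list.
PROHIBITED = ["kin", "ether"]
ADMIN_NAMES = ["tanner"]
PUNCT_COST = 0.2  # assumed weight: punctuation/whitespace edits are cheap

def _cost(ch):
    return PUNCT_COST if ch in string.punctuation or ch.isspace() else 1.0

def weighted_distance(a, b):
    """Levenshtein distance in which edits involving only punctuation cost less."""
    a, b = a.lower(), b.lower()
    prev = [0.0]
    for ch in b:
        prev.append(prev[-1] + _cost(ch))
    for ca in a:
        cur = [prev[0] + _cost(ca)]
        for j, cb in enumerate(b, 1):
            sub = 0.0 if ca == cb else max(_cost(ca), _cost(cb))
            cur.append(min(prev[j] + _cost(ca),     # delete ca
                           cur[j - 1] + _cost(cb),  # insert cb
                           prev[j - 1] + sub))      # substitute ca -> cb
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Score in [0, 1]; 1.0 means identical after case folding."""
    longest = max(len(a), len(b)) or 1
    return max(0.0, 1.0 - weighted_distance(a, b) / longest)

def check_name(name, threshold=0.9):
    """Return (reason, matched_string, score) tuples for a display name or username."""
    folded = "".join(c for c in name.lower() if c.isalnum())
    hits = [("contains", p, 1.0) for p in PROHIBITED if p in folded]
    for admin in ADMIN_NAMES:
        score = similarity(name, admin)
        if score >= threshold:
            hits.append(("similar", admin, round(score, 2)))
    return hits
```

With these weights `tanner.` scores about 0.97 against `tanner` while `banner` scores about 0.83, so only the first crosses the threshold.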

Auto-Deactivation

Once we found a profile that was sufficiently suspicious we deactivated the user automatically (using the SCIM API) and notified the @admins. If users sent unapproved messages via Slackbot (the one bot we could not remove from Slack), we changed these usernames to names like “SCAM” so their DMs and Slackbot reminders would appear to have been sent from a malicious user.

A message from good ol’ Scammy

Text Filtering

The bot also applied regular expression matching on message content, finding and deleting Bitcoin and Ethereum addresses and phishing links. Links on Slack can be hidden behind text using the format <text|www.example.com>. Scammers used this to create innocent-looking links that led to phishing sites. A link was only allowed if the text was not a link or if the hyperlink was from the same domain as the text.
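A sketch of the filtering rule above, as an added example rather than the bot's original code. It assumes labelled links arrive in the message text as `<url|label>` (the order used in Slack's message payloads), compares full hostnames (stricter than "same domain"), and uses approximate address patterns with no checksum validation.

```python
import re
from urllib.parse import urlsplit

# Approximate patterns (assumption): format only, no checksum validation.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
BTC_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[0-9a-z]{11,71})\b")
# Assumed wire format for a labelled link: <url|label>
LINK_RE = re.compile(r"<(https?://[^|>\s]+)\|([^>]+)>")
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def _host(value):
    """Lower-cased hostname of a URL or bare domain string."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower().rstrip(".")

def link_is_deceptive(url, label):
    """Allowed if the label is not itself a link, or label and target share a host."""
    label = label.strip()
    if not LOOKS_LIKE_URL.match(label):
        return False
    return _host(url) != _host(label)

def violations(text):
    """Return the reasons a message should be deleted (empty list if clean)."""
    found = []
    if ETH_RE.search(text):
        found.append("ethereum_address")
    if BTC_RE.search(text):
        found.append("bitcoin_address")
    for url, label in LINK_RE.findall(text):
        if link_is_deceptive(url, label):
            found.append("deceptive_link:" + _host(url))
    return found

# Constructed sample messages (the phishing host is a placeholder domain).
SAMPLES = [
    "Join the sale at <http://kin-kik.example.net/login|kin.kik.com>",
    "Details at <https://kin.kik.com/faq|kin.kik.com>",
    "Read <https://example.org/post|the announcement>",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(violations(msg), msg)
```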

/remind attacks

Lastly, when a /remind phishing attack slipped through and showed up in Slackbot’s channel, we manually triggered a broadcast reminder to ignore any messages and to stay vigilant. This both notified our users and pushed the phishing message up (you cannot delete other members’ messages posted via Slackbot).

Conclusion

@kin-protector did a good job and had our backs in more than a few cases, but eventually we did decide to leave Slack. Some of the reasons we decided to leave were:

Some of our mitigations require Slack’s SCIM API, which is only available in the “Plus” plan and was very expensive considering the large number of members we had in the community.

Slack is designed for internal teams, not for managing a public community. Its functionality relies on the good behavior of its members, and it doesn’t have sufficient tools for countering bad actors.

The primary problems were the reminder and DM phishing attacks, which still don’t have a proper solution.

Alternatives

As a final note, we still love Slack and use it internally at Kik. There are also some other great products that try to tackle scams on Slack that unfortunately didn’t fit our needs but might suit you: