MetaCert Security for the Cryptocurrency Community

MetaCert’s Promise to token launches and ICOs and the wider Cryptocurrency Community — we will protect you from phishing campaigns

Paul Walsh
Jul 24, 2017 · 11 min read

The title says it all, but the slightly longer version is…

But first, is phishing on Slack a big problem? Er, click here to see the magnitude of Google search results.

Phishing attacks inside Slack DMs is a serious problem for the Cryptocurrency world. Companies behind token launches and ICOs (Initial Currency Offerings) are contacting MetaCert because they are literally scared of phishing links being shared in their Slack, almost every day.

We already have a Slack Security app that helps to protect customers like IBM, Blackhawk Network, AppDirect and VSP from potential phishing attacks as well as Pornography and Fake News. But we are making a promise today, to immediately dedicate significant design and engineering resource to extend our service to address the additional needs of the Crypto world.

Token launches and ICOs being attacked by Phishing scams on Slack

According to ETHNews,

… a plethora of blockchain and cryptocurrency open community teams have fallen prey to phishing scams that utilize the messaging service Slack. As the communication software of choice among blockchain developers and founders, Slack might be the weakest link in corporate cybersecurity.

Shortly after the Fourth of July, a number of blockchain teams were targeted by a phishing scam wherein a malicious actor or group sent reminders through the Slackbot imploring users to log in to MyEtherWallet (MEW). Users who clicked on the attached hyperlink were redirected to myether.com.co, a site impersonating MEW. It seems that the false front allowed the scammer(s) to collect wallet details from their victims.

According to Slack PR in response to this article,

“We are aware that open community teams related to cryptocurrency were targeted with deceptive spam messages. Several of the affected teams have since disabled or deleted access to the offending user accounts. Online scams targeting open communities can be pervasive and we encourage team admins and members to be vigilant, and to review and enforce basic security measures.”

At MetaCert, we predicted this type of security threat a few years ago when we first asserted that the future of web browsing would be inside mobile apps that contain a WebView, rather than inside a native mobile browser — that has some built-in security.

We also predicted that all chat services would open up to third-party software developers and quickly become a replacement for email (for some people). All of the above has happened. You can see the evidence of our assertions from our open sourced investor pitch deck that was used to secure our second $1.2M seed round. This is why we decided to focus on “Team Collaboration / Messaging Apps” as a vertical within the app ecosystem.

The Problem in more detail

Matt McGivern, the Community Manager for SingularDTV was the first person to bring the security issues on Slack to my attention. They really care to protect their brand, organization and their community, from the potential security threats inside Slack. Matt and I have exchanged quite a few emails already — helping us better understand the unique requirements for token launches and ICOs.

What is Slack, HipChat, Cisco Spark, et al., doing to address the problem?

In short, not enough. Slack has listed MetaCert in their curated list of “Brilliant Bots”, while HipChat has blogged about our service in the past.

The main problem is that Team Collaboration services and Messaging apps don’t have built-in protection against malicious URLs — not one of them. Not even Cisco Spark which has end to end encryption for large enterprise customers.

The security threat comes from the fact that most people will use chat services like Slack on their mobile device while connected to 3G, or home/public wifi. This is where there is zero protection from malicious URLs. That is, unless they’ve installed the MetaCert Security App.

For two years we’ve been saying that if people are reducing their reliance on email in favor of services such as Slack, it stands to reason cybercriminals will also move their attacks to this new threat vector.

Security is always last to play catchup. So none of these platforms have integrated any security products to protect their customers from malicious links. And even though we have some of the biggest security companies in the world as customers on Slack using our security app, none of them have built any services to help their customers stay protected. #ironic.

Every single company we spoke to, assumed they were protected from malicious links — due to the wide assertions made by the platforms in regards to their commitment to privacy and security. Again, not one message service protects you from malicious links.

Why aren’t the platforms doing more?

For the most part, the response I’ve heard from the Platforms, was that their systems are mostly used by companies for internal communication and therefore, anti-phishing and malware security isn’t a priority for them. This is wrong in my opinion, for two reasons;

  1. Even where companies use Slack or another service for “internal communication”, the people are always connected to the outside world — they are the weak link. People are always the weak link. There’s nothing to stop someone from copying a dangerous link from a social network into Slack by mistake — mistakes happen, regularly. And besides, most IT Professionals are more concerned about insider threats than they are external hacks.
  2. Communities using Slack is not a new concept, nor is it unexpected behavior. Take Botkit for example — it’s the world’s most widely used open source chatbot making framework. It has a few thousands members inside their Slack community. And Slack is an investor in Botkit. It was always obvious in my opinion, that communities like this, would use Slack for broadcasting updates and increasing community engagement. The NYT started live blogging on Slack more two years ago.
    Even if these messaging services weren’t originally designed with communities in mind, they should probably redesign them to meet customer usage and expectations.

MetaCert Security for Slack — what’s available now

MetaCert already protects customers of all sizes from malicious links on Slack, HipChat, Skype and Facebook Messenger. But I’m going to talk specifically about Slack.

Our security app silently monitors every message sent across public channels, checking links against our threat intelligence system in real time.

As soon as a dangerous link has been detected, an alert is broadcast to the channel in which it was detected, as well as to the administrator who installed our app. The time delay between detection and alert is less than a third of a second (170ms) — so the risk of someone opening the wrong link is significantly reduced.

As our customer, you get your own threat intelligence dashboard where you can find every link and file shared across your Slack account. It will also provide insight to the most active users and channels. And you get a full CRM — which includes all the contact information for your users (including their email address). So if you have an issue with a member of your community, you can get insight to exactly what they shared and in which channel, up to the point of detection. And then act accordingly with evidence — even if they later delete their messages. We call this forensic evidence.

The screen shot below is a real example of a community that I run within the chatbot industry.

Our Promise

Until recently, Slack didn’t permit third-parties like MetaCert to monitor DMs. It’s now possible. So as soon as we were made aware of the seriousness of phishing attacks via Slack DM throughout the token launch and ICO community by SingularDTV, we decided to dive right in and help address it. And the response from the wider community has been very supportive — which leads me to really believe that they care about security and the protection of their brands and their customers. Kudos, Crypto People! 🖖

We have immediately dedicated an engineer to build a separate security app for the Cryptocurrency industry — designing it with token launches and ICOs in mind every step of the way. If you’d like to join SingularDTV in beta testing new features before they go live, please get in touch. See below for contact details.

The new Crypto anti-phishing app for Slack will include everything the existing app has to offer, plus the following:

  • Protection for DMs. The new app will silently monitor all DMs and the second a phishing link is detected, an alert will be sent to everyone inside that direct message thread. Due to the limitations of the Slack API, it’s not technically possible to prevent the message from being sent — but the alert should deter someone from opening the wrong link.
  • Your personal threat intelligence dashboard will immediately pinpoint who the bad actors are and notify you as the admin, by direct message — in real time. The second a bad actor posts a dangerous link, you’ll know about it. And your dashboard will also provide you with that person’s contact information — including their email address.

We expect to have this update available on or before September 25th 2017.

[Update: I just wrote a post to invite community managers and moderators to beta test our major release today.]

  • The follow-up release to that launch will include a massive feature that will allow administrators to add suspicious links to their own blacklist. This will be the world’s first anti-spear phishing solution for Slack. When you add a link, the app will be updated in realtime. We expect to have this by late September.
  • And the second update will allow token launches and ICOs to share their blacklists with other teams within the community.

All of these features are already available in our HipChat security app, so none of this is new to us from a technical perspective. But Slack DMs being a dangerous place to receive links, is news to us and not something we expected.

Pricing

We are providing incredible pricing plans for the full suite of features listed above and the features listed here. We believe this will help remove pricing from the conversation completely. The only question you need to ask yourself is, “do I want to protect my community and my company from a phishing attack on Slack?”. You can learn more about it and download it from here.

100 users $25
500 users $50
1,000 users $75
3,000 users $125
5,000 users $150
10,000 users $175
More than 10,000 get in touch. paul@metacert[dot]com

No credit card needed. No contract.

We’ve reduced our fees dramatically as we are keen to address this issue for the entire Cryptocurrency world as quickly as possible so we can become the VeriSign of Crypto.

Our goal is to serve 100% of token launches and ICOs that are on Slack.

Install MetaCert for Slack now.

Working with the Community

It’s not all about us and what we build. We’re also taking live feeds from phishing lists created by industry stake holders and aggregating them with our own database. We’ll publish which ones in order to give them full credit for their hard work and the people who helped us to find them.

We’re also labeling domains that haven’t yet been registered but would obviously infringe on trademarks owned by sites such as myetherwallet.com to help prevent problems before the can happen.

Looking for Partners

If you’re a stakeholder, we’d love an opportunity to strike a partnership with you. You might want to become a reseller in return for a revenue share. Or you might want to help tell our story so the wider community benefits with more protection.

Please get in touch with me directly to discuss further paul [at] metacert [dot] com. If you run a token launch, ICO or another similar community on Slack feel free to get in touch directly too.

Crypto Cyber Insurance — the future

We are currently in discussion with a few underwriters about the potential for MetaCert to help token launches and ICOs reduce their insurance premiums — or to create a brand new insurance solution for this industry.

For example, if we can persuade token launches and ICOs to restrict their communication with their community to “Slack + MetaCert” we believe we can demonstrate to insurance underwriters the significant risk reduction— to help bring down insurance premiums and/or provide better coverage — or a new product offering just for our customers.

Token / ICO Trustmark

Trustmarks is an area that I have a lot of experience with. My first company was a trustmark for web standards compliance certification. This provides MetaCert with unique insight to how it can work for token launches and ICOs. We’re playing with the idea of a Trustmark for companies that install MetaCert. I think ICOs should be the first industry to adopt this, as it would help promote an ICO as more secure than others. If there is an appetite amongst ICOs we’ll push this forward.

A little insight about me in the context of this post

The motivation and mission of a founder will tell you everything you need to know about the company. So here’s more insight to my background.

I was part of the team that launched AIM, while working at AOL as the first Technical Accounts Manager and International Beta Coordinator hired outside the US. My first company Segala, was a mobile testing company, later becoming the Trustmark for Web Content Accessibility Guidelines compliance.

I’m one of the original seven founders of the W3C Mobile Web Initiative, where I was the first person to re-write Tim Berners-Lee’s vision of the One Web in the context of mobile devices. I was one of the two people who co-instigated the creation of the W3C Standard for URL Classification and I own a full patent for the checking of URIs for phishing and malware inside an app WebView. So in theory, my W3C work makes it ok to own a patent that prevents anyone else from building an anti-phishing security solution for Slack :)

My research into content labeling and URL Classification started in 2005 so I’ve been doing this for a while. The people I work with at MetaCert are smarter than me — so that’s why and how MetaCert is the best in the world at URL Classification to help protect society from malicious links while using a mobile chat app. Context is everything.

To make a further point about our community contributions… my COO Ian Hayward and I have worked on and off together for the past 10 years. He joined MetaCert a few months ago, with two of his engineers. Together they built the official add-ons for digg, delicious, Yahoo!, AOL, eBay, PayPal and Google. And they built and maintained spreadfirefox.com

So in short, we really do care about industry and we love to contribute to, and even create new communities.

Please tap or click “♥︎” to help to promote this piece to others.

Paul Walsh

Written by

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade