Shortly after the Fourth of July, a number of blockchain companies were targeted by a phishing scam wherein a malicious actor or group sent reminders through the Slackbot imploring users to log in to MyEtherWallet (MEW). Users who clicked on the attached hyperlink were redirected to myether.com.co, a site impersonating MEW. It seems that the false front allowed the scammer(s) to collect wallet details from their victims.
Fortunately, most users quickly caught on to the scam, realizing that the hyperlink to MyEtherWallet was fake, as evidenced by the “.co” at the end.
In some iterations, the phishing scheme employed a “.su” domain. This was originally assigned as the top-level domain of the Soviet Union.
Sadly, at least one user was caught in the crosshairs of the scam. ragnar_the_king later posted in BAT Slack’s community channel, “I hate myself for falling [for] that dumb scam.” Ragnar lost 950 BAT, equivalent to approximately $85 as of July 10 according to CoinMarketCap.
On Reddit, the BAT team warned users of the phishing scam. Luke Mulks, senior ad tech specialist at Brave Software, worked to delete the malicious user, disabled Slackbot messages, and reported the issue directly to Slack’s own security team.
On Twitter, @SlackHQ addressed concerns that the scam artist(s) abused the reminder command. Unfortunately, the Slack team did not provide an immediate solution.
The Status Slack was also a target of the phishing attack. On July 9, co-founder Carl Bennetts posted a warning to community members.
Slack channels of some of the most prominent blockchain companies saw post after post of users calling for the ban of scam accounts. Many corporate leaders took proactive measures to alert users, as exemplified by this message posted by Jorge Izquierdo, technical lead at Aragon:
It’s heartening to see the crypto community policing itself, but ultimately, this latest incident reveals a weakness in the environment. On the Colony Community Slack, user slylandro posed the question on everyone’s minds: “Is Slack really the best choice for chat platform?”
At the time of publication, neither Slack nor MyEtherWallet had responded to requests for comment.