Successful phishing at Salesforce.com

Date Reported:
11/06/07

Organization:
Salesforce.com, Inc.

Contractor/Consultant/Branch:
None

Victims:
Salesforce.com customers

Number Affected:
Unknown*

*"As of January 31, 2007, the Company’s customer base had grown to approximately 29,800 worldwide, and it had approximately 646,000 paying subscriptions." - Reuters

Types of Data:
First and last name, company name, email address, telephone number and "related administrative data belonging to salesforce.com."

Breach Description:
A Salesforce.com employee inadvertently divulged access information (a password) after falling for a phishing attack.  That access allowed an unauthorized party to copy a salesforce.com customer contact list and other administrative data.  The copied information is in turn being used by criminals to carry out targeted (spear) phishing attacks against salesforce.com customers.

Reference URL:
Salesforce.com Email Announcement
ITPro.com Story
ComputerWorld Story

Report Credit:
Parker Harris, EVP Technology at Salesforce.com

Response:
From the official Salesforce.com letter to customers titled "An Important Letter About Security" and online sources cited above:

"It's time to take more action to prevent phishing. For salesforce.com, that means alerting our customers to specific new threats, raising awareness around the issue, educating administrators about key steps they can take today, and continuing to define, develop, and deploy the technologies that deliver customer security and success. In this note, we'll clarify recent issues and outline what our customers can do to increase security."
[Comfyllama] This is how the salesforce.com letter to customers starts out.  This opening paragraph sounds like Salesforce.com is doing a great job of educating their customers.  If I didn't know better, it would sound as though Salesforce.com is being proactive and informative.

"Phishing and malware are Internet scams on the rise. As salesforce.com's community approaches one million subscribers, it has become an increasingly appealing target for phishers. In fact, we have seen a rise in phishing attempts directed at salesforce.com customers over the past few months."
[Comfyllama] This is the second paragraph of the letter.  Still no mention of any specific problems, but more feel-good statements meant to make me feel as though Salesforce.com is proactive and safe.

"When we first saw signs of this sudden rise, we conducted a thorough analysis. We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. "
[Comfyllama] Say what?  So, the letter starts out by informing customers how important it is to "prevent phishing" and delivering "customer security", and customers are now informed that Salesforce.com did NOT "prevent phishing" or deliver "customer security".  I am disappointed that customers are not informed of this breach until the 3rd paragraph of the letter!

"To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."
[Comfyllama] The "someone" being referred to is someone who had privileged access to customer information.  It is true that this breach did not stem from a technological control failure, but it DID stem from an administrative and educational failure.  I don't feel any better or worse.

"Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com."

"As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not; they were also phishes."
[Comfyllama] This is important to point out.  Although Social Security numbers and financial data were not disclosed in this breach, the information that was gathered makes it much easier (and more likely to succeed) for an attacker to use those specific details in targeted phishing attacks, called "spear phishing".  Spear phishing has proven to be a lucrative enterprise for criminals.

"Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher."

"Our support and security teams have been working with the small group of affected customers to enhance their security and with law enforcement authorities and industry experts in an effort to trace what occurred and prevent further attempts."

"However, a few days ago a new wave of phishing attempts that included attached malware (software that secretly installs viruses or key loggers) appeared and seemed to be targeted at a broader group of customers. That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness."

"What We Are Doing
Customer security is the foundation of customer success, so we have been implementing and will continue to implement the best possible practices and technologies in this area. Our recent and ongoing actions include:
  • Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected
  • Collaborating with leading security vendors and experts on specific threats
  • Executing swift "takedown" strategies on fraudulent sites (often within an hour of detection)
  • Reinforcing security education and tightening access policies within salesforce.com
  • Evaluating and developing new technologies both for our customers and for deployment within our infrastructure. We will regularly update you on these security innovations."
[Comfyllama] Excellent!  I especially like the "collaborating with leading security vendors and experts" and "reinforcing security education".  The benefit of good information security training and awareness has long been underestimated in my opinion.  The third bullet-point regarding takedowns of phishing sites is futile, but necessary.
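The first bullet above ("actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected") is the detection side of the same check that the letter later asks customers to enforce by activating IP range restrictions.  The following is an added example, not code from this post or from Salesforce.com: it runs a source-IP range check over a few constructed login records (the log format, the user names and the allowed networks are all assumptions for the example; the addresses come from the documentation ranges) and shows both the enforcement decision at login time and the after-the-fact alert view.

```python
import ipaddress

# Constructed for this example: the networks a hypothetical customer logs in
# from, i.e. its corporate egress range and its VPN concentrator.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample login records, one per line: timestamp user source_ip outcome.
# Not real Salesforce logs; the format is an assumption made for this example.
SAMPLE_LOG = """\
2007-11-05T08:12:03Z alice@example.com 203.0.113.17 success
2007-11-05T08:15:41Z bob@example.com 198.51.100.9 success
2007-11-05T22:47:19Z alice@example.com 192.0.2.55 success
2007-11-05T22:48:02Z carol@example.com 192.0.2.55 failure
2007-11-06T01:03:30Z bob@example.com 2001:db8::1 success
"""


def parse_log(text):
    """Parse the whitespace-separated records above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        records.append({"ts": ts, "user": user, "src": src, "outcome": outcome})
    return records


def in_allowed_range(src, ranges=ALLOWED_RANGES):
    """True if src (IPv4 or IPv6) falls inside any allowed network.
    The ipaddress module treats mixed-version membership as False, so an
    IPv6 source is never matched by an IPv4 range (and vice versa)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ranges)


def login_decision(src, ranges=ALLOWED_RANGES):
    """What an IP range restriction does at login time: allow from the listed
    ranges, deny everywhere else, regardless of whether the password is right."""
    return "allow" if in_allowed_range(src, ranges) else "deny"


def flag_out_of_range_logins(records, ranges=ALLOWED_RANGES):
    """Detection view: successful logins from outside the ranges. Failed attempts
    are skipped; the event worth alerting on is a phished password that WORKED
    from a network the customer does not use."""
    return [r for r in records
            if r["outcome"] == "success" and not in_allowed_range(r["src"], ranges)]


if __name__ == "__main__":
    for r in flag_out_of_range_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {r['ts']} {r['user']} logged in from {r['src']} (outside allowed ranges)")
```

One caveat a practitioner should keep in mind: a source-IP allowlist is not an authentication factor in the usual sense (something you know, have or are).  It stops a phished password from being used from the attacker's own network, which is exactly the case in this incident, but the malware-laden second wave the letter describes (key loggers on an end user's machine) runs from inside the permitted range and sails through.  That is why the letter's separate suggestion of RSA tokens or other genuine two-factor techniques belongs alongside it, not instead of it.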

"What We Recommend You Do
Salesforce.com is committed to setting the standards in software as a service for being an effective partner in customer security. So, in addition to our efforts, we strongly recommend that our customers implement the following changes to enhance security:
  • Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
  • Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts
  • Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection
  • Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
  • Consider using other two-factor authentication techniques including RSA tokens and others
  • Attend an educational Webinar on Thursday, November 8 in which our experts will walk you through these recommended changes and best practices. Visit www.salesforce.com/security for details."
[Comfyllama] All good tips.  The one "rule of thumb" that I teach to my end users is NEVER click on a link that leads to a login page AND log in.  Always type URLs to login pages (or other pages requesting confidential information) manually.
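The reason the "type the URL yourself" rule works is that the link in a phishing "invoice" rarely points where its text suggests.  As an added illustration that is not part of the original post or of any Salesforce.com guidance, the following checks where a link actually leads against a short allowlist of trusted login hosts.  The trusted host names, the sample links and the fake domains are all constructed for the example (a real deployment would list its own instance hosts).

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts at which the genuine login page lives.
TRUSTED_LOGIN_HOSTS = {"login.salesforce.com", "www.salesforce.com"}


def link_host(url):
    """Return the host a browser would actually connect to, or None for
    schemes a login link should never use (javascript:, data:, ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname discards userinfo ("user@") and the port and lowercases, so
    # "https://login.salesforce.com@203.0.113.5/" resolves to 203.0.113.5.
    return parts.hostname


def is_trusted_login_link(url, trusted=TRUSTED_LOGIN_HOSTS):
    """Exact host match only: suffix tricks such as login.salesforce.com.evil.example
    fail, as do raw IP addresses, non-ASCII (homoglyph) hosts and punycode
    (xn--) labels, which are rejected rather than decoded."""
    host = link_host(url)
    if not host:
        return False
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host in trusted


# Constructed sample links of the kind a phishing "invoice" might carry.
SAMPLE_LINKS = [
    "https://login.salesforce.com/",
    "https://login.salesforce.com.invoice-portal.example/login",
    "https://login.salesforce.com@203.0.113.5/login",
    "http://203.0.113.5/salesforce/login.html",
    "https://lоgin.salesforce.com/",  # Cyrillic 'о' (U+043E) in place of Latin 'o'
    "javascript:window.open('https://login.salesforce.com')",
]


def classify_links(urls=SAMPLE_LINKS):
    """Pair each link with the verdict, so the results can be inspected or asserted on."""
    return [(u, is_trusted_login_link(u)) for u in urls]


if __name__ == "__main__":
    for url, ok in classify_links():
        print(("trusted   " if ok else "SUSPICIOUS") + "  " + url)
```

Only the first link passes; every other one contains the string "login.salesforce.com" somewhere, which is precisely why a user reading the link text cannot be expected to tell them apart.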

"Unfortunately, phishing is a reality on the Internet these days. But with the right mix of awareness, education, and preventive technology, the consequences of phishing don't have to be part of that reality."

"There is no finish line on security, so we hope that this information will foster more communication between salesforce.com and its customers on this very important matter."
[Comfyllama] Amen!

Commentary:
I didn't realize how wildly popular Salesforce.com is until reading about it for this report.  This breach is proof that the most stringent of technological controls can be easily defeated by a simple human mistake.  Phishing is a form of social engineering, and social engineering has proven to be the most successful attack in history.  The most effective method of preventing phishing and other social engineering attacks is regular security training and constant awareness.

An interesting and promising technical control that may prove successful against phishing attacks is "Behavioral Intelligence" by Tier-3, but as long as human beings are involved, social engineering will be successful.

Past Breaches:
Unknown



 