Want to know why Symantec spent $350 million to acquire data loss prevention firm Vontu? Salesforce.com just found out why.
Salesforce.com is doing damage control after a gullible employee inadvertently revealed a customer contact list to a phisher, which has, in turn, allowed the scam artists to engage in targeted phishing attacks against Salesforce’s customers.
In a letter sent to customers yesterday and posted on Salesforce.com’s home page, Executive Vice President Parker Harris informed customers that a Salesforce.com employee had been the victim of a phishing scam that allowed a customer contact list to be copied.
“To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database,” he wrote. User gullibility is most often the cause of such breaches and, apparently, was the case here as well.
The phisher got away with the first and last names, company names, e-mail addresses and telephone numbers of Salesforce.com customers, as well as related administrative data belonging to Salesforce.com.
The result is that these customers have been receiving bogus e-mails that look like Salesforce.com invoices but are not. These are what some security experts refer to as “spear phishing,” since they are targeted at a specific victim. Salesforce.com did not say who the targets are, but the Washington Post reports that SunTrust Bank and Automatic Data Processing (ADP), one of the nation’s largest payroll and tax services providers, are among the targets.
In his letter, Harris said “a very small number” of customers who were contacted by the spear phishers revealed their Salesforce.com passwords to the phisher. He also said that in recent days, a new wave of phishing attempts that included attached malware files, like key loggers, was being aimed at a broader group of customers.
Chenxi Wang, principal analyst for security and risk management at Forrester Research, said this threat will only increase. “Phishers are getting more sophisticated: their attacks have gotten a lot more targeted than the old days, where phishing was typically more random and ad-hoc,” he said in an e-mailed comment to InternetNews.com. “Targeted phishing attacks promise more return profit. I anticipate that we’ll see more targeted phishing attacks in the future.”
Salesforce.com is taking a number of steps to address the problem, including monitoring and analyzing logs to alert customers who have been affected, consulting with security vendors, going after fraudulent sites, reinforcing security education, tightening access policies within Salesforce.com and evaluating new security technologies.
The company is holding an educational Webinar on Thursday to discuss changes and best practices.
Randy Abrams, director of technical education for antivirus firm ESET Software, reiterated a familiar mantra in his job as an educator: train your staff well. “Employees with access to sensitive information need to be well trained on social engineering attacks,” he said in an e-mailed comment to InternetNews.com.
“It would be a very good idea for companies to start phishing their own employees. I’m not talking about stealing bank account or other information. I’m talking about tricking them into entering their usernames and passwords for corporate accounts when they clearly should not. This approach identifies the people who most need the education,” he added.