[ISN] Salesforce tight-lipped after phishing attack

From: InfoSec News (alerts@private)
Date: Wed Nov 07 2007 - 23:13:08 PST


http://news.zdnet.co.uk/security/0,1000000189,39290616,00.htm

By Tom Espiner  
ZDNet.co.uk
07 Nov 2007

Salesforce.com is refusing to reveal details of a security breach caused 
when one of its employees surrendered their password in a phishing 
attack against the company.

Details of Salesforce.com's customers were stolen as a result of the 
password being surrendered, the CRM services company admitted to customers 
on Monday.

But, when contacted by ZDNet.co.uk, the company refused to say whether 
any UK customers had been affected, whether any financial damage had 
occurred, and whether any disciplinary action had been taken against any 
employees as a result of the security incident. It offered no other 
comment on the matter.

Salesforce.com first noticed a possible security breach when it saw a 
rise in phishing attacks directed against customers "a couple of months 
ago". Upon investigation, the company found that one of its employees 
had been "tricked" into disclosing a password, allowing a customer list 
to be stolen, according to Monday's letter, which was sent to customers 
by executive vice president of technology Parker Harris.

"We learned that a Salesforce.com employee had been the victim of a 
phishing scam that allowed a Salesforce.com customer contact list to be 
copied," wrote Harris. "To be clear, a phisher tricked someone into 
disclosing a password, but this intrusion did not stem from a security 
flaw in our application or database."

The information in the contact list included individuals' names, company 
names, email addresses, telephone numbers of Salesforce.com customers 
and "related administrative data belonging to Salesforce.com", said 
Harris.

Once the phishers had the contact list, they attempted to phish 
Salesforce.com customers. "Unfortunately, a very small number of our 
customers who were contacted had end users that revealed their passwords 
to the phisher," wrote Harris.

The domino effect continued. Not content with the security breaches 
already achieved, the phishers began to target Salesforce.com customers 
with malware. "A few days ago a new wave of phishing attempts that 
included attached malware software that secretly installs viruses or 
keyloggers appeared and seemed to be targeted at a broader group of 
customers," wrote Harris, who added that this fresh wave of attacks was 
what prompted Salesforce.com to publish the security letter.

Salesforce.com said it had been working with the group of affected 
customers "to enhance their security", and with law enforcement and 
industry experts to trace what had happened. It said it was monitoring 
and analysing logs to be able to alert customers who have been, or could 
still be, affected by the incident, and that it was "reinforcing 
[employee] security education, and tightening access policies within 
Salesforce.com".

Harris's letter recommended that customers activate IP address 
restrictions so users can only access Salesforce.com from the corporate 
network or VPN, educate employees about phishing, and deploy email 
filtering and anti-malware software. Customers should also designate a 
security contact to liaise with Salesforce.com, consider using 
two-factor authentication, and attend a security webinar on 8 November 
on Salesforce.com's website.
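The first of those recommendations, restricting logins to corporate or VPN source addresses, is worth seeing in concrete form. The following is an added example, not code from the article or from Salesforce.com (whose IP restriction feature is a product setting, not shown here): it checks a login's source address against an allowlist of CIDR ranges and, run over a few constructed audit lines, lists the successful logins that came from outside those ranges. Under an enforced restriction those logins would have been denied; in the incident described above, where passwords were phished before any restriction was in place, the same check run over historical logs is the audit that separates sessions needing investigation from normal ones. The address ranges and log lines are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed allowlist: office egress and VPN pool (documentation ranges,
# not any real organisation's addresses).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (constructed)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN concentrator pool (constructed)
]


def is_allowed(source_ip: str, ranges=CORPORATE_RANGES) -> bool:
    """Return True only if the login source address is inside an approved range.

    A malformed address fails closed: it is treated as not allowed rather
    than raising, so a garbled or spoofed header never bypasses the policy.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


# Constructed login-audit lines: timestamp, user, source IP, outcome.
SAMPLE_LOG = """2007-11-05T09:12:03Z alice@example.com 203.0.113.45 LOGIN_OK
2007-11-05T09:14:51Z bob@example.com 198.51.100.17 LOGIN_OK
2007-11-05T22:41:09Z alice@example.com 192.0.2.77 LOGIN_OK
2007-11-06T03:05:22Z carol@example.com 192.0.2.78 LOGIN_OK
2007-11-06T03:06:10Z carol@example.com not-an-ip LOGIN_OK
2007-11-06T08:30:00Z dave@example.com 192.0.2.90 LOGIN_FAIL"""


def parse_login(line: str) -> Tuple[str, str, str, str]:
    """Split one whitespace-delimited audit line into its four fields."""
    ts, user, ip, outcome = line.split()
    return ts, user, ip, outcome


def flag_out_of_policy_logins(log_text: str,
                              ranges=CORPORATE_RANGES) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, ip) for every successful login from outside the allowlist.

    Failed logins are ignored: the question is which sessions were actually
    established from an address the policy would not have permitted.
    """
    flagged = []
    for line in log_text.splitlines():
        ts, user, ip, outcome = parse_login(line)
        if outcome == "LOGIN_OK" and not is_allowed(ip, ranges):
            flagged.append((ts, user, ip))
    return flagged


if __name__ == "__main__":
    for ts, user, ip in flag_out_of_policy_logins(SAMPLE_LOG):
        print(f"{ts} {user} logged in from {ip}, outside corporate/VPN ranges")
```

The same `is_allowed` check placed in front of session creation is the enforcement form of the policy; the log-scanning form is what an incident responder runs afterwards. Note that an allowlist of this kind only helps if the VPN itself requires something stronger than the password that was phished, which is why the letter pairs it with the two-factor authentication recommendation.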

Mark Sunner, chief technology officer for email-filtering company 
MessageLabs, claimed that Salesforce.com had "had an issue with the 
message filtering", and an issue with disseminating security information 
to employees. He recommended companies use a mixture of education and 
technical means to mitigate corporate data-theft phishing attacks.

"Employees have to be very sceptical about any requests for information 
over email, IM or telephone," said Sunner. "You have to have message 
filtering, but also educate people that this bad stuff is out there." 
Sunner added that users need to be aware that posts on social-networking 
sites such as Facebook could be used by phishers to harvest information.

This archive was generated by hypermail 2.1.3 : Wed Nov 07 2007 - 23:29:04 PST