Slashdot Mirror


Highly Targeted Phishing From Salesforce.com Leak

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

72 comments

  1. ummm... what? by Anonymous Coward · · Score: 5, Insightful

    In such highly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

    In other news, the auto-safety companies are at a loss with respect to fire safety violations in people's homes - they have little chance of quickly developing airbags for threats like leaving a cigarette burning and unattended.

    Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...

    ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...
    1. Re:ummm... what? by Iphtashu+Fitz · · Score: 1

      I think the post is implying that the phishing attack is using some sort of malware targeted at the individuals. Imagine you're not a security-conscious person and you get an e-mail with an attachment claiming to be from SalesForce.com. The e-mail looks exactly like the kind of e-mail that you're likely to get from them, and the attachment may actually include a Word document or something else that you're likely to get from them. Your virus scanner doesn't warn you that the attachment is a virus/worm/trojan so you open it up and your machine gets rooted as a result. Your response when your local IT guru shows up? "Well Norton AntiVirus didn't flag it as a virus!"

      Phishing has become much more sophisticated. A phisher with access into a company like SalesForce.com may very well send out e-mails that look very realistic to the site's customers but with a payload that only a very savvy internet user might catch on to. What are you supposed to do, give up dealing with ANY company over the internet because you can't be certain if the e-mail you received from them is legitimate or a scam perpetrated by a hacker that got into their systems?

    2. Re:ummm... what? by wud · · Score: 1

      if you rtfa you'll see that the phishing scam was to download malware. so the AV companies would need to fend off the malware.

      --
      wud
    3. Re:ummm... what? by wizardforce · · Score: 1

      Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites
      If the user population were sufficiently educated, spyware, viruses, trojans and phishing wouldn't be nearly the problem it is today. Antivirus software is for defending after the fact- by the time it comes into play you've already lost. Notice that there are few if any AV companies that specialize in OSes that are not frequently targets of viruses trojans etc.. no money to be made. That being said, antiphishing software could very well be merged with AV or antispyware software and sold as such. A lot more of a reason for joe average to buy more software.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    4. Re:ummm... what? by phantomcircuit · · Score: 4, Funny

      "User education"

      haha .... hahahahahaha.... HAHAHAHAHA

      You had me there. No really what is your solution to phishing?

    5. Re:ummm... what? by Not_Wiggins · · Score: 2

      ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

      Because when your only tool is a hammer, EVERYTHING is a nail.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    6. Re:ummm... what? by Suhas · · Score: 1

      malware is malware whether it arrives as an attachment with a Salesforce.com email or from Jody hawking Viagra. A heuristic AV algorithm should find it and flag it as such.

    7. Re:ummm... what? by Anonymous Coward · · Score: 0

      The problem is that AV heuristics are largely reactive rather than proactive. AV companies will release updated definitions in response to large outbreaks of the malware. But when the attacks are highly-targeted, everyone who's at risk for getting infected has already been infected (minus the users who are savvy enough to recognize the threat themselves) by the time the AV companies get wind of the new malware. In this situation, it's largely futile to release updated malware definitions.

      You can argue that the heuristics should be more proactive, but that's very difficult since malware creators have access to AV software and can just keep tweaking their code until it makes it past the detection mechanisms.

    8. Re:ummm... what? by virtual_mps · · Score: 1

      Seriously, what do AV companies have to do with phishing scams?
      [snip] ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

      Well, AV companies are the ones who sold people snakeoil^H^H^H^H^H^H^H^H security in a bottle. It's the AV companies who have built a business model around the message "give us money every year or you won't be 'secure'"; I think it's perfectly reasonable for people to ask them to deliver the "security" they were promised. I can't count the number of times I've seen a user with a malware infection give me a confused look and say "but I've got antivirus installed". The fact is that the AV companies do a really shitty job at protecting people from current threats. The AV software by design only detects old malware that it has signatures for, and malware authors are now changing the malware on a better than daily basis to evade that detection model. AV vendors know that, and push this idea that they have super secret ninja technology that will detect malware that they don't have signatures for, so people shouldn't let that worry them. In the real world, computer science theory will tell you that it isn't possible to look at a program and tell up front whether it's malware--but that's what the AV people have been selling. So, yeah, I think it's past time for people to ask what value they get from their AV product.
  2. the only option by Lord+Ender · · Score: 3, Interesting

    Because it is against human nature to be completely paranoid and skeptical of every email received, the only reliable way to fight this sort of thing is for everyone to digitally sign email messages through a reliable PKI hierarchy. Only when a federal regulatory body works with all the major email client producers (microsoft, google, etc.) would it be possible for such a thing to actually make it. Under "free market" forces, these companies do not have the incentive to cooperate.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:the only option by eneville · · Score: 1

      but this is the sort of case that would work well, since it's a small group of people, perhaps the managers of a few companies could sign at a sales meeting? who knows what is convenient for them.

      but, once a few of them are acquainted, it becomes a stronger web of trust, so mail could easily be verified.

      but if the credentials were phished then i reckon it's not that hard to get the pri key.

    2. Re:the only option by Lord+Ender · · Score: 1

      but if the credentials were phished then i reckon it's not that hard to get the pri key.
      No. There is a big difference between knowing someone's email address and having system/root-level access on their PC (or better yet: physically stealing their smartcard).

      So much money would be saved from fraud by issuing everyone smartcards (say, with their tax returns?) that such a system would pay for itself quickly. It is impossible to steal keys off of a smart card via a remote hack.
      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:the only option by cheater512 · · Score: 1

      Private keys are protected with far more secure methods than most other things.
      That's including credit cards and similar sensitive stuff like that.

      Cacert.org keeps theirs on a secure box whose only connection to the net is a slow serial link.

    4. Re:the only option by Anonymous Coward · · Score: 1, Funny

      Because it is against human nature to be completely paranoid and skeptical of every email received

      Speak for yourself. I completely distrust every e-mail, and have never, ever clicked on an attachment to an e-mail. I've gotten hundreds of phishing scam e-mails... never fell for one.

      When I was sysadmin at a large Fortune 500 company (back in the days of floppies), my policy was that if you got a virus, I had a box of floppy-locks and you got one for a week.... and had to get someone else to read your floppies and save work for you to take home or copy work from the floppy back to the network. Worked great -- sort of a scarlet letter. One person re-offended, and he lost all computer privileges for a week. We should figure out some way to brand a scarlet letter "D" for dumbass onto the foreheads of people that fall for phishing scams.

    5. Re:the only option by Anonymous Coward · · Score: 0

      No wonder everyone hates sysadmins. Christ.

    6. Re:the only option by eneville · · Score: 2, Informative

      the .pri is usually in the user's home directory... so a browser exploit could read that ... for that matter, any exploit in any software that the user can run, would normally run with the user's credentials, and thus be able to read it. it shouldn't have read access to anyone else in the department though... but it's still a possibility. so, use your pass phrases!

    7. Re:the only option by eneville · · Score: 1

      nice idea... i like it, but it's not going to appeal to everyone, as not every one has to fill it in... only certain people who are not on a visa and are over a given age. sufficient enough though to warrant use. what about making a huge key that lasts 10 years at birth? put the owners jpg in it and have the registry office sign it, might as well call it a passport (i don't know if the photo itself is signed in gnupg, should be).

    8. Re:the only option by crabpeople · · Score: 1

      "[sic]Because it is against human nature to be completely paranoid and skeptical of every email received"

      I guess I'm not human then. Homo sapiens sapiens paranoius?

      --
      I'll just use my special getting high powers one more time...
    9. Re:the only option by hostyle · · Score: 1

      Yeah. Of course, on the other hand, everyone loves cleaning up the messes created by morons.

      --
      Caesar si viveret, ad remum dareris.
    10. Re:the only option by Cheesey · · Score: 1

      Could be worse...

      But I don't know if anyone, even the BOFH, would be immune to a sufficiently targeted attack. (Although naturally a targeted attack against the BOFH would be a fatal mistake...)

      --
      >north
      You're an immobile computer, remember?
    11. Re:the only option by Lord+Ender · · Score: 1

      It could be issued with drivers' licenses. It doesn't have to have an expiration any shorter than a human lifespan, as long as a good revocation system is in place.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    12. Re:the only option by Lord+Ender · · Score: 1

      Randomly inserting "[sic]" while you type makes you homo ignoramus.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    13. Re:the only option by Lord+Ender · · Score: 1

      Well, if I were given a $500M budget and were asked to implement it nationally, I would issue smart cards and legislate smart card readers come standard on typical desktop PCs (adding $3 per machine, I suppose).

      And you're wrong on another count. On windows, private keys can only be accessed directly by a user with System level access.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    14. Re:the only option by eneville · · Score: 1

      I think it does need a short life span, otherwise there will be an ipv4/ipv6 phase to go through later on, give it a short life span so that incredible computers in the future cannot reverse the pri key.

    15. Re:the only option by eneville · · Score: 1

      And you're wrong on another count. On windows, private keys can only be accessed directly by a user with System level access.

      No that's a different key, what planet are you on? I'm talking about the gnupg system of pub/pri keys. If what you're saying is true, then my mail reader (when I have accessed mail from a windows box) would have to escalate to a system user, which it never did.

    16. Re:the only option by Lord+Ender · · Score: 1

      GNUPG would not be a major concern on such a project, because the target audience would be primarily windows. Hardware-based smart cards would be the way to go.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    17. Re:the only option by metachimp · · Score: 1

      So, how does this protect joe dumbass from giving up his information voluntarily? If I need a smartcard to verify that it's me who is using the machine, then how does this prevent me from clicking through a phishing attempt and giving over my authority which has already been granted? Am I to understand that none of us have root-level access to our own machines? Forget that. If anything, centrally issued smartcards would simply allow companies who might otherwise be on the hook for bad behavior to simply push it off on users.

      And sure, like I really want a Federally issued smartcard. Do I have any reason to suspect that it won't be used by the feds for all the wrong reasons?

      That is just the worst idea I have heard as a solution to this problem I have *ever* heard.

      --
      The system has failed you, don't fail yourself. --Billy Bragg
    18. Re:the only option by phantomcircuit · · Score: 1

      Are you seriously saying that there should be an email system that can only verify the identity of windows users?

  3. AV companies appropriate? by morgan_greywolf · · Score: 5, Insightful

    Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.

    1. Re:AV companies appropriate? by sjwest · · Score: 1

      I think the article poster is saying that perhaps salesforce.com should pony up and pay the a/v firms to fix the problem being that it affects very few people.

    2. Re:AV companies appropriate? by bhima · · Score: 3, Insightful

      'cause if we actually could just "teach people some common sense or something" we would have long ago done so.

      People are the way they are and no amount of you (or me) being smarter than the herd is going to change it.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    3. Re:AV companies appropriate? by Bill,+Shooter+of+Bul · · Score: 1

      It depends upon the type of phishing. The more traditional fraudulent email can't really be prevented, but there are several related attacks that are the domain of AV. They range from the more typical virus changing your HOSTS file, to more sophisticated attacks against your home router (changing your dns servers to a malicious one). With these you don't need an email. You can even type the name of the website in the address bar, but you'll go to the evil site anyways.

      It's like I sometimes say when I feel like it: build a better mouse trap and God will build a better mouse.

      only this is sort of the reverse where you are the mouse and phishers are the mouse trap builders. So that should be something more like: genetically engineer a better mouse, and the Devil will build a better mouse trap.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
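Added example, not part of the thread or of any commenter's post: a defender-side audit for the HOSTS-file tampering described in the comment above (it does not cover the router DNS case). The watchlist, sample file contents and all `.example` names are constructed assumptions; addresses come from documentation ranges.

```python
import ipaddress

# Address ranges treated as "local"; anything else is an off-network target.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10")]

# Hypothetical watchlist: domains whose resolution should never be overridden.
WATCHLIST = {"examplebank.example", "crm-provider.example"}

# Constructed sample hosts file (not taken from any real incident).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example fileserver
203.0.113.45    www.examplebank.example examplebank.example   # injected entry
0.0.0.0         ads.tracker.example
198.51.100.7    updates.vendor.example
203.0.113.45    login.crm-provider.example
not-an-ip       broken.example
"""


def is_local(addr):
    """True for loopback, unspecified, RFC 1918 and IPv6 local ranges."""
    return any(addr.version == net.version and addr in net
               for net in LOCAL_NETS)


def is_watched(name, watchlist):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist):
    """Return (line number, hostname, address, kind) for suspicious entries.

    kinds: watched-redirect  - watched name pinned to an off-network address
           watched-local     - watched name pinned to a local address
           external-override - other name pinned to an off-network address
           malformed         - first field is not an IP address
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            findings.append((lineno, "", fields[0], "malformed"))
            continue
        for name in fields[1:]:                  # one line may map many names
            name = name.lower().rstrip(".")
            if is_watched(name, watchlist):
                kind = "watched-local" if is_local(addr) else "watched-redirect"
            elif not is_local(addr):
                kind = "external-override"
            else:
                continue                         # ordinary local mapping
            findings.append((lineno, name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, kind in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {lineno}: {kind:17} {name or '-'} -> {addr}")
```

Run it against a copy of the real file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) with a watchlist of the banking and SaaS domains your users actually log in to.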
  4. It's not just targeted phishing... by argent · · Score: 4, Funny

    If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

    Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

    Antivirus software can't help.

    Security is like sex.

    Once you're penetrated you're fucked.

    1. Re:It's not just targeted phishing... by Sigma+7 · · Score: 1

      Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day).

      Crying wolf isn't the problem. Instead, the problem is crying wolf when you can properly handle the wolf without collateral damage.

      For example, some Firefox configurations can be set to block popups from web plugins. However, the common method of setting privacy.popups.disable_from_plugins to 2 prevents you from opening any popup from a plugin even if you wanted to. The correct procedure is to record the URL that needs to be opened (as it does if Javascript tries a popup.) Because of this, Adblock is more effective than the stock implementation.

      The other example is IE6, before SP2 was released. While it correctly cried wolf when it showed something coming from Gator, you couldn't add that publisher to the list of untrusted sources from that alert window.
    2. Re:It's not just targeted phishing... by argent · · Score: 2, Insightful

      Crying wolf isn't the problem.

      It sure is.

      This isn't just phishing I'm talking about, this is a remote execution attack that works because the user is trained to answer "yes" when they see a security dialog.

      If your software is asking the user "Do you want me to do (dangerous thing)?" often enough that the user is conditioned to respond in the affirmative, that's a problem. Internet Explorer should have had every single capability related to the one that Gator used removed from the browser in 1997. In fact, I honestly expected Microsoft to do the logical thing and back out most of the browser/desktop integration and reimplement it with a "default closed" model that required explicit installation of plugins by the end of that year. Boy was I naive.

    3. Re:It's not just targeted phishing... by Svartalf · · Score: 1, Funny

      Boy was I naive.


      Your mistake was in thinking that Microsoft was a Software Company.

      They're nothing of the sort.

      They are an Abuse Company that uses Software as the vehicle to deliver this abuse, as opposed to words, whips, and/or chains. >:-)
      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  5. Screw antivirus, call law enforcement! by necro2607 · · Score: 1

    Like the title of this post says - screw antivirus software, call appropriate law enforcement agencies when you get these phishing attempts!

    1. Re:Screw antivirus, call law enforcement! by Anonymous Coward · · Score: 0

      And they'll do what other than laugh at you?

    2. Re:Screw antivirus, call law enforcement! by Blackknight · · Score: 1

      As if they care.

    3. Re:Screw antivirus, call law enforcement! by gujo-odori · · Score: 4, Interesting

      They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

      They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how much resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

      At the last APWG meet, in Pittsburgh, some researchers from Carnegie-Mellon presented their findings of an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement Vs. a control group, and there has been considerable interest in the game.

      A preview version is here, for anyone interested:

      http://cups.cs.cmu.edu/antiphishing_phil/

      License is CC-attribution-non-commercial.

      (I am not affiliated with CMU)

    4. Re:Screw antivirus, call law enforcement! by necro2607 · · Score: 1

      Thanks for posting something informative & interesting as opposed to the rhetorical "who cares" bullshit other people were posting in response. :)

  6. When technology is not the answer by DFDumont · · Score: 4, Insightful

    Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most of the cases the fatal flaw in any data security design is the people who run it.
    My point is simply this. Training hours spent with each employee about how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server - would also be effective.
    The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."
    Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?
    IMHO Technology is not and should not be thought of as, the solution to all problems.
    Dennis Dumont

    1. Re:When technology is not the answer by value_added · · Score: 2, Informative
      The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

      I think that's a fair representation of the current state of affairs. Moreover, it pretty much sums up the beginning, middle and end of most malware issues. From the article:

      Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and given the chance to decline the execution. Anyone who ignored that warning witnessed yet another social engineering feat. The invading program then produced a pop-up alert complaining that Microsoft Word had crashed, and that the user could double-click on a provided icon to restart Word. It was in double-clicking on that "OK" tab that victims were setting the final stages for allowing a Trojan horse program to invade their machines and record every single keystroke that they typed from there on out.


      Seems to be that user training and education demands too much of everyone, and is too hard and too expensive. Instead, the "Let's continue the search for outside solutions to protect us from ourselves." approach, instead of being regarded as something that resembles the Lord's Prayer, thus becomes a rational business decision.
    2. Re:When technology is not the answer by Anonymous Coward · · Score: 0

      "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

      You can tell by looking at an executable's name if a program is malicious or not? You're good.

    3. Re:When technology is not the answer by Tim+C · · Score: 1

      Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?

      Yes I do, but the alternative is to whitelist the applications that are allowed to run and disallow everything else. That may work fine in the corporate environment, but it would fail utterly in the home environment where the user is the admin.

  7. Were web-based services ever the answer? by Anonymous+Brave+Guy · · Score: 3, Insightful

    Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition.

    True, but this story appears to have started with an employee of an outside service, salesforce.com, succumbing to phishing.

    While you can't entirely beat sociological threats through technological defences, this case doesn't exactly support the standard software-as-a-service provider's argument that by outsourcing your data handling to them, you are avoiding the complexity and problems of doing it yourself. What next, confidential planning documents from a company using one of the web-based office suites get leaked after the office suite business gets tricked? There is a lesson to be learned here.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  8. Monoculture by Colin+Smith · · Score: 1

    ....Actually I can't be bothered.

    --
    Deleted
  9. Here's a suggestion by Colin+Smith · · Score: 1

    Fire the people who are infected.

    --
    Deleted
    1. Re:Here's a suggestion by Anonymous Coward · · Score: 0

      Riiiiiiiiigggggght. So who's going to be the one to walk in and fire the CEO?

  10. Re: law enforcement! by Anonymous Coward · · Score: 3, Funny

    I did this once. I reported the phishing scam e-mails, provided them with the e-mail address, details of the scam and gave them a link to a security website that reported the scam.

    The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."

    In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm, fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.

  11. Yeah right. by clayne · · Score: 0

    "Stolen", my ass.

  12. So, if bogus sales are transacted, then would by davidsyes · · Score: 1

    these be ...

    SALESFORCED?

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  13. Re:I've been meaning to ask by sussane · · Score: 0

    one of my friends is a victim of this latest phishing attack. He lost over $150 :(

    --
    Best Regards, Eliena Andrews
  14. Re: law enforcement! by Anonymous Coward · · Score: 0

    If I ever go into phishing, I know who my first target will be: Canadian law enforcement.

  15. Re: law enforcement! by necro2607 · · Score: 1

    While I haven't reported phishing specifically, I've reported spam (both of which are unsolicited emails, by the way, with phishing actually being notably more harmful), and gotten a response nearly every time that the issue will be pursued (although in these cases I contacted the ISPs that owned the IPs that were sending out emails, and this was in the late 90s where the net wasn't full of millions of zombified PCs so it was easier for ISPs to pursue).

    Either way, sure, I imagine a lot of the time you'll get lame "too bad" responses, but phishing is still considered illegal all over North America and Europe. Please see here for a bit of text about the legal response to phishing attacks. Note the guy mentioned at the end facing a potential maximum of 101 years in jail for phishing thousands of AOL users.

  16. Technological solutions and behavioral problems by DragonHawk · · Score: 1

    Not everything can be addressed through technology. This is such a case.

    Indeed. This was a people problem, through and through.

    I note that, in their list of things SalesForce.com says they are doing to make sure it doesn't happen again, conspicuously absent is anything to do with people.

    "There are seldom good technological solutions to behavioral problems." -- Ed Crowley

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  17. SugarCRM by MrKaos · · Score: 0, Offtopic
    I recently did a comparison between Salesforce and SugarCRM and found Sugar was surprisingly good in comparison to SF. Plus you have the option of hosting the application in house thus avoiding a 3rd party handling your company data, or being on a list of third parties that could be subject to these sorts of scams.

    --
    My ism, it's full of beliefs.
    1. Re:SugarCRM by MrKaos · · Score: 1
      How is this OT if I am pointing out an open source alternative to SF (i.e this is not an advertisement) that by-passes the possibility of phishing for data?

      Moderation without investigation is frustration - maybe some Salesforce people are scared that people will spread the word that there is a free alternative to their product that doesn't own your business data or charge you for the privilege of accessing it.

      Did I say surprisingly good in comparison, let me rephrase that...

      SugarCRM KICKS SALESFORCE ASS

      Maybe that will show up on Google's next robot of slashdot. Of course I may just think that paying for someone else to own your data and allow it to be accessed by fraudsters, lose it in database backup failures, charge you an unexpected extra fee for exceeding your storage capacity or charge you extra for doing additional marketing on your client base is dumb, but that's just me.

      It's just I think that Open Source makes Software As A Service (or SAAS if you like trendy little acronyms that mean nothing) redundant or Owned with a capital P, especially when SugarCRM does 80% or more of what SF does for no charge. So let me re-iterate, if you are considering a SF purchase...

      SugarCRM KICKS SALESFORCE ASS

      Disclaimer: I am in no way associated with SugarCRM in any way!

      --
      My ism, it's full of beliefs.
    2. Re:SugarCRM by MrKaos · · Score: 1

      And just to prove that freedom of speech is more important than Salesforce shills let me just say again ....

      SugarCRM KICKS SALESFORCE ASS

      because it will be interesting if I get modded down again, just for saying...

      SugarCRM KICKS SALESFORCE ASS

      But I can always just continue to re-post the same comment.

      Disclaimer: I am in no way associated with SugarCRM in any way!

      --
      My ism, it's full of beliefs.
  18. Re:GoldMine by Anonymous Coward · · Score: 0

    Out of the box, it doesn't really do anything, and it takes time (and some expensive labor) to build the interface specifically to meet a given company's needs. Unless you have tons of money to burn and highly specialized needs, this solution is HUGE overkill.

    Interesting insight. Have you taken a look at nexj? I'd be interested to hear what others have found out...don't see any reviews out there yet.

  19. Re:GoldMine by IHC+Navistar · · Score: 2

    Take your crappy sales pitch somewhere else. It's not wanted here.

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
  20. Re:GoldMine by Anonymous Coward · · Score: 0

    Goldmine is a relic from the past. Not even their latest version saves it from looking like a modern application with last decade's technology under the hood. My company forces it upon everyone here and they hate it with a passion. It's unreliable, unintuitive, has tons of quirks (doesn't operate across multiple timezones? our Scandinavian sister company has to arrange appointments 1 hour behind their actual time as the main server is in the UK) and worst of all is the cost. Last time I looked we are shelling out over £400 a license for this floating turd of a package. It needs to die, it needs to die now and nobody ever speak its name again.

  21. Re:GoldMine by Chas · · Score: 1

    "It's not wanted here."

    Since the person was asking about CRM solutions (even if the original question was off-topic), evidently it was.

    And if that qualifies as a sales pitch, something is wrong.

    I'm a technician, not a sales guy. I, personally, don't give a shit WHAT he winds up with.

    So take your crappy attitude somewhere else. It's not wanted here.

    --


    Chas - The one, the only.
    THANK GOD!!!
  22. Re:GoldMine by Chas · · Score: 1

    "Goldmine is a relic from the past."

    Ah. Starting with an attack, instead of delineating real problems. Good form!

    "Not even their latest version saves it from looking like a modern application with last decade's technology under the hood."

    What is the "latest version" you're on?

    "My company forces it upon everyone here and they hate it with a passion."

    Great. Bandwagoning.

    If you're an Outlook-head, I can see why you might not like it. The fact is, it's much easier to network and maintain than Outlook is. It's also more flexible.

    "It's unreliable"

    Really? Sounds like you're on an old DBase version on a shaky network. GoldMine malfunctioning tends to be an indicator that there are other, underlying problems on the network. If you're getting GoldMine specific errors, likely you have configuration issues.

    A stupid VAR is not GoldMine's fault.

    "unintuitive"

    Which means you're so caught up in "OMGWTFBBQ it's not Outlook!" that you won't bother to actually learn the interface, like you would with any other application out there.

    "has tons of quirks (doesn't operate across multiple timezones? our Scandinavian sister company has to arrange appointments 1 hour behind their actual time as the main server is in the UK)"

    This definitely points to configuration issues.

    And one problem hardly qualifies as "tons".

    "Last time I looked we are shelling out over £400 a license for this floating turd of a package."

    That's about right. About £88 is the software maintenance. This provides essentially unlimited free support from FrontRange, as well as access to ALL updates of the product for a year.

    "It needs to die, it needs to die now and nobody ever speak its name again."

    Question, oh brave one posting as AC. Are you a sales guy? Or a tech?

    --


    Chas - The one, the only.
    THANK GOD!!!
  23. This is incredible by MagicBox · · Score: 3, Informative

    Yes, we were a victim. SalesForce has been extremely, I mean extremely unprofessional and tight lipped about this incident. In an emergency meeting we had with them, they did claim that the data breach had originally happened in March of this year, yet we were never notified about it so we can put procedures in place and educate our users. We only knew when one of our users "logged in" to the phishing site. Unfortunately the crooks got to the data before we could change the password (within 5 minutes), but we were lucky that nothing "confidential" was downloaded. Regardless, when we called Salesforce, initially they told us that they cannot even share more info other than telling us to change our passwords. Then more emails started coming posing as bank sites etc. We had to go to some incredible lengths to engage the SalesForce people to admit fault and advise on how to proceed in protecting the people. Still, they were less than helpful or they seemed incompetent to do so.

    Bottom line is, how can you keep such a breach a secret for 7 months without telling your clients at the very least? I have yet to receive an email from them about this. No correspondence has happened between them and us.

    Oh, and the SalesForce "security" person was saying that the law enforcement has found where the phisher is located and that "if they have not apprehended him already, they will soon do so".... Whatever. BS.

    --

    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  24. Salesfarce by Anonymous Coward · · Score: 0

    Salesforce.com has always been extremely good at keeping their customers out of the loop on internal problems. They scraped through a major datacenter and database meltdown a few years ago, denying any major problems while bleeding customers through the event. They tout the security of customers' customer data, stating that it cannot be accessed by the masses - another claim now brought into question by this event. Aggressive account manager shuffling keeps customers from finding anyone accountable for more than a few weeks while product features and releases continue to slip.

    This seems to have turned into an anti-Salesforce rant. Not the intent, but easy to do with these jokers.