Highly Targeted Phishing From Salesforce.com Leak
An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.
Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.
Antivirus software can't help.
Security is like sex.
Once you're penetrated you're fucked.
"User education"
.... hahahahahaha.... HAHAHAHAHA
haha
You had me there. No, really, what is your solution to phishing?
I did this once. I reported the phishing scam e-mails, provided them with the e-mail address, details of the scam and gave them a link to a security website that reported the scam.
The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."
In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm, fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.