Highly Targeted Phishing From Salesforce.com Leak
An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...
Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.
Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most cases, the fatal flaw in any data security design is the people who run it.
My point is simply this. Training hours spent with each employee on how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely, testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server would also be effective.
The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."
Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?
IMHO, technology is not, and should not be thought of as, the solution to all problems.
Dennis Dumont
Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition.
True, but this story appears to have started with an employee of an outside service, salesforce.com, succumbing to phishing.
While you can't entirely beat sociological threats through technological defences, this case doesn't exactly support the standard software-as-a-service provider's argument that by outsourcing your data handling to them, you are avoiding the complexity and problems of doing it yourself. What next, confidential planning documents from a company using one of the web-based office suites get leaked after the office suite business gets tricked? There is a lesson to be learned here.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Crying wolf isn't the problem.
It sure is.
This isn't just phishing I'm talking about, this is a remote execution attack that works because the user is trained to answer "yes" when they see a security dialog.
If your software is asking the user "Do you want me to do (dangerous thing)?" often enough that the user is conditioned to respond in the affirmative, that's a problem. Internet Explorer should have had every single capability related to the one that Gator used removed from the browser in 1997. In fact, I honestly expected Microsoft to do the logical thing and back out most of the browser/desktop integration and reimplement it with a "default closed" model that required explicit installation of plugins by the end of that year. Boy, was I naive.