Slashdot Mirror


Highly Targeted Phishing From Salesforce.com Leak

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

16 of 72 comments

  1. ummm... what? by Anonymous Coward · · Score: 5, Insightful

    In such highly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims. In other news, the auto-safety companies are at a loss with respect to fire safety violations in people's homes - they have little chance of quickly developing airbags for threats like leaving a cigarette burning and unattended.

    Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...

    ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

    1. Re:ummm... what? by phantomcircuit · · Score: 4, Funny

      "User education"

      haha .... hahahahahaha.... HAHAHAHAHA

      You had me there. No really what is your solution to phishing?

    2. Re:ummm... what? by Not_Wiggins · · Score: 2

      ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

      Because when your only tool is a hammer, EVERYTHING is a nail.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.

  2. the only option by Lord+Ender · · Score: 3, Interesting

    Because it is against human nature to be completely paranoid and skeptical of every email received, the only reliable way to fight this sort of thing is for everyone to digitally sign email messages through a reliable PKI hierarchy. Only when a federal regulatory body works with all the major email client producers (microsoft, google, etc.) would it be possible for such a thing to actually make it. Under "free market" forces, these companies do not have the incentive to cooperate.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

    1. Re:the only option by eneville · · Score: 2, Informative

      The .pri is usually in the user's home directory... so a browser exploit could read that... For that matter, any exploit in any software that the user can run would normally run with the user's credentials, and thus be able to read it. It shouldn't have read access to anyone else in the department, though... but it's still a possibility. So, use your pass phrases!

  3. AV companies appropriate? by morgan_greywolf · · Score: 5, Insightful

    Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.

    1. Re:AV companies appropriate? by bhima · · Score: 3, Insightful

      'cause if we actually could just "teach people some common sense or something" we would have long ago done so.

      People are the way they are and no amount of you (or me) being smarter than the herd is going to change it.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.

  4. It's not just targeted phishing... by argent · · Score: 4, Funny

    If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

    Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

    Antivirus software can't help.

    Security is like sex.

    Once you're penetrated you're fucked.

    1. Re:It's not just targeted phishing... by argent · · Score: 2, Insightful

      Crying wolf isn't the problem.

      It sure is.

      This isn't just phishing I'm talking about, this is a remote execution attack that works because the user is trained to answer "yes" when they see a security dialog.

      If your software is asking the user "Do you want me to do (dangerous thing)?" often enough that the user is conditioned to respond in the affirmative, that's a problem. Internet Explorer should have had every single capability related to the one that Gator used removed from the browser in 1997. In fact, I honestly expected Microsoft to do the logical thing and back out most of the browser/desktop integration and reimplement it with a "default closed" model that required explicit installation of plugins by the end of that year. Boy was I naive.

  5. When technology is not the answer by DFDumont · · Score: 4, Insightful

    Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most of the cases the fatal flaw in any data security design is the people who run it.

    My point is simply this. Training hours spent with each employee about how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely, testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server would also be effective.

    The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

    Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?

    IMHO technology is not, and should not be thought of as, the solution to all problems.

    Dennis Dumont

    1. Re:When technology is not the answer by value_added · · Score: 2, Informative

      The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

      I think that's a fair representation of the current state of affairs. Moreover, it pretty much sums up the beginning, middle and end of most malware issues. From the article:

      Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and given the chance to decline the execution. Anyone who ignored that warning witnessed yet another social engineering feat. The invading program then produced a pop-up alert complaining that Microsoft Word had crashed, and that the user could double-click on a provided icon to restart Word. It was in double-clicking on that "OK" tab that victims were setting the final stages for allowing a Trojan horse program to invade their machines and record every single keystroke that they typed from there on out.

      Seems to be that user training and education demands too much of everyone, and is too hard and too expensive. Instead, the "Let's continue the search for outside solutions to protect us from ourselves." approach, instead of being regarded as something that resembles the Lord's Prayer, thus becomes a rational business decision.

  6. Were web-based services ever the answer? by Anonymous+Brave+Guy · · Score: 3, Insightful

    Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition.

    True, but this story appears to have started with an employee of an outside service, salesforce.com, succumbing to phishing.

    While you can't entirely beat sociological threats through technological defences, this case doesn't exactly support the standard software-as-a-service provider's argument that by outsourcing your data handling to them, you are avoiding the complexity and problems of doing it yourself. What next, confidential planning documents from a company using one of the web-based office suites get leaked after the office suite business gets tricked? There is a lesson to be learned here.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

  7. Re: law enforcement! by Anonymous Coward · · Score: 3, Funny

    I did this once. I reported the phishing scam e-mails, provided them with the e-mail address, details of the scam and gave them a link to a security website that reported the scam.

    The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."

    In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm, fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.

  8. Re:Screw antivirus, call law enforcement! by gujo-odori · · Score: 4, Interesting

    They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

    They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how many resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

    At the last APWG meet, in Pittsburgh, some researchers from Carnegie-Mellon presented their findings of an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement vs. a control group, and there has been considerable interest in the game.

    A preview version is here, for anyone interested:

    http://cups.cs.cmu.edu/antiphishing_phil/

    License is CC-attribution-non-commercial.

    (I am not affiliated with CMU)

  9. Re:GoldMine by IHC+Navistar · · Score: 2

    Take your crappy sales pitch somewhere else. It's not wanted here.

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
  10. This is incredible by MagicBox · · Score: 3, Informative

    Yes, we were a victim. SalesForce has been extremely, I mean extremely unprofessional and tight-lipped about this incident. In an emergency meeting we had with them, they did claim that the data breach had originally happened in March of this year, yet we were never notified about it so we could put procedures in place and educate our users. We only knew when one of our users "logged in" to the phishing site. Unfortunately the crooks got to the data before we could change the password (within 5 minutes), but we were lucky that nothing "confidential" was downloaded. Regardless, when we called Salesforce, initially they told us that they cannot even share more info other than telling us to change our passwords. Then more emails started coming posing as bank sites etc. We had to go to some incredible lengths to engage the SalesForce people to admit fault and advise on how to proceed in protecting the people. Still, they were less than helpful, or they seemed incompetent to do so.

    Bottom line is, how can you keep such a breach a secret for 7 months without telling your clients at the very least? I have yet to receive an email from them about this. No correspondence has happened between them and us.

    Oh, and the SalesForce "security" person was saying that law enforcement has found where the phisher is located and that "if they have not apprehended him already, they will soon do so".... Whatever. BS.

    --
    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!