Phishing-based breach of salesforce.com customer data is more evidence of industry's need to act on spam. Now.


Last night, in a notice urging vigilance and a series of best practices, salesforce.com sent an e-mail to its customers notifying them that a variety of recent phishing attacks -- both against salesforce.com employees as well as against salesforce.com customers -- were successful at compromising their targets. Although the connection isn't absolutely clear, it appears as though a phisher was successful at socially engineering a salesforce.com staffer into revealing personally identifying data about salesforce.com's customers which in turn may have led to phishing attempts on those customers, some of which were successful. Said the e-mail:

...we have seen a rise in phishing attempts directed at salesforce.com customers over the past few months... When we first saw signs of this sudden rise, we conducted a thorough analysis. We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database. Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers...

...As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not—they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher...

The e-mail then goes on to mention that an additional phishing attack, perhaps broader in reach among salesforce.com customers, had been detected -- one that includes malware (e.g., keystroke loggers) designed to surreptitiously gather information such as user IDs and passwords from the victim's systems.

Whereas the initial "phish" of salesforce.com customers was apparently limited in scope to a small subset of salesforce.com's overall customer base (the list of customers whose data was socially engineered out of the aforementioned salesforce.com employee), this more recent wave targeting salesforce.com customers (the one that includes the malware payload) is probably more of a traditional phish, whereby the phishers blanket their own database of targets hoping that some percentage of them are indeed salesforce.com customers, and that some percentage of those take the bait.

The e-mail from salesforce.com notes how the on-demand CRM service provider is near its 1 million-subscriber mark -- a number that puts salesforce.com in rare company, but a number that also commands the attention of phishers, whose likelihood of success is very much tied to the popularity of the companies they impersonate. The more popular the company they impersonate (i.e., eBay, Bank of America, PayPal, etc.), the greater the likelihood that the inboxes they spam with their phishing attempts will belong to the customers of those businesses. That's why they call it phishing (the phishers are fishing for customers).

In some twisted way, you know you've finally hit the big time when the phishers start to impersonate your company. While salesforce.com founder and CEO Marc Benioff would just as soon do without that acknowledgment of his achievement, the e-mail is evidence that his team is wasting no time in reaching out to customers with a refreshing level of transparency as well as some strong recommendations on how to harden themselves against phishing attempts. For example, on the to-do list that's included with the e-mail is the following action item:

Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.

The image (above left) shows the part of the salesforce.com user interface where administrators can whitelist the IP address ranges from which users can access their accounts. It's definitely a cool anti-phishing feature that more services should consider offering as an optional administrative control.
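The value of the IP range restriction described above is that a phished password alone is no longer enough: the login also has to originate inside the allowlisted ranges. The following is an added example of that check, not salesforce.com's code or configuration; the CIDR ranges and the login events are constructed from reserved documentation address space, and the function names are my own.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed allowlist standing in for "corporate network or VPN". These are
# IETF documentation ranges, not anyone's real addresses.
CORPORATE_RANGES = [
    "203.0.113.0/24",    # office NAT egress
    "198.51.100.0/25",   # VPN concentrator pool (.0 - .127 only)
    "2001:db8:1::/48",   # IPv6 office prefix
]


def parse_ranges(ranges: Iterable[str]) -> list:
    """Parse CIDR strings once at startup; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def login_allowed(client_ip: str, networks: list) -> bool:
    """True only if the client address lies inside an allowlisted network.

    Unparseable input is denied rather than raising: a login gate fails closed.
    Membership is version-aware, so an IPv6 client never matches an IPv4 range.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate_logins(events: Iterable[Tuple[str, str, bool]],
                    networks: list) -> List[Tuple[str, str, str]]:
    """Apply the restriction to (user, ip, password_ok) login attempts.

    Returns (user, ip, decision) with decision in {'allow', 'deny-ip',
    'deny-password'}. A correct but phished password presented from outside
    the allowlist ends at 'deny-ip', which is the whole point of the control.
    """
    results = []
    for user, ip, password_ok in events:
        if not password_ok:
            results.append((user, ip, "deny-password"))
        elif not login_allowed(ip, networks):
            results.append((user, ip, "deny-ip"))
        else:
            results.append((user, ip, "allow"))
    return results


if __name__ == "__main__":
    nets = parse_ranges(CORPORATE_RANGES)
    # Constructed sample: the second event models a phished, valid password
    # used from an address outside the corporate ranges.
    sample = [
        ("alice", "203.0.113.42", True),
        ("alice", "192.0.2.77", True),
        ("bob", "198.51.100.200", True),     # outside the /25 VPN pool
        ("carol", "2001:db8:1:2::9", True),
        ("dave", "203.0.113.9", False),
    ]
    for user, ip, decision in evaluate_logins(sample, nets):
        print(f"{user:6} {ip:18} {decision}")
```

The check must be fed the address the server actually sees on the connection, not a client-controlled header such as X-Forwarded-For, unless that header is set by a proxy you trust; otherwise the restriction can be satisfied by whoever writes the header. Denied attempts from outside the ranges with a correct password are also worth alerting on, since they are a direct signal that a credential has leaked.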

Beyond the list of recommendations and counter-measures salesforce.com recommends taking, the e-mail also says that salesforce's "recent and ongoing actions" in an effort to be proactive about customer security "include evaluating and developing new technologies both for our customers and for deployment within our infrastructure. We will regularly update you on these security innovations."

The email goes on to say:

Unfortunately, phishing is a reality on the Internet these days. But with the right mix of awareness, education, and preventive technology, the consequences of phishing don't have to be part of that reality.

Yes, phishing is unfortunate. But it doesn't have to be a part of the Internet's reality.

In its pursuit of longer term solutions, salesforce.com must first recognize that it's on an important cusp. Today, its subscribers probably open any e-mails that purport to come from salesforce.com -- including the one that was sent out last night. But, as more phishers look to prey on salesforce.com customers, there will come a point where those customers do the same thing to e-mails that claim to come from salesforce as they do to e-mails that claim to come from Bank of America or PayPal: delete them without opening them. This is the reason we hardly get any mail from our banks anymore. It's basically a waste of their time and resources if customers, fearful of being phished, aren't bothering to view them. Soon, salesforce could find itself in precisely the same position, where even its warning e-mails aren't being opened.

If salesforce.com is truly interested in a longer term solution, it will first realize that phishing is little more than a malicious form of spam that relies on all the same techniques that "regular" spam relies on to get opened by its targeted recipients. To the extent that phishing relies on these techniques, phishing relies on the same weaknesses in the Internet's e-mail system that spam relies on: for example, lack of a standard way to authenticate senders. Or, lack of a standard protocol between e-mail clients and e-mail servers that gives clients a way to notify servers of the end-user's sender-whitelisting or sender-blacklisting preferences. Or, a standard protocol to handle the transmission of subscription and unsubscription information between end-users and services (today, the non-standard nature of unsubscription leaves too much of the reliability of the process to chance -- especially when active Internet connectivity is a prerequisite to success).
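To make the "authenticate senders" point concrete, here is an added example (not from the original post) of the kind of check a receiving mail server can run: it evaluates an SPF-style policy, in which the domain in the envelope sender publishes, as a DNS TXT record, the addresses allowed to send on its behalf. The DNS data is constructed inline as a stand-in for real lookups, the domains are reserved documentation names, only the ip4, ip6, include and all terms are implemented, and the function names are my own.

```python
import ipaddress
from typing import List, Tuple

# Constructed TXT records standing in for DNS answers. Not real infrastructure.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a term -> result when that term matches the sender.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # mirrors the protocol's cap on DNS-querying terms


def lookup_txt(domain: str):
    """Hypothetical resolver: returns the constructed TXT record, or None."""
    return FAKE_DNS_TXT.get(domain)


def check_sender(sender_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the policy published by `domain` for a connecting `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no policy published)
    or 'permerror' (malformed record, bad address, or include chain too deep).
    Terms are evaluated left to right; the first match decides.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    try:
        addr = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            # Membership is version-aware: an IPv6 sender never matches ip4.
            if addr in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "include":
            # An include matches only if the referenced policy yields 'pass'.
            if check_sender(sender_ip, argument, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # mechanism not implemented in this evaluator
    return "neutral"  # record exhausted with no match and no trailing 'all'


def triage(messages: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Map (sender_ip, envelope-sender domain) pairs to a receiving-side action."""
    action = {"pass": "deliver", "fail": "reject", "softfail": "quarantine",
              "neutral": "deliver-flagged", "none": "deliver-flagged",
              "permerror": "quarantine"}
    out = []
    for ip, dom in messages:
        result = check_sender(ip, dom)
        out.append((ip, dom, result, action[result]))
    return out


if __name__ == "__main__":
    # Constructed connections: the last two imitate example.com from elsewhere.
    for row in triage([("203.0.113.5", "example.com"),
                       ("198.51.100.10", "example.com"),
                       ("192.0.2.1", "example.com"),
                       ("192.0.2.1", "nospf.example")]):
        print(row)
```

Two caveats a practitioner should keep in mind: the policy is bound to the envelope sender, not the From: header the user sees, so a message can pass this check and still display a spoofed name; and a domain that publishes no record (the 'none' case) yields no verdict at all, which is exactly the gap the post is complaining about.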

Another issue? Although they're physically possible with many e-mail systems, encryption and digital signing of e-mail -- two measures that can also play a role in eliminating spam (and phishing) -- need to be more seamlessly embedded into e-mail clients in such a way that they're easy to use. Today, the user experience varies widely from one e-mail solution to another and the phrase "ease of use" can hardly be associated with most deployments. This must change.

Once salesforce.com realizes that action must be taken in the area of industry consensus and standards around e-mail security, perhaps it can use its influence with the other large organizations who are in a position to make a real difference: Microsoft, AOL, Google, and Yahoo (the group I call "maggie"). Where consensus and ubiquity of some de facto standards are required (we can't wait for any of the standards bodies to get to this), those are truly the four companies (given the penetration of their e-mail solutions into the market) that together can bring about change. So far, the four companies have yet to band together once and for all to put an end to the scourge that plagues all of us, and now, salesforce.com too. Perhaps now that spam has bubbled onto salesforce.com's radar to the point that it's posing a serious threat to the company's customers, the next thing salesforce.com can do is work on pulling the industry together around this problem. Especially since no one else will.

Topics: Security, Collaboration, Enterprise Software


Talkback

17 comments
  • Must: Mandate

    Couldn't agree with you more:

    [i][b]"Another issue? Although they're physically possible with many e-mail systems, encryption and digital signing of e-mail -- two measures that can also play a role in eliminating spam (and phishing) -- need to be more seamlessly embedded into e-mail clients in such a way that they're easy to use. Today, the user experience varies widely from one e-mail solution to another and the phrase "ease of use" can hardly be associated with most deployments. This must change."[/b][/i]
    D T Schmitz
  • Mail Tampering

    I decided to do a quick google on 'mail tampering usps' and found [url=http://www.usps.com/communications/news/security/mailtampering.htm]this[/url].

    The poster drives home the point.

    Should not we have an equivalent for email tampering? Anybody? Bueller?

    Talk amongst yourselves. ;)
    D T Schmitz
  • Companies don't have to wait for email clients to change..

    Internet-based businesses can implement a secure Universal Gateway Email server (I don't work for this company). Once users were acclimated to the system they would recognize phishing attempts immediately. It would not require any new hard/software on the client's PC. The financial industry is using this solution and others like it to protect customers now...
    william.brunell
    • As long as we continue to buy...

      ...into non-standard solutions, we will never see an abatement to the spam problem. Never. We're sending a message to the market that we're willing to tolerate the growing threat of spam along with all its nasty side effects and we're willing to pay for patchwork remedies rather than demand from the primary solution providers that they solve the problem for free. As long as we show email solution providers that we'll pull our wallets out to not only solve the problem, but to buy solutions from companies that have the muscle to solve it but aren't, we are disincenting them from really solving the problem. What I'm suggesting is that we stop sending them that message.

      David
      dberlind
  • RE: Phishing-based breach of salesforce.com customer data is more evidence

    I had thought that Salesforce.com only notified its clients when it became apparent that some of the subsequent phishing emails contained malicious binaries? Do we know when the 'breach' originally occurred?
    Yad
    • This could have to do with the public disclosure that's...

      required by law in some states, particularly when public companies are involved. If the details of the breach aren't available in these notices, they might become available in an upcoming SEC filing. But I'm not sure.

      David
      dberlind
    • March 2007

      Comments from a self-identified salesforce.com client on SlashDot (
      http://it.slashdot.org/) place the attack in March 2007, with public disclosure in October - more than 6 months later.

      "Yes, we were a victim. SalesForce has been extremely, I mean extremely unprofessional and tight lipped about this incident. In an emergency meeting we had with them, they did claim that the data breach had originally happened in March of this year, yet we were never notified about it so we can put procedures in place and educate our users."
      karl24
  • Bad news on Salesforce gives all CRM vendors a hard time

    In a time where hosted CRM Software is growing rapidly, news of these scams doesn't help convince SMBs to make the move to the on-demand side, even though there are many great CRM Software vendors out there like Netsuite and Salesboom.com. Salesforce.com, being the largest CRM Software vendor, has the ability to give the entire market a bad name, making the smaller competitors' jobs more difficult as well, even though vendors like Salesboom.com have a great track record. I just hope that SMBs out there know there are alternative CRM Software providers; they don't need to turn their back on the entire industry.
    Whiting
  • More than an email problem

    Not to detract from the valid point of the story (default email settings bad!), please remember the incident was made possible by human error.

    It is likely that the user could have prevented the error by picking up the phone to verify information in the phishing email (if it requested a customer list).

    Users need to be aware of the monetary value of data on their computers. Is keeping a customer list on a local disk smart? Users (or security programs) can encrypt sensitive files so they cannot be read without the key. That way, when something is lost, it is still protected.

    If the list was obtained by malware being installed by the user as a result of clicking on a link or downloading something they shouldn't have, then the error may have been in Salesforce's lack of virus/malware/phishing implementation. That may be an error by an admin or executives not funding good security controls.

    Just a reminder that limiting discussion to such events to implementation of technical controls misses the point that people are the weak link. Technology looks smart, but in reality it does what we evolved monkeys with keyboards instruct it.

    Save a few bucks and don't educate users about privacy and security. That is what the phishers and hackers count on.

    You may now return to bashing email systems.
    karl24
    • The flaw in your thinking

      As best as we can tell, the first breach was an act of social engineering, via phishing. For example, a link in an e-mail to an imposter site that resulted in the disclosure of a userID and password to the posers. It's a very typical phishing technique.

      To say that "the error may have been in Salesforce's lack of virus/malware/phishing implementation" is just wrong. The phishers and spammers are always one step ahead of the solutions and no matter what solution you buy, it will eventually get defeated and some poor soul will end up compromising a larger system as a result.

      The problem is that none of the solutions you refer to take the holistic approach that needs to be taken to securing entire e-mail system because they're completely powerless to do so. They're all competing with each other. It's not in their interests to look at the problem holistically. They only solve a problem for a moment in time for their set of customers. They all have different customers. This highly fractured, tactical approach to securing email from spam and phishing is why we're in this mess in the first place. Had the major e-mail solution providers decided in the first place that spam was something worth shutting down and NOT worth leveraging as a competitive datapoint or revenue generating problem 5 years ago when they were implored to do so, the world would be a different place today.

      Look, I feel like a broken record. Since everyone thinks I have no idea what I'm talking about, let's take a different view. Everyone likes to tell me why I'm wrong about this. I was told this 5 years ago and given the EXACT same reasons I was wrong. I stood my ground. Here we are, 5 years later and everything they told us was going to work hasn't. Spam still gets into our inboxes and there's nothing we can do as senders to make sure our e-mail gets delivered on the other end.

      For once, instead of telling me why working together can't work, acknowledge the fact that working apart hasn't worked, that the situation is far worse than it was when I was first told it couldn't work, and start talking about what it would take for a collaborative, multi-lateral x-industry approach to work.

      It's about time people stopped saying "no" to something that hasn't been tried instead of saying "yes" to something that has clearly proven to be ineffective.

      David
      dberlind
      • There is more than one

        "The flaw in your thinking"

        The same member assumes that training will be sufficient to prevent all employees, in a company the size of salesforce, from giving away information. An employee earning a stenographer's wage simply should not have access to so much data. The financial services industry is leading others in privacy and data security. The only question other industries need to ask is, how do they do it?

        [i]To say that "the error may have been in Salesforce's lack of virus/malware/phishing implementation" is just wrong.[/i]

        Agreed. Depending on scans for malicious code on your own network and calling it "security", is insane. Of course scans for malicious code are *part* of security, but a message from an unverified sender, without PGP encryption or the like, would never be allowed on a [u]secure[/u] network.

        [i]The phishers and spammers are always one step ahead of the solutions and no matter what solution you buy, it will eventually get defeated and some poor soul will end up compromising a larger system as a result.

        The problem is that none of the solutions you refer to take the holistic approach that needs to be taken to securing entire e-mail system because they're completely powerless to do so. They're all competing with each other. It's not in their interests to look at the problem holistically.[/i]

        Are they really "completely powerless to do so", or are they just selling partial fixes to a market that settles for them, hoping to sell more partial fixes, later?
        Absolutely
      • Start reading the post at the beginning to understand what I said

        Before you comment on what you think I mean, read the post.

        I purposefully said salesforce "may" have been at fault because I lack the knowledge about what really happened since I was not there and do not have intimate knowledge about their security methodology.

        I believe that there are multiple factors to attacks like this.

        Let me point out that I started off by saying that email used in its default form is bad and that the point that spam is a scourge was valid.

        I have been in IT for over 20 years and have administered email and many other systems in multi-national environments, so I too am familiar with the problems.

        Your assumption that I think people shouldn't work together to solve these problems is just plain wrong. In fact, we need to expand the discussion into the Boardroom. IT screaming about better standards won't solve this. Giant corporations refusing to buy bad technology will hit software providers where they live.

        I never said buying product x would solve the problem either. Whatever you think I am trying to suggest you buy, you are incorrect. It's not about products. It is about business strategy, training, awareness and technology - together.

        IT cannot and should not bear sole responsibility for security. They should implement management's informed direction. No matter what technology you place in the way, attackers will circumvent it eventually. This is why we need multi-pronged approaches.

        Implementation of standards, like OECD privacy, ISO 17799/27001 or CobiT are great beginnings. IAPP and other organizations cover this type of approach to privacy.

        - Data needs to be classified so that sensitive information is protected in line with its business value.
        - Controls need to be layered so that if one fails, others prevent or hamper attackers from obtaining their goal.
        - Companies need to take responsibility for customizing their own security, not relying on the technical industry to fix things.

        Data leakage is not only an IT problem. It is a business problem, first and foremost. Every company needs to educate users and make appropriate investments in technical and management security controls.

        Please accept my heartfelt apology for the wrongs you feel I inflicted on you or your viewpoint.
        PGP, and other types of encryption or authentication methods are also great ideas to assist in securing a network. If you want to talk about holistic approaches, acknowledge the need for multi-layered security, including user education, classification, need to know access, etc, etc.

        Hope this clarifies my position. I am not attacking salesforce or anyone else. What I have said is acknowledged by many security practitioners.
        karl24
    • Multiple human errors, including access controls

      [i]Not to detract from the valid point of the story, (default email settings bad!)please remember the incident was made possible by human error.[/i]

      One of the valid points I see between the lines of this story is that, as the size of companies increase, the likelihood of one careless, indifferent end-luser who doesn't do more than the minimum diligence, also increases. To be exact, the incident was [u]directly caused[/u] by one human's error, but it was [u]made possible[/u] by a long series of human errors, some of which I'll outline below.

      [i]Save a few bucks and don't educate users about privacy and security. That is what the phishers and hackers count on.[/i]

      Spend a few bucks instructing users on securing the company's data, of course. But by my estimate, voluntary implementation of security "best practices" correlates more to personal character than to on-the-job training. Some people will just not be more responsible than the technology made available to them mandates.

      One of the human errors made in this case was allowing access to data worth millions of dollars to a worker whose salary was probably, er, not sufficient to motivate the necessary level of diligence to prevent the intrusion that occurred. The first human error was in providing that minimally financially motivated employee maximal access to the company's primary source of financial value, its customers. That was a human error, setting permissions only based on "job function", without a thought to the financial value of the data accessed.

      If there are employees whose financial incentive to be loyal to the company is very low in proportion to the financial value of the data the technology allows them to access, this story proves that, sooner or later, one or more of them will do something monumentally stupid (or malicious, in cases of industrial espionage, some of which we undoubtedly will never know about) with the data they should not have permission to view or copy in the first place, but do.

      [i]Users need to be aware of the monetary value of data on their computers.[/i]

      That will influence some to be more careful, of course, but it is only one part of a holistic solution. Like e-mail filters, it will not be sufficient by itself.

      [i]Is keeping a customer list on a local disk smart? Users (or security programs) can encrypt sensitive files so they cannot be read without the key. That way, when something is lost, it is still protected.[/i]

      Is it smart to allow employees access to a customer list at all? Which employees?

      [i]It is likely that the user could have prevented the error by picking up the phone to verify information in the phishing email (if it requested a customer list).[/i]

      That is likely. Two related certainties render that observation irrelevant. First, it is certain that the employee did not utilize the telephone technology available to perform whatever verification might have been possible. The employee instead probably took the shortest, easiest, laziest route to completion of the task immediately before its face. All employers know they employ such "workers", and need their technology to account for that fact, realistically. The other related certainty is that technology exists to prohibit emails that are not sent from "known good" domains. Technology does not impose the feeble "greylisting" approaches that are in widespread use. User ignorance, at all levels of many corporations, does.
      Absolutely
  • RE: Phishing-based breach of salesforce.com customer data is more evidence

    If you use Salesforce.com, I read in InformationWeek about a company called OutProtect (www.outprotect.com) that has a product that secures your downloaded data. The product stops authorized users (or people who have phished and stolen a valid ID/password) from removing Salesforce data without your knowing about it. These attacks are happening no matter what CRM you use, so if you're using Salesforce then OutProtect is a pretty cool way to lock down your info from walking out the door.
    CRMExpert2
  • Convince "maggie"

    I wonder if it would help if a group of White-Hats arranged a major phish of maggie? Donate proceeds to some charity.
    gestrate9
  • Salesboom offers USB tokens for extra security

    A couple of days ago, Salesboom.com, a direct competitor of Salesforce.com, released a new product offering its clients a two-factor authentication service, in which users accessing the online CRM software application are required to insert a USB token which has their employee ID encrypted, as well as the traditional username/password combination.
    CRMdesign
  • RE: Phishing-based breach of salesforce.com customer data is more evidence of industry's need to act on spam. Now.

    Well, yeah, wouldn't you be embarrassed being a big company that tries to protect its clients' privacy, but in the end human error is at fault.
    I would hate to be a salesforce employee at that time. It's not the software that's the problem but the user. CRM used for evil...I really hate spam.
    Charlie630