Salesforce tight-lipped after phishing attack

Salesforce tight-lipped after phishing attack

Summary: The company has refused to give specific details of a breach, caused by phishers gaining an employee's password, which saw customers attacked

SHARE:
TOPICS: Security
3

Salesforce.com is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company.

Details of Salesforce.com's customers were stolen as a result of the password being surrended, the CRM services company admitted to customers on Monday.

But, when contacted by ZDNet.co.uk, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred, and whether any disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter.

Salesforce.com first noticed a possible security breach when it saw a rise in phishing attacks directed against customers "a couple of months ago". Upon investigation, the company found that one of its employees had been "tricked" into disclosing a password, allowing a customer list to be stolen, according to Monday's letter, which was sent to customers by executive vice president of technology Parker Harris.

"We learned that a Salesforce.com employee had been the victim of a phishing scam that allowed a Salesforce.com customer contact list to be copied," wrote Harris. "To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."

The information in the contact list included individuals' names, company names, email addresses, telephone numbers of Salesforce.com customers and "related administrative data belonging to Salesforce.com", said Harris.

Once the phishers had the contact list, they attempted to phish Salesforce.com customers. "Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher," wrote Harris.

The domino effect continued. Not content with the security breaches already achieved, the phishers began to target Salesforce.com customers with malware. "A few days ago a new wave of phishing attempts that included attached malware — software that secretly installs viruses or keyloggers — appeared and seemed to be targeted at a broader group of customers," wrote Harris, who added that this fresh wave of attacks was what prompted Salesforce.com to publish the security letter.

Salesforce.com said it had been working with the group of affected customers "to enhance their security", and with law enforcement and industry experts to trace what had happened. It said it was monitoring and analysing logs to be able to alert customers who have been, or could still be, affected by the incident, and that it was "reinforcing [employee] security education, and tightening access policies within Salesforce.com".

Harris's letter recommended that customers activate IP address restrictions so users can only access Salesforce.com from the corporate network or VPN, educate employees about phishing, and deploy email filtering and anti-malware software. Customers should also designate a security contact to liaise with Salesforce.com, consider using two-factor authentication, and attend a security webinar on 8 November on Salesforce.com's website.

Mark Sunner, chief technology officer for email-filtering company MessageLabs, claimed that Salesforce.com had "had an issue with the message filtering", and an issue with disseminating security information to employees. He recommended companies use a mixture of education and technical means to mitigate corporate data-theft phishing attacks.

"Employees have to be very sceptical about any requests for information over email, IM or telephone," said Sunner. "You have to have message filtering, but also educate people that this bad stuff is out there." Sunner added that users need to be aware that posts on social-networking sites such as Facebook could be used by phishers to harvest information.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • Fighting CRM Phishing Attacks

    Phishing for user information and passwords of online CRM and ERP applications can be dangerous if not dealt with properly.

    It is said that experiments show a success rate of over 70% of Phishing attacks on social networks. CRM users must be educated on security practices and how to protect their accounts from criminals.

    Within other CRM applications such as Netsuite and Salesboom.com there are tools to control login access and security. Export tools must be disabled when login happens from all or certain geographical locations and time zones perhaps. If a Sales manager is living in Ohio, and is not traveling to china, then if the login accrues in china, export tools and other various user rights can be disabled, including login itself.

    Other methods used today include Two-Factor Authentication such as using passwords and matching USB Tokens for further security.
    CRMdesign
  • Securing CRM Future

    It is nice to see that some hosted CRM vendors such as the mentioned Netsuite and Salesboom.com have taken measures to ensure safe and secure data for their clients, if events like the Salesforce phishing attack continure to take place without these measures in place it could mean great trouble for the hosted CRM industry. Since Salesforce is the most advertised CRM vendor, downfalls of their platform can have a negative affect on the entire industry making the advancements by Netsuite and Salesboom.com important not only for their clients but for the entire industry.
    Whiting
  • Arc GIS Ver. 8.3, Arc GIS Ver. 9.0, 9.1, 9.2, ERDAS Imagine Ver. 8.5, 8.6, 8.7. Photo Suit, Visual Basic 6.0, Visual basic. Net.
    anonymous