Highly Targeted Phishing From Salesforce.com Leak

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such hightly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

ummm... what?

[Anonymous Coward]

In such hightly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

In other news, the auto-safety companies are at a loss with respect to fire safety violations in people's homes - they have little chance of quickly developing airbags for threats like leaving a cigarette burning and unattended.

Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...

...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

Re:

[Iphtashu Fitz]

I think the post is implying that the phishing attack is using some sort of malware targeted at the individuals. Imagine you're not a security-conscious person and you get an e-mail with an attachment claiming to be from SalesForce.com. The e-mail looks exactly like the kind of e-mail that you're likely to get from them, and the attachment may actually include a Word document or something else that you're likely to get from them. Your virus scanner doesn't warn you that the attachment is a virus/worm/tro

Re:

[Suhas]

malware is malware whether it arrives as an attachment with a Salesforce.com email or from Jody hawking Viagra. A heuristic AV algorithm should find it and flag it as such.

Re:

[wud]

if you rtfa you'll see that the phishing scam was to download malware. so the AV companies would need to fend off the malware.

Re:

[wizardforce]

Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites

If the user population were sufficinetly educated, spyware, viruses, trojans and phishing wouldn't be nearly the problem it is today. Antivirus software is for defending after the fact- by the time it comes into play you've already lost. Notice that there are few if any AV companies that specialize in OSes that are not frequently targets of

Re:ummm... what?

[phantomcircuit]

"User education"

haha .... hahahahahaha.... HAHAHAHAHA

You had me there. No really what is your solution to phishing?

Re:

[Not_Wiggins]

...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

Because when your only tool is a hammer, EVERYTHING is a nail.

Re:

[virtual_mps]

Seriously, what do AV companies have to do with phishing scams?
[snip] ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

Well, AV companies are the ones who sold people snakeoil^H^H^H^H^H^H^H^H security in a bottle. It's the AV companies who have built a business model around the message "give us money every year or you won't be 'secure'"; I think it's perfectly reasonable for people to ask them to deliver the "security" they were promised. I can't count the number of times I've seen a user with a malware infection give me a confused look and say "but I've got antivirus installed". The fact is that the AV companies do a real

the only option

[Lord Ender]

Because it is against human nature to be completely paranoid and skeptical of every email received, the only reliable way to fight this sort of thing is for everyone to digitally sign email messages through a reliable PKI hierarchy. Only when a federal regulatory body works with all the major email client producers (microsoft, google, etc.) would it be possible for such a thing to actually make it. Under "free market" forces, these companies do not have the incentive to cooperate.

Re:

[eneville]

but this is the sort of case that would work well, since it's a small group of people, perhaps the managers of a few companies could sign at a sales meeting? who knows what is convenient for them.

but, once a few of them are acquainted, it becomes a stronger web of trust, so mail could easily be verified.

but if the credentials were phished then i reckon it's not that hard to get the pri key.

Re:

[Lord Ender]

but if the credentials were phished then i reckon it's not that hard to get the pri key.

No. There is a big difference between knowing someone's email address and having system/root-level access on their PC (or better yet: physically stealing their smartcard).

So much money would be saved from fraud by issuing everyone smartcards (say, with their tax returns?) that such a system would pay for itself quickly. It is impossible to steal keys off of a smart card via a remote hack.

Re:

[eneville]

nice idea... i like it, but it's not going to appeal to everyone, as not every one has to fill it in... only certain people who are not on a visa and are over a given age. sufficient enough though to warrant use. what about making a huge key that lasts 10 years at birth? put the owners jpg in it and have the registry office sign it, might as well call it a passport (i don't know if the photo itself is signed in gnupg, should be).

Re:

[Lord Ender]

It could be issued with drivers' licenses. It doesn't have to have an expiration any shorter than a human lifespan, as long as a good revocation system is in place.

Re:

[eneville]

I think it does need a short life span, other wise there will be a ipv4/ipv6 phase to go through later on, give it a short life span so that incredible computers in the future cannot reverse the pri key.

Re:

[metachimp]

So, how does this protect joe dumbass from giving up his information voluntarily? If I need a smartcard to verify that it's me who is using the machine, then how does this prevent me from clicking through a phishing attempt and giving over my authority which has already been granted?. Am i to understand that none of us have root-level access to our own machines? Forget that. If anything, centrally issued smartcards would simply allow companies who might otherwise be on the hook for bad behavior to simpl

Re:

[cheater512]

Private keys are protected with far more secure methods than most other things.
Thats including credit cards and similar sensitive stuff like that.

Cacert.org keeps theirs on a secure box who's only connection to the net is a slow serial link.

Re:

[eneville]

the .pri is usually in the user's home directory... so a browser exploit could read that ... for that matter, any exploit in any software that the user can run, would normally run with the user's credentials, and thus be able to read it. it shouldn't have read access to anyone else in the department though... but it's still a possibility. so, use your pass phrases!

Re:

[Lord Ender]

Well, if I were given a $500M budget and were asked to implement it nationally, I would issue smart cards and legislate smart card readers come standard on typical desktop PCs (adding $3 per machine, I suppose).

And your wrong on another count. On windows, private keys can only be accessed directly by a user with System level access.

Re:

[eneville]

And your wrong on another count. On windows, private keys can only be accessed directly by a user with System level access. No that's a different key, what planet are you on? I'm talking about the gnupg system of pub/pri keys. If that you're saying is true, then my mail reader (when I have accessed mail from a windows box) would have to escalate to a system user, which it never did.

Re:

[Lord Ender]

GNUPG would not be a major concern on such a project, because the target audience would be primarily windows. Hardware-based smart cards would be the way to go.

Re:

[phantomcircuit]

Are you seriously saying that there should be an email system that can only verify the identity of windows users?

Re:

[Anonymous Coward]

Because it is against human nature to be completely paranoid and skeptical of every email received

Speak for yourself. I completely distrust every e-mail, and have never, ever clicked on an attachment to an e-mail. I've gotten hundreds of phishing scam e-mails... never fell for one.

When I was sysadmin at a large Fortune 500 company (back in the days of floppies), my policy was that if you got a virus, I had a box of floppy-locks and you got one for a week.... and had to get someone else to read your flop

Re:

[hostyle]

Yeah. Of course, on the other hand, everyone loves cleaning up the messes created by morons.

Re:

[Cheesey]

Could be worse... [iinet.net.au]

But I don't know if anyone, even the BOFH, would be immune to a sufficiently targeted attack. (Although naturally a targeted attack against the BOFH would be a fatal mistake...)

Re:

[crabpeople]

"[sic]Because it is against human nature to be completely paranoid and skeptical of every email received"

I guess im not human then. Homo sapiens sapiens paranoius?

Re:

[Lord Ender]

Randomly inserting "[sic]" while you type makes you homo ignoramus.

AV companies appropriate?

[morgan_greywolf]

Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.

Re:

[sjwest]

I think the article poster is saying that perhaps salesforce.com should pony up and pay the a/v firms to fix the problem being that it affects very few people.

Re:AV companies appropriate?

[bhima]

'cause if we actually could just "teach people some common sense or something" we would have long ago done so.

People are the way they are and no amount of you (or me) being smarter than the herd is going to change it.

Here's a suggestion

[Colin Smith]

Fire the people who are infected.
 

Re:

[Bill, Shooter of Bul]

It depends upon the type of phishing. The more traditional fraudulant email can't really be prevented, but there are several related attacks that are the domain of AV. They range from the more typical virus changing your HOSTS file, to more sophisticated attacks against your home router (changing your dns servers to a malicious one). With these you don't need an email. You can even type the name of the website int he address bar, but you'll go to the evil site anyways.

Its like I sometimes say when I feel

It's not just targeted phishing...

[argent]

If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

Antivirus software can't help.

Security is like sex.

Once you're penetrated you're fucked.

Re:

[Sigma 7]

Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day).

Crying wolf isn't the problem. Instead, the problem is crying wolf when you can properly handle the wolf without collateral damage.

For example, some Firefox configurations can be set to block popups from web plugins. However, the common method of setting privacy.popups.disable_from_plugins to 2 prevents you from opening any popup from a plugin even if you wanted to. The correct procedure is to record the URL that needs to be opened (as it does if Javascript tries a popup.) Because of this, Adblock is

Re:

[argent]

Crying wolf isn't the problem.

It sure is.

This isn't just phishing I'm talking about, this is a remote execution attack that works because the user is trained to answer "yes" when they see a security dialog.

If your software is asking the user "Do you want me to do (dangerous thing)?" often enough that the user is conditioned to respond in the affirmative, that's a problem. Internet Explorer should have had every single capability related to the one that Gator used removed from the browser in 1997. In fact, I

Re:

[Svartalf]

Boy was I naive.

Your mistake was in thinking that Microsoft was a Software Company.

They're nothing of the sort.

They are an Abuse Company that uses Software as the vehicle to deliver this abuse, as opposed to words, whips, and/or chains. >:-)

Screw antivirus, call law enforcement!

[necro2607]

Like the title of this post says - screw antivirus software, call appropriate law enforcement agencies when you get these phishing attempts!

Re: law enforcement!

[Anonymous Coward]

I did this once. I reported the phising scam e-mails, provided them with the
e-mail address, details of the scam and gve them a link to a security website
that reported the scam.

The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."

In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall
for phising, tough luck. And I kind of agree with them. It doesn't lave me with a warm,
fuzzy feeling, but I agree.

Re:

[necro2607]

While I haven't reported phishing specifically, I've reported spam (both of which are unsolicited emails, by the way, with phishing actually being notably more harmful), and gotten a response nearly every time that the issue will be pursued (although in these cases I contacted the ISPs that owned the IPs that were sending out emails, and this was in the late 90s where the net wasn't full of millions of zombified PCs so it was easier for ISPs to pursue).

Either way, sure, I imagine a lot of the time you'll ge

Re:

[Blackknight]

As if they care.

Re:Screw antivirus, call law enforcement!

[gujo-odori]

They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how much resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

At the last APWG meet, in Pittsburgh, some researchers fron Carnegie-Mellon presented there findings of an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement Vs. a control group, and there has been considerable interest in the game.

A preview version is here, for anyone interested:

http://cups.cs.cmu.edu/antiphishing_phil/ [cmu.edu]

License is CC-attribution-non-commercial.

(I am not affiliated with CMU)

Re:

[necro2607]

Thanks for posting something informative & interesting as opposed to the rhetorical "who cares" bullshit other people were posting in response. :)

When technology is not the answer

[DFDumont]

Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most of the cases the fatal flaw in any data security design is the people who run it.
My point is simply this. Training hours spent with each employee about how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server - would also be effective.
The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."
Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?
IMHO Technology is not and should not be thought of as, the solution to all problems.
Dennis Dumont

Re:

[value_added]

The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

I think that's a fair representation of the current state of affairs. Moreover, it pretty much sums up the beginning, middle and end of most malware issues. From the article:

Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warn

Were web-based services ever the answer?

[Anonymous Brave Guy]

Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition.

True, but this story appears to have started with an employee of an outside service, salesforce.com, succumbing to phishing.

While you can't entirely beat sociological threats through technological defences, this case doesn't exactly support the standard software-as-a-service provider's argument that by outsourcing your data handling to them, you are avoiding the complexity and problems of doing it yourself. What next, confidential planning documents from a company using one of the web-based office suites get leaked after the office suite business gets tricked? There is a lesson to be learned here.

Technological solutions and behavioral problems

[DragonHawk]

Not everything can be addressed through technology. This is such a case.

Indeed. This was a people problem, through and through.

I note that, in their list of things SalesForce.com says they are doing to make sure it doesn't happen again, conspicuously absent is anything to do with people.

"There are seldom good technological solutions to behavioral problems." -- Ed Crowley

Re:

[Tim C]

Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?

Yes I do, but the alternative is to whitelist the applications that are allowed to run and disallow everything else. That may work fine in the corporate environment, but it would fail utterly in the home environment where the user is the admin.

Monoculture

[Colin Smith]

....Actually I can't be bothered.
 

So, if bogus sales are transacted, then would

[davidsyes]

these be ...

SALESFORCED?

Re:

[IHC Navistar]

Take your crappy sales pitch somewhere else. It's not wanted here.

Re:

[Chas]

"It's not wanted here."

Since the person was asking about CRM solutions (even if the original question was off-topic), evidently it was.

And if that qualifies as a sales pitch, something is wrong.

I'm a technician, not a sales guy. I, personally, don't give a shit WHAT he winds up with.

So take your crappy attitude somewhere else. It's not wanted here.

Re:

[Chas]

"Goldmine is a relic from the past."

Ah. Starting with an attach, instead of delineating real problems. Good form!

"Not even their latest version saves it from looking like a modern application with last decades technology under the hood."

What is the "latest version" you're on?

"My company forces its upon everyone here and they hate it with a passion."

Great. Bandwagoning.

If you're an Outlook-head, I can see why you might not like it. The fact is, it's much easier to network and maintain than Outlook is. I

SugarCRM

[MrKaos]

I recently did an comparison between Salseforce and SugarCRM [sugarcrm.com] and found Sugar was surprising good in comparison to SF. Plus you have the option of hosting the application in house thus avoiding a 3rd party handling your company data, or being on list of third parties that could be subject to these sorts of scams.

Re:

[MrKaos]

How is this OT if I am pointing out an open source alternative to SF (i.e this is not an advertisment) that by-passes the possibility of phishing for data?

Moderation without investigation is frustration - maybe some safes force people are scared that people will spread the word that there is a free alternative to their product that doesn't own your business data or charge you for the priveledge of accessing it.

Did I say suprisingly good in comparison, let me rephrase that...

SugarCRM KICKS SALESFORCE ASS

Re:

[MrKaos]

And just to prove that freedom of speech is more important than Salesforce shills let me just say again ....

SugarCRM KICKS SALESFORCE ASS

because it will be interesting if I get modded down again, just for saying...

SugarCRM KICKS SALESFORCE ASS

But I can always just continue to re-post the same comment.

Disclaimer: I am in no way associated with SugarCRM in any way!

This is incredible

[MagicBox]

Yes, we were a victim. SalesForce has been extremely, I mean extremely unprofessional and tight lipped about this incident. In an emergency meeting we had with them, they did claim that the data breach had originally happened in March of this year, yet we were never notified about it so we can put procedures in place and educate our users. We only knew when one of our users "logged in" to the phishing site. Unfortunately the crooks got to the data before we could change the password (within 5 minutes), but we were lucky that nothing "confidential" was downloaded. Regardless, when we called Salesforce, initially they told us that they cannot even share more info other than telling us to change our passwords. Then more emails started coming posing at Bank sites etc. We had to go to some incredible lengths to engage the SalesForce people to admit fault and advise on how to proceed in protecting the people. Still, they were less than helpful or they seemed incompetent to do so.

Bottom line is, how can you keep such breach a secret for 7 months without telling your clients at the very least? I have yet to receive an email from them about this. No correspondence has happened between them and us.

Oh, and the SalesForce "security" person was saying that the law enforcement has found where the phisher is located and that "if they have not aprehended him already, they will soon do so".... Whatever. BS.