Highly Targeted Phishing From Salesforce.com Leak
An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
It's not just targeted phishing... (Score:5, Funny)
Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.
Antivirus software can't help.
Security is like sex.
Once you're penetrated you're fucked.
Re:the only option (Score:1, Funny)
Speak for yourself. I completely distrust every e-mail, and have never, ever clicked on an attachment to an e-mail. I've gotten hundreds of phishing scam e-mails... never fell for one.
When I was sysadmin at a large Fortune 500 company (back in the days of floppies), my policy was that if you got a virus, I had a box of floppy-locks and you got one for a week.... and had to get someone else to read your floppies and save work for you to take home or copy work from the floppy back to the network. Worked great -- sort of a scarlet letter. One person re-offended, and he lost all computer privileges for a week. We should figure out some way to brand a scarlet letter "D" for dumbass onto the foreheads of people that fall for phishing scams.
Re:ummm... what? (Score:5, Funny)
haha
You had me there. No, really, what is your solution to phishing?
Re: law enforcement! (Score:3, Funny)
e-mail address, details of the scam and gave them a link to a security website
that reported the scam.
The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."
In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall
for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm,
fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.
Re:It's not just targeted phishing... (Score:2, Funny)
Your mistake was in thinking that Microsoft was a Software Company.
They're nothing of the sort.
They are an Abuse Company that uses Software as the vehicle to deliver this abuse, as opposed to words, whips, and/or chains. >:-)