Security

Highly Targeted Phishing From Salesforce.com Leak

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
This discussion has been archived. No new comments can be posted.

  • If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

    Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

    Antivirus software can't help.

    Security is like sex.

    Once you're penetrated you're fucked.
  • by Anonymous Coward on Tuesday November 06, 2007 @06:29PM (#21260275)
    Because it is against human nature to be completely paranoid and skeptical of every email received

    Speak for yourself. I completely distrust every e-mail, and have never, ever clicked on an attachment to an e-mail. I've gotten hundreds of phishing scam e-mails... never fell for one.

    When I was sysadmin at a large Fortune 500 company (back in the days of floppies), my policy was that if you got a virus, I had a box of floppy-locks and you got one for a week.... and had to get someone else to read your floppies and save work for you to take home or copy work from the floppy back to the network. Worked great -- sort of a scarlet letter. One person re-offended, and he lost all computer privileges for a week. We should figure out some way to brand a scarlet letter "D" for dumbass onto the foreheads of people that fall for phishing scams.
  • by phantomcircuit ( 938963 ) on Tuesday November 06, 2007 @06:40PM (#21260399) Homepage
    "User education"

    haha .... hahahahahaha.... HAHAHAHAHA

    You had me there. No really what is your solution to phishing?
  • by Anonymous Coward on Tuesday November 06, 2007 @07:19PM (#21260775)
    I did this once. I reported the phishing scam e-mails, provided them with the e-mail address, details of the scam and gave them a link to a security website that reported the scam.

    The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."

    In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm, fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.
  • by Svartalf ( 2997 ) on Tuesday November 06, 2007 @07:40PM (#21261013) Homepage

    Boy was I naive.


    Your mistake was in thinking that Microsoft was a Software Company.

    They're nothing of the sort.

    They are an Abuse Company that uses Software as the vehicle to deliver this abuse, as opposed to words, whips, and/or chains. >:-)
