
Highly Targeted Phishing From Salesforce.com Leak 72

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss — they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
  • the only option (Score:4, Interesting)

    by Lord Ender ( 156273 ) on Tuesday November 06, 2007 @05:59PM (#21259957) Homepage
    Because it is against human nature to be completely paranoid and skeptical of every email received, the only reliable way to fight this sort of thing is for everyone to digitally sign email messages through a reliable PKI hierarchy. Only when a federal regulatory body works with all the major email client producers (Microsoft, Google, etc.) would it be possible for such a thing to actually make it. Under "free market" forces, these companies do not have the incentive to cooperate.
  • by gujo-odori ( 473191 ) on Tuesday November 06, 2007 @09:30PM (#21262039)
    They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

    They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how much resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

    At the last APWG meet, in Pittsburgh, some researchers from Carnegie-Mellon presented their findings of an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement vs. a control group, and there has been considerable interest in the game.

    A preview version is here, for anyone interested:

    http://cups.cs.cmu.edu/antiphishing_phil/

    License is CC-attribution-non-commercial.

    (I am not affiliated with CMU)
