By Tom Espiner
07 Nov 2007
Salesforce.com is refusing to reveal details of a security breach caused
when one of its employees surrendered their password in a phishing
attack against the company.
Details of Salesforce.com's customers were stolen as a result of the
password being surrended, the CRM services company admitted to customers
But, when contacted by ZDNet.co.uk, the company refused to say whether
any UK customers had been affected, whether any financial damage had
occurred, and whether any disciplinary action had been taken against any
employees as a result of the security incident. It offered no other
comment on the matter.
Salesforce.com first noticed a possible security breach when it saw a
rise in phishing attacks directed against customers "a couple of months
ago". Upon investigation, the company found that one of its employees
had been "tricked" into disclosing a password, allowing a customer list
to be stolen, according to Monday's letter, which was sent to customers
by executive vice president of technology Parker Harris.
"We learned that a Salesforce.com employee had been the victim of a
phishing scam that allowed a Salesforce.com customer contact list to be
copied," wrote Harris. "To be clear, a phisher tricked someone into
disclosing a password, but this intrusion did not stem from a security
flaw in our application or database."
The information in the contact list included individuals' names, company
names, email addresses, telephone numbers of Salesforce.com customers
and "related administrative data belonging to Salesforce.com", said
Once the phishers had the contact list, they attempted to phish
Salesforce.com customers. "Unfortunately, a very small number of our
customers who were contacted had end users that revealed their passwords
to the phisher," wrote Harris.
The domino effect continued. Not content with the security breaches
already achieved, the phishers began to target Salesforce.com customers
with malware. "A few days ago a new wave of phishing attempts that
included attached malware software that secretly installs viruses or
keyloggers appeared and seemed to be targeted at a broader group of
customers," wrote Harris, who added that this fresh wave of attacks was
what prompted Salesforce.com to publish the security letter.
Salesforce.com said it had been working with the group of affected
customers "to enhance their security", and with law enforcement and
industry experts to trace what had happened. It said it was monitoring
and analysing logs to be able to alert customers who have been, or could
still be, affected by the incident, and that it was "reinforcing
[employee] security education, and tightening access policies within
Harris's letter recommended that customers activate IP address
restrictions so users can only access Salesforce.com from the corporate
network or VPN, educate employees about phishing, and deploy email
filtering and anti-malware software. Customers should also designate a
security contact to liaise with Salesforce.com, consider using
two-factor authentication, and attend a security webinar on 8 November
on Salesforce.com's website.
Mark Sunner, chief technology officer for email-filtering company
MessageLabs, claimed that Salesforce.com had "had an issue with the
message filtering", and an issue with disseminating security information
to employees. He recommended companies use a mixture of education and
technical means to mitigate corporate data-theft phishing attacks.
"Employees have to be very sceptical about any requests for information
over email, IM or telephone," said Sunner. "You have to have message
filtering, but also educate people that this bad stuff is out there."
Sunner added that users need to be aware that posts on social-networking
sites such as Facebook could be used by phishers to harvest information.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com