Poor Salesforce.com.

They continue to be under attack by phishing scams. As a customer I have been satisfied with their responsiveness and continue to root for them. My first sighting of the last Salesforce.com attack popped up in my ZDNet.com RSS feed on 11/06/07. The same day I received an email from Salesforce.com explaining what had happened and what they were doing about it. They offered a surprising level of transparency which, in my mind, showed courage and confidence, given how quickly they disclosed. Over the intervening days changes were implemented that were mildly inconvenient to the user yet improved the security of the Salesforce.com installation (and, more importantly, of our data).

Once again, yesterday (Tuesday, 1/8/08), I received another email from the company saying that Salesforce.com had been hit again, and this time I haven’t seen it in the press: another testament to transparency and full disclosure. Here is the first part of the email.

Dear Salesforce.com Customer,

Please be advised that there is a new malicious phishing email being circulated that is attempting to mimic the Salesforce Identity Confirmation feature.

What does this phishing email look like?

The goal of this malware is to attempt to collect user passwords to online systems, including banks, credit agencies, and salesforce.com. It does this using an email attachment that contains malicious software intended to compromise your PC. Known attachments have been variously named either form.zip or UpdateIElink.zip, but other names may exist.
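The notice above describes the lure well enough to write a simple mail-gateway check for it: an attachment whose name matches one of the two names Salesforce.com listed, or a zip attachment that carries an executable inside. The script below is an added example, not code from Salesforce.com or from this blog; the sample message it builds is constructed for the demonstration (the sender, recipient and zip contents are placeholders), and the list of executable suffixes is an assumed local policy, not something the notice specifies.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names quoted in the Salesforce.com notice; compared case-insensitively.
KNOWN_LURE_NAMES = {"form.zip", "updateielink.zip"}

# Assumed local policy: file types that should never arrive inside an unsolicited zip.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def build_sample_message() -> bytes:
    """Construct a sample message shaped like the lure (not a real capture)."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        # Placeholder bytes standing in for the dropper; not a real program.
        zf.writestr("UpdateIElink.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"  # constructed placeholder sender
    msg["To"] = "user@example.invalid"       # constructed placeholder recipient
    msg["Subject"] = "Salesforce Identity Confirmation"
    msg.set_content("Please open the attached form to confirm your identity.")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="UpdateIElink.zip")
    # A benign attachment, to show that ordinary files pass the check.
    msg.add_attachment("Meeting at 10.", filename="agenda.txt")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return one finding per attachment: filename, whether it is suspicious, and why."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower() in KNOWN_LURE_NAMES:
            reasons.append("filename matches a name from the Salesforce.com notice")
        # Look inside anything that starts with the zip magic, whatever its declared type.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    bad = [n for n in zf.namelist()
                           if n.lower().endswith(EXECUTABLE_SUFFIXES)]
                if bad:
                    reasons.append("zip contains executable content: " + ", ".join(bad))
            except zipfile.BadZipFile:
                reasons.append("attachment looks like a zip but cannot be parsed")
        findings.append({"filename": name, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Matching on the two published names catches only that one campaign; the zip-content check is the part that keeps working when the attachment is renamed, which the notice itself warns may happen.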

The surprising thing is the sophistication of the latest phishing attacks and the tactics they are using. My partner Ben pointed out the escalating sophistication of malware in his post Malware morphing at alarming speeds. You’ll see that the attack on Salesforce.com is not only a traditional phishing scam that tries to dupe the recipient; it also uses a trojan that does more than steal your username, password or credit card details on a fake web site. It goes after everything on your computer that might link you to a financial account!

Kudos to Salesforce.com for their disclosure and transparency, and watch out, because the phishing, malware and virus authors are all getting more aggressive and tenacious.

4 Responses to “Salesforce.com targeted again!”
  1. Michael says:

    What is the name of your company so I make sure to not do business with you!

    How can you be so cavalier about your customers’ data? That is why SF was targeted: they want your customer data. SaaS is dangerous because its weakest link is always the same, the people, and they are going to break no matter what you do.

    OWN YOUR CUSTOMERS’ DATA, DON’T LET SOMEONE ELSE!

  2. Andy Alsop says:

    I remember back in the 80’s when everyone screamed “Ahhh! You’re going to put your money in that bank machine?!” Then in the 90’s everyone was saying “I can’t believe you’re putting your credit card into that web site!” Now it’s SaaS. I am sure it will be something else at some point. Yes, SaaS apps have been the target of attacks but in the case of Salesforce the attacks have been an effort to dupe human beings into giving away credentials and in this case it was successful. Crooks have been trying to do this in the real world for centuries. Did Salesforce sit back and just wave their hands saying it wasn’t a problem? No, they made changes to their system that stopped this from happening in the future. And they did it quickly.

    Yes, our customer info is in Salesforce but we don’t put CC info or social security numbers or copies of their passwords into the system. I assume you do some banking online. Don’t those banks have far more sensitive data such as SS numbers, bank account numbers, etc?

  3. Stephen Smoogen says:

    The main issue with SaaS (Software as a Service) systems is that the majority of them use the philosophy of collecting as much information about their customers as possible in order to sell it to other people (in the case that they need to for further revenues). Most collected and stored their data in plain text and in ways that would have made Credit Card companies flinch before the days of PCI. I remember one site that one could get to any other customers data by just getting a minimal paying account and then changing a tag in the post from one 5 letter ’string’ to another. And when the company went under.. all its data ‘disappeared’… except for the copy that was for sale on a cracker site in Russia.

    I think that is the major reason for Reasonable Fear, Uncertainty and Doubt about this sort of data. Banking at ATMs is somewhat regulated and controlled in ways that may not ‘completely’ protect the customer but do raise the level of trust. The self-regulation of the PCI standards does the same for Credit Card data on websites.. until there is a similar set of government or industry regulations that have teeth.. I would seriously doubt putting confidential data blindly into SaaS.

    Any SaaS company must be able to show in some clear and transparent way:
    1) What it collects
    2) What it stores and how?
    3) What are the security mechanisms and methodologies you use to protect that data. (using the methodology that if you are protecting your customers information by obscurity.. you aren’t doing enough because the crackers just have to get someone hired in for a short time to make it ‘open’ to them).
    4) How do you truly purge that data when asked to.
    5) How else do you lower customer risk?
    6) What are your general Incident Response Items from customer notification and cleanup to methodologies on trying to rectify and remediate found vulnerabilities.
    7) What are a customer’s rights and responsibilities and what are the company’s (in clear English that a high school student can understand).

  4. Andy Alsop says:

    Stephen: Excellent comment. Thanks for posting!

    I assume much like anything else in an unregulated industry there are varying degrees of “abuse.” Some of the lesser known SaaS businesses can fly under the radar, but isn’t there the potential that Salesforce.com’s entire business could be in jeopardy if it were to hit the wires that they were using customer data inappropriately or irresponsibly?

    My assumption is that a competitor like SugarCRM or Sage CRM Solutions would just love to expose a company like Salesforce.com if they were collecting and using their customers - customers data in ways that would be obvious violations of even the most basic ethics (like selling names or brokering out confidential information). The NY Times would love to do a Sunday Business piece on that!
