
November 8, 2007

Salesforce Phishing Attacks Raise a Question of Emphasis

Salesforce.com Scrambles To Halt Phishing Attacks:

"Salesforce.com is doing damage control after a gullible employee inadvertently revealed a customer contact list to a phisher, which has, in turn, allowed the scam artists to engage in targeted phishing attacks against Salesforce's customers.

"In a letter sent to customers yesterday and posted on Salesforce.com's home page, Executive Vice President Parker Harris informed customers that a Salesforce.com employee had been the victim of a phishing scam that allowed a customer contact list to be copied.

"'To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database,' he wrote. User gullibility is most often the cause of such breaches and, apparently, was the case here as well.

"The phisher got away with first and last names, company names, e-mail addresses, telephone numbers of Salesforce.com customers and related administrative data belonging to Salesforce.com.

"The result is these customers have been receiving bogus e-mails that looked like Salesforce.com invoices, but are not. These are what some security experts refer to as 'spear phishing,' since they are targeted at a specific victim. Salesforce.com did not say who the targets are, but the Washington Post reports that SunTrust Bank and Automatic Data Processing (ADP), one of the nation's largest payroll and tax services providers, are among the targets."

One wonders what "related administrative data" is, but now that we've got the nut of it, let's circle back to the emphasis Salesforce.com would like to place on the incident:

"'To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database,' [Salesforce Executive VP Parker Harris] wrote."

If I were a Salesforce customer, I'd be more relieved if the data compromise had happened because of a bug. You can patch a bug or tell people what they need to do to remediate it while a patch is engineered. It's a lot harder to patch "gullibility."


Posted by mhall at 2:49 PM
