Want to know why Symantec spent $350 million to acquire data loss prevention firm Vontu? Salesforce.com just found out why.
Salesforce.com is doing damage control after a gullible employee inadvertently revealed a customer contact list to a phisher, which has, in turn, allowed the scam artists to engage in targeted phishing attacks against Salesforce's customers.
In a letter sent to customers yesterday and posted on Salesforce.com's home page, Executive Vice President Parker Harris informed customers that a Salesforce.com employee had been the victim of a phishing scam that allowed a customer contact list to be copied.
The phisher got away with first and last names, company names, e-mail addresses, telephone numbers of Salesforce.com customers and related administrative data belonging to Salesforce.com.
The result is these customers have been receiving bogus e-mails that looked like Salesforce.com invoices, but are not. These are what some security experts refer to as "spear phishing," since they are targeted at a specific victim. Salesforce.com did not say who the targets are, but the Washington Post reports that SunTrust Bank and Automatic Data Processing (ADP), one of the nation's largest payroll and tax services providers, are among the targets.
In his letter, Harris said "a very small number" of customers who were contacted by the spear phishers revealed their Salesforce.com passwords to the phisher. He also said that in recent days, a new wave of phishing attempts that included attached malware files, like key loggers, was being aimed at a broader group of customers.
Chenxi Wang, principal analyst for security and risk management at Forrester Research, said this threat will only increase. "Phishers are getting more sophisticated: their attacks have gotten a lot more targeted than the old days, where phishing was typically more random and ad-hoc," he said in an e-mailed comment to InternetNews.com. "Targeted phishing attacks promise more return profit. I anticipate that well see more targeted phishing attacks in the future."
Salesforce.com is taking a number of steps to address the problem, including monitoring and analyzing logs to alerts to customers who have been affected, consulting with security vendors, going after fraudulent sites, reinforcing security education and tightening access policies within Salesforce.com and evaluating new security technologies.