ITPRO

Printed from www.itpro.co.uk


    Salesforce.com phishing highlights security loophole

A security vendor today urged organisations to install behavioural analysis software after the hosted software provider's database became a phishing target.

By Miya Knights, 9 Nov 2007 at 18:06

Salesforce.com, the on-demand software company, this week admitted it and its customers were targeted by cyber-criminals, prompting security experts to call for extra measures to track potentially risky online behaviour.

In an open letter to customers, the software-as-a-service market leader confirmed it had been the target of a phishing exercise designed to get its end-user customers to divulge sensitive financial information.

It said the compromise occurred when a Salesforce.com employee fell victim to a phishing scam that allowed a Salesforce.com customer contact list to be copied.

"As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices," it warned.

Tier-3, the behavioural analysis IT security software specialist, used the emergence of this latest and increasingly sophisticated tactic in the cyber-criminals' armoury to warn companies of the need to install behavioural analysis software on their systems.

Geoff Sweeney, Tier-3's chief technology officer, said: "The fact that the emails are addressed to specific customers and purport to come from Salesforce.com means that the chances of a customer's PC being infected are quite high."

Although the tactic seemed new, he said it capitalised on a classic situation where widely deployed security technologies can't be relied upon to protect organisations against these types of threats.

"If the companies concerned have real-time behavioural analysis software installed on their systems, even if they open the bogus emails, any unauthorised interactions with their PC, including the installation of Trojans, other malware and data leakage, could have been locked down," he added.
