« Electronic Jihad? | Main | Privacy Problems with Social Networks »

The news about Salesforce.com's phishing incident broke almost 2 weeks ago on Slashdot...although there were rumors swirling about for a number of days prior to the report. A Salesforce employee fell victim to a phishing attack that captured his company credentials. The attackers used those credentials to harvest customer contact data and began to send phishing attacks to customers, in the form of fake Salesforce invoices. As you might expect some number of customers fell for the scam and yielded their Salesforce account info.

There are a few interesting implications of this phishing attack, none of which pertain specifically to what Salesforce should or could have done.

Implication #1 - this kind of targeted phishing or "spear phishing" is difficult to monitor and eliminate. When a specific target is singled out, the attack tends to proceed undetected for a while before it becomes evident. No specific remedies or signatures are available to address them.

Implication #2 - until now, most highly phishing attacks have been targeted at financial institutions and consumers. Relatively recent examples include the Bank of America "change of email" scam and ADP.
Not surprisingly, SaaS providers may now be next on the list. Although, the value of the information to scammers may not be apparent, it is likely that phishing attacks against SaaS applications that hold identity and proprietary info will be on the rise.

Implication #3 - phishing is only the starting point for the attack. In the Salesforce incident, it was uncovered that some of the customers who were effectively phished, also had keyloggers and other malware downloaded onto their machines. From the Salesforce letter sent to customers -

"...As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not--they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher... However, a few days ago a new wave of phishing attempts that included attached malware--software that secretly installs viruses or key loggers--appeared and seemed to be targeted at a broader group of customers."

Not a lot of good news there. The point is that in this new Web 2.0, Saas enabled world, there is a Long Tail to this phishing problem...targeted, sophisticated attacks cannot be tackled by simply preaching "security awareness". Nor it is enough to use signature based phishing detection techniques. We need a different approach.

Posted by andreyee in Industry Trends • Privacy/Information Theft • web 2.0 |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2889