Targeted Phishing from Salesforce.com Leak

From Slashdot:

Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such hightly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

Posted on November 8, 2007 at 7:33 AM • 24 Comments

Comments

FPNovember 8, 2007 8:49 AM

It "resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database."

That doesn't sound like your regular run of the mill phishing scam asking for your online banking account information. Was that scam specifically aimed at Salesforce employees? Did it use insider information?

Another option is that the employee simply sold his login information to the phishers. We already know that many users reveal their passwords for a chocolate bar. How much would give you access to their company's databases for a suitcase full of cash?

Matt from CTNovember 8, 2007 8:51 AM

Map companies have long put minor mistakes on their maps -- perhaps mis-spelling a road slightly here (Wood Rd. v. Woods Rd.), adding an extra street to a subdivision called Rand-McNally Way.

The purpose being to demonstrate when a competitor copied their map (data). The small "mistakes" add up to a watermark in plain sight.

Makes me wonder if a similiar approach shouldn't be used when sharing large sets of data -- creating an account specifically used to detect breaches and identify which database was breached.

johnNovember 8, 2007 9:02 AM

It's really a very old technique. Publishers of data such as logarithm, triganometric and tide tables used to make a few deliberate errors in the least significant figures to enable them to detect copyists.

billswiftNovember 8, 2007 9:12 AM

Tables of information, phone listings, and so forth are not protected by copyright, as they are not creative works.

John LevineNovember 8, 2007 9:32 AM

So called "spear phishing" is not a new threat. I heard reports of it at a meeting of bank security officers at least three years ago.

If you think about it, the risks and rewards of targeted phishes, particularly if you know something about the targets, are much better than the random trolling we usually see. For example, if you can get account info of foreigners with large deposits in a US bank, and send them a phish that starts "the IRS has asked us a few questions about your account", consider both the likelihood of response and also of complaints.

Couldn't... resist... the... urge....November 8, 2007 9:36 AM

"Social Engineering: Because there is no patch for human stupidity"

Here, in the UK, the Labour party is well on track to attempt to create a patch for human stupidity.
Or at least what they perceive to be so. Protecting people from their own stupidity. Or just from their plain, informed or not, choice.

Now, we just need a patch for the Labour party :/

Simon_CNovember 8, 2007 9:37 AM

@billswift

Depends on your juristriction

In the UK and I think the EU the collection *is*
copywritable even if the data it is made up from is public domain.

jayhNovember 8, 2007 9:50 AM

The knee jerk reaction to this type of problem is tighten security, talk about 'educating users', etc.

The problem is, like in the case of auto accidents, security leaks can be reduced, but will not be eliminated, even with draconian measures. People will make mistakes, people will be fooled. Rather than expecting to be able to achieve zero leakage, we need to take a lesson from the highway safety folks. Try to minimize the damage that a leak can do, and try to build a legal and insurance system that deals with correcting the damage done rather than merely assign blame.

ElaineNovember 8, 2007 12:19 PM

@Matt from CT: My best friend signed up for a magazine using a variant of her name, one that she never uses. (She has a longish and common name.) She was then able to track pretty well who the magazine had sold her information to...because the junk mail always came with that variant of her name.

Billy the SquidNovember 8, 2007 12:57 PM

The book "Database Nation" reports that someone used a variant of their name to track data propagation - but a court ruled that they did not own the variant of their name so perhaps a minor address variant would have been preferable.

I have a fictitious relative who gets mail from various places as a result of appearing in a survey on an airtours flight in 2003.

AnonymousNovember 8, 2007 1:16 PM

@billswift, even if the tables are just collections would the errors inserted not be creative and thus subject to copyright?

JakeSNovember 8, 2007 1:23 PM

Part of the scam apparently involved installing a key-logger and remote access tool. Would that have been prevented if the victim used a non-privileged account so that software could not be installed covertly?

Pat CahalanNovember 8, 2007 1:55 PM

@ Elaine

> My best friend signed up for a magazine using a variant of her name, one that
> she never uses. (She has a longish and common name.) She was then able to
> track pretty well who the magazine had sold her information to...because the
> junk mail always came with that variant of her name.

That's been a long-established trick that unfortunately is losing ground on the electronic mail side; depending upon your email service, you can append character strings on the end of your username and sort your mail accordingly (using "-" or "+", commonly).

You wind up with something like:
username-yahoo@domain.tld
username-nytimes@domain.tld
username-paypal@domain.tld
etc.

all delivering to username@domain.tld, but you can see which address is being used.

thadiusNovember 8, 2007 7:01 PM

I create a unique email address for each business I deal with. For example, when asked to type in an address for companyA I give:

companyA+my last name@mydomain

This way is can detect selling of the address. I've done this for years but I'm thinking of giving up for two reasons:

1. No legitimate business has ever resold the address. They have send unwanted email but no case of mailing list selling has happened.

2. It is very expensive to spam filter on a domain which accepts email from any random string@domain.

Has anyone else experimented with this strategy?

Scott KeszlerNovember 8, 2007 9:30 PM

thadius:

I use the same strategy - unique email address per business - but instead of setting my domain's mailserver to accept any random email address I create an alias pointing to my primary email address. My /etc/mail/aliases file currently holds 372 aliases pointing to my primary address, and a few dozen more pointing to other email addresses. Sendmail is easily handling the 400+ aliases.

My results have been similar to yours: legitimate companies almost never sell or otherwise lose control of their mailing lists.

SteveJNovember 9, 2007 6:07 AM

@thadius:

Me too, with similar results. Addresses that I put on my website always start getting spammed eventually, but it takes quite a long time (presumably because my site is incredibly low traffic). For addresses that I use with legit businesses, I can pretty much always stop all mail by following unsubscribe instructions.

Addresses provided for "competitions", "special offers" etc sometimes get spammed briefly, but it usually goes away. In something like 3 years I've only had to killfile one address (of those I've invented myself) due to persistent spamming.

The main problem I've found with accepting everything to my domain is that spammers try to guess addresses - "root", "guest", "home", "info", "sales", "accounts", "3" (!?). And the only reason I'm still blocking those individually is because there haven't been enough of them yet (about 20 total) for me to bother switching from blacklisting to whitelisting.

One thing I've been very surprised by is how little spam I get to the email addresses on my PGP keys. Maybe harvesting keyservers is a good way to provoke counter-attacks from elite hackers (as opposed to l33t haxxors)...

So, I suspect that in most cases, spam only happens when you publish your email address. Companies that I do business with, and websites I create accounts on, don't sell my addresses to spammers.

Accepting all addresses doesn't affect my spam filtering - SpamAssassin does the same job on the machine hosting my email, regardless of how many addresses exim accepts ;-)

You might be able to cut your costs by only using expensive professional filtering on the smaller number of addresses you publish to the world, and sticking to cheap/free filtering for the myriad addresses you create for limited audiences.

JakeSNovember 9, 2007 8:45 AM

If you're operating your own domain, then as SteveJ says, spam only happens when you publish your email address, apart from the obvious names like info or postmaster. However, "publish" may include "tell your friends". One of the many chain e-mails that are going round, saying something like "forward this to as many people as you can and we'll donate 5c to this little child's cancer fund", says "copy this address so we know you've done it". Ha. One of my stupider friends forwarded this one, and spam started coming the next day.

Alternatively, your service provider may be hacked and/or its information stolen. That has happened in several cases, notably Hotmail (they admitted it). And recently I had occasion to register a Yahoo account; within a few hours it was being spammed, before I'd published the address anywhere at all.

Josh WhitingNovember 9, 2007 9:26 AM

It is about time Salesforce admitted the issue, if there were thoughts of this weeks ago they should have taken immediate action to ensure the safety of their clients data, even though this is a company nightmare if they took immediate steps towards a resolution perhaps some information received from individual clients may have been saved, this makes you wonder who your companies data is safe with, other CRM vendors such as Netsuite and Salesboom.com may be a safer bet for your company.

antibozoNovember 9, 2007 12:04 PM

Regarding maintaining a distinct email address for each business (which I do as well), two comments:

1. I've had addresses escape from companies before. A notable case was when I registered with gradfinder.com using a distinct address and some months later started receiving pr0n spam at that address.

2. The common email-borne worm tactic of scraping the address book for target addresses helps to publicize addresses that might otherwise remain secret.

DBHNovember 10, 2007 7:34 AM

Yahoo offers a similar service, customized email addresses, and some course control over whether they will send or just receive, and can be turned off. Then, once loaded into my client I can filter and manage more discretely, for those of us not running mail domains.

This issue has been the one concern I"ve had with 'renting' software; especially if the data resides remotely. It strikes me that if Salesforce employee creds give wide access to user databases, this is a problem.

bobNovember 12, 2007 10:24 AM

I have traditionally put "canary traps" (as Tom Clancy calls watermarking in his CIA world) in my home mailing address by using a fictitious serial apartment/suite number (I live in a single family dwelling, no apartment numbers) so I can keep track of which source sold my info to whom. Then when they call me to donate/buy more stuff I can tell them to use the revenue they got from selling my name.

CRM ExpertNovember 12, 2007 11:56 AM

If you use Salesforce.com, a company called OutProtect (www.outprotect.com) has a product that secures your downloaded data. The product stops authorized users (or people who have phished and stolen a valid ID/password) from removing Salesforce data without your knowing about it. These attacks are happening no matter what CRM you use, so OutProtect is a pretty cool way to lock down your info from walking out the door.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..