
Salesforce.com, customers hit with phishing attack

By Barney Beal, News Director
06 Nov 2007 | SearchCRM.com


Salesforce.com is warning customers to beware of a phishing scam that targets them with bogus invoices and attached malware.

In an email sent Monday, the San Francisco-based on-demand CRM provider said a Salesforce.com employee had been tricked into disclosing a password and allowed a customer contact list to be copied.

"To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database," Salesforce.com said in the email and in a statement posted on its trust.com website. "Information in the contact list included first and last names, company names, email addresses, telephone numbers of Salesforce.com customers, and related administrative data belonging to Salesforce.com."

Salesforce.com declined further comment.

According to the statement, a small number of Salesforce.com customers' end users also revealed their passwords as a result of the attack, and Salesforce.com is working with them and law enforcement to trace what occurred and prevent further attacks.

Salesforce.com was prompted to warn customers after another attack.

"However, a few days ago a new wave of phishing attempts that included attached malware -- software that secretly installs viruses or key loggers -- appeared and seemed to be targeted at a broader group of customers," the statement read. "That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness."

On-demand software has largely cleared the security hurdle because organizations have realized that the providers' security efforts were often stronger than what they had in place themselves, according to experts.

The providers' security efforts gained more credibility when large institutions like Automatic Data Processing Inc. (ADP) and SunTrust Banks began adopting the on-demand model. However, both ADP and SunTrust, which are frequently cited by Salesforce.com as customer wins in press releases and promotional material, were recently victimized by a "series of highly targeted phishing scams," according to The Washington Post's Security Fix blog. A SunTrust executive alleged that scammers got their SunTrust customer list from Salesforce.com.

"This is something that was going to happen to a Software as a Service provider at some point," said Rob Bois, analyst with Boston-based AMR Research. "This isn't unique to one company, or Software as a Service for that matter."

The problem wasn't a software or firewall-related issue, but a process problem, said Sheryl Kingstone, program manager for customer-centric strategies at the Boston-based Yankee Group.

"Sometimes, when you're a large, public company, you're going to be the target of these," Kingstone said. "The sad news is a lot of companies aren't prepared for it."

The more successful Salesforce.com became, the more likely it was to become a target of phishers, Bois said.

"This is something that Microsoft has had to deal with all along, being the big dog out there," he said. "They're going to go after whoever the big, prominent vendor in the market is. Salesforce.com has become the Microsoft of Software as a Service."

Salesforce.com phishing tips

In its statement, Salesforce.com said it is actively analyzing and monitoring its logs to alert customers who have been affected, executing "takedown" strategies on fraudulent sites, reinforcing its security education and tightening access policies at the company.

It recommends that customers modify their active IP range restrictions, which will allow users to access Salesforce only from the corporate network or VPN; educate employees not to open suspect emails; and be vigilant against phishing attempts. The company says it's important to deploy spam filtering and malware protection, designate a security contact within the organization for Salesforce.com to communicate with, and consider using two-factor authentication techniques.

Salesforce.com will also be hosting an educational Webinar on Thursday.


