Salesforce.com Responds To Phishing Scams
Earlier this week, Web-based CRM software provider Salesforce.com issued a letter on its trust.salesforce.com Website, warning employees about imminent security threats, which it said were "on the rise."
The letter, which was signed by Salesforce.com VP Parker Harris, stated that an employee had fallen victim to a scam in which a phisher tricked the worker into revealing a password. The password then gave the phisher access to a comprehensive customer contact list that contained first and last names, company names, e-mail addresses and telephone numbers, as well as other administrative data.
The letter went on to state that "a small number of customers began receiving bogus emails that looked like invoices," and were subsequently fooled into revealing passwords. Salesforce.com said that its support and security teams have been working with the affected customers in order to increase their own security. In addition, the company said it is working with "law enforcement authorities and industry experts in an effort to trace what occurred and prevent further attempts."
Salesforce.com also disclosed that it recently experienced a new wave of phishing attempts which included attached malware -- software that secretly installs viruses or key loggers. This new series of attacks seemed to be targeted at a broader group of customers, the letter maintained.
"That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness," the letter stated.
Among other security strategies, the letter urged administrators to "modify Salesforce implementation to activate IP range restrictions," tell employees not to open suspect e-mails, use security solutions from leading vendors and designate a security contact to more effectively ensure communication. The company also is offering an educational Webinar in which security personnel discuss recommended changes and best practices.
As a result of the phishing scams, Salesforce.com maintained in its letter that it has been collaborating with security vendors, implementing "take-down" strategies on fraudulent sites, evaluating and developing new technologies, reinforcing security education and tightening company access policies.
While Salesforce.com noted that phishing and malware scams were becoming more prevalent, the company asserted that the attacks were not the result of flawed security in its application or databases.