SalesCheck.co.za Website - Mon, 2008/01/07
Watch this space
Phishing and Salesforce.com - Mon, 2007/11/05
Dear Salesforce.com Customer,
It's time to take more action to prevent phishing. For salesforce.com, that means alerting our customers to specific new threats, raising awareness around the issue, educating administrators about key steps they can take today, and continuing to define, develop, and deploy the technologies that deliver customer security and success. In this note, we'll clarify recent issues and outline what our customers can do to increase security.
Phishing and Salesforce.com
Phishing and malware are Internet scams on the rise. As salesforce.com's community approaches one million subscribers, it has become an increasingly appealing target for phishers. In fact, we have seen a rise in phishing attempts directed at salesforce.com customers over the past few months.
When we first saw signs of this sudden rise, we conducted a thorough analysis. We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database. Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com. As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not—they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher. Our support and security teams have been working with the small group of affected customers to enhance their security and with law enforcement authorities and industry experts in an effort to trace what occurred and prevent further attempts.
However, a few days ago a new wave of phishing attempts that included attached malware—software that secretly installs viruses or key loggers—appeared and seemed to be targeted at a broader group of customers. That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness.
What We Are Doing
Customer security is the foundation of customer success, so we have been implementing and will continue to implement the best possible practices and technologies in this area. Our recent and ongoing actions include:
Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected
Collaborating with leading security vendors and experts on specific threats
Executing swift "takedown" strategies on fraudulent sites (often within an hour of detection)
Reinforcing security education and tightening access policies within salesforce.com
Evaluating and developing new technologies both for our customers and for deployment within our infrastructure. We will regularly update you on these security innovations.
What We Recommend You Do
Salesforce.com is committed to setting the standards in software as a service for being an effective partner in customer security. So, in addition to our efforts, we strongly recommend that our customers implement the following changes to enhance security:
Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts
Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection
Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
Consider using other two-factor authentication techniques including RSA tokens and others.
Attend an educational Webinar on Thursday, November 8 in which our experts will walk you through these recommended changes and best practices. Visit www.salesforce.com/security for details.
Unfortunately, phishing is a reality on the Internet these days. But with the right mix of awareness, education, and preventive technology, the consequences of phishing don't have to be part of that reality.
There is no finish line on security, so we hope that this information will foster more communication between salesforce.com and its customers on this very important matter.
We realize that you may have more questions, and our security and support teams are ready to help at any time.
Sincerely,
Parker Harris
EVP Technology
Salesforce.com