
Highly Targeted Phishing From Salesforce.com Leak

kdawson posted more than 6 years ago | from the no-more-drift-nets dept.

Security 72

An anonymous reader writes "Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission." In such highly targeted attacks, the AV companies are at a loss: they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

72 comments


ummm... what? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21259955)

In such highly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
In other news, the auto-safety companies are at a loss with respect to fire safety violations in people's homes - they have little chance of quickly developing airbags for threats like leaving a cigarette burning and unattended.

Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites (e.g. banking sites not using email for official correspondence, not allowing info to leak, etc.). There are some technological tools that can help reduce the impact of phishing (e.g. toolbars that notify the user of suspicious activities) but ultimately this is an issue of user education...

...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

Re:ummm... what? (1)

Iphtashu Fitz (263795) | more than 6 years ago | (#21260105)

I think the post is implying that the phishing attack is using some sort of malware targeted at the individuals. Imagine you're not a security-conscious person and you get an e-mail with an attachment claiming to be from SalesForce.com. The e-mail looks exactly like the kind of e-mail that you're likely to get from them, and the attachment may actually include a Word document or something else that you're likely to get from them. Your virus scanner doesn't warn you that the attachment is a virus/worm/trojan so you open it up and your machine gets rooted as a result. Your response when your local IT guru shows up? "Well Norton AntiVirus didn't flag it as a virus!"

Phishing has become much more sophisticated. A phisher with access into a company like SalesForce.com may very well send out e-mails that look very realistic to the site's customers but with a payload that only a very savvy internet user might catch on to. What are you supposed to do, give up dealing with ANY company over the internet because you can't be certain if the e-mail you received from them is legitimate or a scam perpetrated by a hacker that got into their systems?

Re:ummm... what? (1)

Suhas (232056) | more than 6 years ago | (#21262121)

Malware is malware whether it arrives as an attachment with a Salesforce.com email or from Jody hawking Viagra. A heuristic AV algorithm should find it and flag it as such.

Re:ummm... what? (0)

Anonymous Coward | more than 6 years ago | (#21262303)

The problem is that AV heuristics are largely reactive rather than proactive. AV companies will release updated definitions in response to large outbreaks of the malware. But when the attacks are highly-targeted, everyone who's at risk for getting infected has already been infected (minus the users who are savvy enough to recognize the threat themselves) by the time the AV companies get wind of the new malware. In this situation, it's largely futile to release updated malware definitions.

You can argue that the heuristics should be more proactive, but that's very difficult since malware creators have access to AV software and can just keep tweaking their code until it makes it past the detection mechanisms.
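The two points made in this sub-thread (signatures only catch what has already been seen, and attackers tweak samples until they pass) can be shown concretely. The following is an added example, not code from the original thread or from any AV vendor: a constructed stand-in "attachment" is checked against an exact SHA-256 signature and against a crude string heuristic, then mutated the way an attacker would. The sample bytes, the indicator strings and the address in them are all made up for illustration.

```python
"""Why exact signatures lag targeted malware.

A one-byte change defeats a hash signature; a string heuristic survives that,
but falls to the attacker's next cheap trick (obfuscating the strings).
"""
import hashlib

# Constructed stand-in for a malicious attachment payload. NOT real malware:
# a fake 'MZ' header, two API names typical of downloaders, and a fake URL.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00"
    + b"URLDownloadToFileA\x00WinExec\x00"
    + b"http://198.51.100.7/update.exe\x00"
)

# Constructed "signature database": the one hash a vendor would have shipped
# after seeing this exact file.
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Constructed heuristic: API names that, seen together, suggest a downloader.
SUSPICIOUS_STRINGS = (b"URLDownloadToFileA", b"WinExec")


def signature_match(sample: bytes) -> bool:
    """Exact-match detection: fires only if this precise file was seen before."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def heuristic_match(sample: bytes) -> bool:
    """Content heuristic: fires if every indicator string is present, hash aside."""
    return all(s in sample for s in SUSPICIOUS_STRINGS)


def tweak_one_byte(sample: bytes) -> bytes:
    """Attacker's cheapest evasion: flip one padding byte. Behaviour unchanged,
    hash completely different."""
    mutable = bytearray(sample)
    mutable[2] ^= 0xFF  # byte 2 is padding after the 'MZ' marker
    return bytes(mutable)


def xor_obfuscate_strings(sample: bytes, key: int = 0x5A) -> bytes:
    """Attacker's next step: XOR the indicator strings so a string heuristic
    misses too (real malware decodes them at run time)."""
    out = sample
    for s in SUSPICIOUS_STRINGS:
        out = out.replace(s, bytes(b ^ key for b in s))
    return out


def evaluate(sample: bytes) -> dict:
    """Run both detectors and report which of them fire."""
    return {"signature": signature_match(sample), "heuristic": heuristic_match(sample)}


if __name__ == "__main__":
    print("original      :", evaluate(ORIGINAL_SAMPLE))
    print("one byte off  :", evaluate(tweak_one_byte(ORIGINAL_SAMPLE)))
    print("strings xored :", evaluate(xor_obfuscate_strings(tweak_one_byte(ORIGINAL_SAMPLE))))
```

The original sample trips both detectors; the one-byte variant trips only the heuristic; the string-obfuscated variant trips neither. For a campaign aimed at a few thousand recipients, the attacker only has to reach that last state once, before the first sample is ever submitted to a vendor.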

Re:ummm... what? (1)

wud (709053) | more than 6 years ago | (#21260145)

If you RTFA you'll see that the phishing scam was to download malware, so the AV companies would need to fend off the malware.

Re:ummm... what? (1)

wizardforce (1005805) | more than 6 years ago | (#21260375)

Seriously, what do AV companies have to do with phishing scams? The proper counter-attack to phishing is user education, and proper security practices at various sites
If the user population were sufficiently educated, spyware, viruses, trojans and phishing wouldn't be nearly the problem they are today. Antivirus software is for defending after the fact; by the time it comes into play you've already lost. Notice that there are few if any AV companies that specialize in OSes that are not frequently targets of viruses, trojans etc. No money to be made. That being said, antiphishing software could very well be merged with AV or antispyware software and sold as such. A lot more of a reason for Joe Average to buy more software.

Re:ummm... what? (4, Funny)

phantomcircuit (938963) | more than 6 years ago | (#21260399)

"User education"

haha .... hahahahahaha.... HAHAHAHAHA

You had me there. No really what is your solution to phishing?

Re:ummm... what? (2)

Not_Wiggins (686627) | more than 6 years ago | (#21260615)

...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...

Because when your only tool is a hammer, EVERYTHING is a nail.

Re:ummm... what? (1)

jt2377 (933506) | more than 6 years ago | (#21263389)

How do you tell your users, if a SaaS provider like Salesforce operates in a black box and doesn't tell you they've had a security breach until some blogger exposes it? If you run your own CRM/IT then you can reduce the risk. This is simply a SaaS provider operating in a black box and not giving a shit about its users until shit hits the fan for them.

Re:ummm... what? (1)

virtual_mps (62997) | more than 6 years ago | (#21265589)

Seriously, what do AV companies have to do with phishing scams?
[snip] ...and I really have trouble understanding why AV companies should be the ones to come up with 'signatures' to detect this stuff...
Well, AV companies are the ones who sold people snakeoil^H^H^H^H^H^H^H^H security in a bottle. It's the AV companies who have built a business model around the message "give us money every year or you won't be 'secure'"; I think it's perfectly reasonable for people to ask them to deliver the "security" they were promised. I can't count the number of times I've seen a user with a malware infection give me a confused look and say "but I've got antivirus installed". The fact is that the AV companies do a really shitty job at protecting people from current threats. The AV software by design only detects old malware that it has signatures for, and malware authors are now changing the malware on a better than daily basis to evade that detection model. AV vendors know that, and push this idea that they have super secret ninja technology that will detect malware that they don't have signatures for, so people shouldn't let that worry them. In the real world, computer science theory will tell you that it isn't possible to look at a program and tell up front whether it's malware--but that's what the AV people have been selling. So, yeah, I think it's past time for people to ask what value they get from their AV product.

the only option (3, Interesting)

Lord Ender (156273) | more than 6 years ago | (#21259957)

Because it is against human nature to be completely paranoid and skeptical of every email received, the only reliable way to fight this sort of thing is for everyone to digitally sign email messages through a reliable PKI hierarchy. Only when a federal regulatory body works with all the major email client producers (microsoft, google, etc.) would it be possible for such a thing to actually make it. Under "free market" forces, these companies do not have the incentive to cooperate.

Re:the only option (1)

eneville (745111) | more than 6 years ago | (#21260025)

But this is the sort of case that would work well, since it's a small group of people; perhaps the managers of a few companies could sign at a sales meeting? Who knows what is convenient for them.

But once a few of them are acquainted, it becomes a stronger web of trust, so mail could easily be verified.

But if the credentials were phished then I reckon it's not that hard to get the pri key.

Re:the only option (1)

Lord Ender (156273) | more than 6 years ago | (#21260127)

but if the credentials were phished then i reckon it's not that hard to get the pri key.
No. There is a big difference between knowing someone's email address and having system/root-level access on their PC (or better yet: physically stealing their smartcard).

So much money would be saved from fraud by issuing everyone smartcards (say, with their tax returns?) that such a system would pay for itself quickly. It is impossible to steal keys off of a smart card via a remote hack.

Re:the only option (1)

eneville (745111) | more than 6 years ago | (#21260619)

Nice idea... I like it, but it's not going to appeal to everyone, as not everyone has to fill it in... only certain people who are not on a visa and are over a given age. Sufficient enough though to warrant use. What about making a huge key that lasts 10 years at birth? Put the owner's jpg in it and have the registry office sign it; might as well call it a passport (I don't know if the photo itself is signed in GnuPG; it should be).

Re:the only option (1)

Lord Ender (156273) | more than 6 years ago | (#21263793)

It could be issued with drivers' licenses. It doesn't have to have an expiration any shorter than a human lifespan, as long as a good revocation system is in place.

Re:the only option (1)

eneville (745111) | more than 6 years ago | (#21279515)

I think it does need a short life span, otherwise there will be an IPv4/IPv6 phase to go through later on. Give it a short life span so that incredible computers in the future cannot reverse the pri key.

Re:the only option (1)

metachimp (456723) | more than 6 years ago | (#21289869)

So, how does this protect Joe Dumbass from giving up his information voluntarily? If I need a smartcard to verify that it's me who is using the machine, then how does this prevent me from clicking through a phishing attempt and giving over my authority which has already been granted? Am I to understand that none of us have root-level access to our own machines? Forget that. If anything, centrally issued smartcards would simply allow companies who might otherwise be on the hook for bad behavior to simply push it off on users.

And sure, like I really want a Federally issued smartcard. Do I have any reason to suspect that it won't be used by the feds for all the wrong reasons?

That is just the worst idea I have heard as a solution to this problem I have *ever* heard.

Re:the only option (1)

cheater512 (783349) | more than 6 years ago | (#21260203)

Private keys are protected with far more secure methods than most other things. That's including credit cards and similar sensitive stuff like that.

Cacert.org keeps theirs on a secure box whose only connection to the net is a slow serial link.

Re:the only option (2, Informative)

eneville (745111) | more than 6 years ago | (#21260591)

The .pri is usually in the user's home directory... so a browser exploit could read that... For that matter, any exploit in any software that the user can run would normally run with the user's credentials, and thus be able to read it. It shouldn't have read access to anyone else in the department though... but it's still a possibility. So, use your pass phrases!

Re:the only option (1)

Lord Ender (156273) | more than 6 years ago | (#21266755)

Well, if I were given a $500M budget and were asked to implement it nationally, I would issue smart cards and legislate smart card readers come standard on typical desktop PCs (adding $3 per machine, I suppose).

And you're wrong on another count. On Windows, private keys can only be accessed directly by a user with System level access.

Re:the only option (1)

eneville (745111) | more than 6 years ago | (#21279521)

And your wrong on another count. On windows, private keys can only be accessed directly by a user with System level access.
No, that's a different key; what planet are you on? I'm talking about the GnuPG system of pub/pri keys. If what you're saying is true, then my mail reader (when I have accessed mail from a Windows box) would have to escalate to a system user, which it never did.

Re:the only option (1)

Lord Ender (156273) | more than 6 years ago | (#21283433)

GNUPG would not be a major concern on such a project, because the target audience would be primarily windows. Hardware-based smart cards would be the way to go.

Re:the only option (1)

phantomcircuit (938963) | more than 6 years ago | (#21356797)

Are you seriously saying that there should be an email system that can only verify the identity of windows users?

Re:the only option (1, Funny)

Anonymous Coward | more than 6 years ago | (#21260275)

Because it is against human nature to be completely paranoid and skeptical of every email received

Speak for yourself. I completely distrust every e-mail, and have never, ever clicked on an attachment to an e-mail. I've gotten hundreds of phishing scam e-mails... never fell for one.

When I was sysadmin at a large Fortune 500 company (back in the days of floppies), my policy was that if you got a virus, I had a box of floppy-locks and you got one for a week.... and had to get someone else to read your floppies and save work for you to take home or copy work from the floppy back to the network. Worked great -- sort of a scarlet letter. One person re-offended, and he lost all computer privileges for a week. We should figure out some way to brand a scarlet letter "D" for dumbass onto the foreheads of people that fall for phishing scams.

Re:the only option (0)

Anonymous Coward | more than 6 years ago | (#21260529)

No wonder everyone hates sysadmins. Christ.

Re:the only option (1)

hostyle (773991) | more than 6 years ago | (#21260771)

Yeah. Of course, on the other hand, everyone loves cleaning up the messes created by morons.

Re:the only option (1)

Cheesey (70139) | more than 6 years ago | (#21261017)

Could be worse... [iinet.net.au]

But I don't know if anyone, even the BOFH, would be immune to a sufficiently targeted attack. (Although naturally a targeted attack against the BOFH would be a fatal mistake...)

Re:the only option (1)

crabpeople (720852) | more than 6 years ago | (#21260737)

"[sic]Because it is against human nature to be completely paranoid and skeptical of every email received"

I guess I'm not human then. Homo sapiens sapiens paranoius?

AV companies appropriate? (5, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21259991)

Are AV companies even the appropriate resource for dealing with phishing scams? Why don't we just teach people some common sense or something? Phishing is a user education problem, not a problem to be attacked by antivirus tools.

Re:AV companies appropriate? (1)

sjwest (948274) | more than 6 years ago | (#21260063)

I think the article poster is saying that perhaps salesforce.com should pony up and pay the a/v firms to fix the problem being that it affects very few people.

Re:AV companies appropriate? (3, Insightful)

bhima (46039) | more than 6 years ago | (#21260065)

'cause if we actually could just "teach people some common sense or something" we would have long ago done so.

People are the way they are and no amount of you (or me) being smarter than the herd is going to change it.

Here's a suggestion (1)

Colin Smith (2679) | more than 6 years ago | (#21260543)

Fire the people who are infected.

Re:Here's a suggestion (0)

Anonymous Coward | more than 6 years ago | (#21274603)

Riiiiiiiiigggggght. So who's going to be the one to walk in and fire the CEO?

Re:AV companies appropriate? (1)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21260341)

It depends upon the type of phishing. The more traditional fraudulent email can't really be prevented, but there are several related attacks that are the domain of AV. They range from the more typical virus changing your HOSTS file, to more sophisticated attacks against your home router (changing your DNS servers to a malicious one). With these you don't need an email. You can even type the name of the website in the address bar, but you'll go to the evil site anyway.

It's like I sometimes say when I feel like it: build a better mouse trap and God will build a better mouse.

Only this is sort of the reverse where you are the mouse and phishers are the mouse trap builders. So that should be something more like: genetically engineer a better mouse, and the Devil will build a better mouse trap.
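The HOSTS-file variant of pharming mentioned above is one of the few phishing-adjacent attacks that leaves a checkable artifact on the victim's machine. The following is an added example, not code from the original thread or from any product: it parses a hosts file and flags any hostname pointed at an address outside the loopback, unspecified, link-local and RFC 1918 ranges, since a legitimate hosts file has no business redirecting a public-looking name anywhere else. The sample hosts content is constructed; 203.0.113.10 (a documentation range) stands in for the attacker's routable server, and the example-bank names are invented.

```python
"""Detect hosts-file pharming.

Legitimate hosts files map names only to loopback, sinkhole (0.0.0.0), link-local
or RFC 1918 addresses. An entry pointing a public-looking domain at any other
address is the signature of a HOSTS-modifying trojan.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file. The two 203.0.113.10 lines are the kind of
# entries a pharming trojan drops; 203.0.113.0/24 stands in here for a real
# attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    myprinter.lan
203.0.113.10    www.example-bank.com   example-bank.com   # injected
203.0.113.10    login.example-bank.com
0.0.0.0         ads.example.net        # ad-blocking sinkhole, harmless
"""

# Private ranges a hosts file has a legitimate reason to point at.
RFC1918_AND_ULA = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments
    and malformed lines."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address; skip rather than guess
        pairs.extend((addr, name.lower()) for name in names)
    return pairs


def is_benign_target(addr: str) -> bool:
    """True for addresses a hosts file legitimately points names at."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return True
    return any(ip in net for net in RFC1918_AND_ULA)


def find_pharming_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that redirect a hostname to a non-local address: likely pharming."""
    return [(addr, host) for addr, host in parse_hosts(text) if not is_benign_target(addr)]


if __name__ == "__main__":
    for addr, host in find_pharming_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {addr}")
```

On a real machine, feed the function the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts. Router DNS hijacking, the other attack in the post, leaves no trace in this file; for that, compare the resolvers the router hands out against the ones your ISP or your own configuration is supposed to provide.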

It's not just targeted phishing... (4, Funny)

argent (18001) | more than 6 years ago | (#21260085)

If you know about a security hole in a product, and you write a program to attack it, and fire it off at a specific target, odds are poor that any antivirus software will catch it. And if it's a remote execute vulnerability, the target won't have a chance to avoid being phished, because it'll all happen automatically.

Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day). This means that these attacks work often enough that if you can target a few hundred people at a specific location you'll get one, and they happen often enough that it's not even suspicious for a few hundred people at a location to get a dialog box asking if they want to infect their computer now.

Antivirus software can't help.

Security is like sex.

Once you're penetrated you're fucked.

Re:It's not just targeted phishing... (1)

Sigma 7 (266129) | more than 6 years ago | (#21260437)

Also, there's software (like Internet Explorer) that pretty much trains people to fall victim to "thin" social engineering attacks (by, for example, crying wolf hundreds of times a day).
Crying wolf isn't the problem. Instead, the problem is crying wolf when you can properly handle the wolf without collateral damage.

For example, some Firefox configurations can be set to block popups from web plugins. However, the common method of setting privacy.popups.disable_from_plugins to 2 prevents you from opening any popup from a plugin even if you wanted to. The correct procedure is to record the URL that needs to be opened (as it does if Javascript tries a popup.) Because of this, Adblock is more effective than the stock implementation.

The other example is IE6, before SP2 was released. While it correctly cried wolf when it showed something coming from Gator, you couldn't add that publisher to the list of untrusted sources from that alert window.

Re:It's not just targeted phishing... (2, Insightful)

argent (18001) | more than 6 years ago | (#21260821)

Crying wolf isn't the problem.

It sure is.

This isn't just phishing I'm talking about, this is a remote execution attack that works because the user is trained to answer "yes" when they see a security dialog.

If your software is asking the user "Do you want me to do (dangerous thing)?" often enough that the user is conditioned to respond in the affirmative, that's a problem. Internet Explorer should have had every single capability related to the one that Gator used removed from the browser in 1997. In fact, I honestly expected Microsoft to do the logical thing and back out most of the browser/desktop integration and reimplement it with a "default closed" model that required explicit installation of plugins by the end of that year. Boy was I naive.

Re:It's not just targeted phishing... (1, Funny)

Svartalf (2997) | more than 6 years ago | (#21261013)

Boy was I naive.

Your mistake was in thinking that Microsoft was a Software Company.

They're nothing of the sort.

They are an Abuse Company that uses Software as the vehicle to deliver this abuse, as opposed to words, whips, and/or chains. >:-)

Screw antivirus, call law enforcement! (1)

necro2607 (771790) | more than 6 years ago | (#21260097)

Like the title of this post says - screw antivirus software, call appropriate law enforcement agencies when you get these phishing attempts!

Re:Screw antivirus, call law enforcement! (0)

Anonymous Coward | more than 6 years ago | (#21260251)

And they'll do what other than laugh at you?

Re: law enforcement! (3, Funny)

Anonymous Coward | more than 6 years ago | (#21260775)

I did this once. I reported the phishing scam e-mails, provided them with the e-mail address, details of the scam and gave them a link to a security website that reported the scam.

The response I got was basically, "They're not doing anything illegal. If you send them money/info about you, that's your business."

In short, as far as law enforcement in Canada is concerned, if you're dumb enough to fall for phishing, tough luck. And I kind of agree with them. It doesn't leave me with a warm, fuzzy feeling, but I agree. Phishing scams are a sort of virtual survival of the fittest.

Re: law enforcement! (0)

Anonymous Coward | more than 6 years ago | (#21262187)

If I ever go into phishing, I know who my first target will be: Canadian law enforcement.

Re: law enforcement! (1)

necro2607 (771790) | more than 6 years ago | (#21262607)

While I haven't reported phishing specifically, I've reported spam (both of which are unsolicited emails, by the way, with phishing actually being notably more harmful), and gotten a response nearly every time that the issue will be pursued (although in these cases I contacted the ISPs that owned the IPs that were sending out emails, and this was in the late 90s where the net wasn't full of millions of zombified PCs so it was easier for ISPs to pursue).

Either way, sure, I imagine a lot of the time you'll get lame "too bad" responses, but phishing is still considered illegal all over North America and Europe. Please see here [wikipedia.org] for a bit of text about the legal response to phishing attacks. Note the guy mentioned at the end facing a potential maximum of 101 years in jail for phishing thousands of AOL users.

Re:Screw antivirus, call law enforcement! (1)

Blackknight (25168) | more than 6 years ago | (#21261691)

As if they care.

Re:Screw antivirus, call law enforcement! (4, Interesting)

gujo-odori (473191) | more than 6 years ago | (#21262039)

They do. Federal law-enforcement is always present at, and typically presents at, APWG meetings (I work for an APWG member), and they do track this stuff, and when possible, make arrests. Among the problems they face are volume (there's so much of this stuff, and LE does not have unlimited resources), time (doing the investigation and compiling evidence is by its nature very painstaking work), and the fact that the perps are most commonly in Russia and other eastern European countries, making apprehension and prosecution far more difficult.

They can't solve all the problems, or maybe even most of them, but they're doing what they can, and it's more than you'll read about on Slashdot. No matter how much resources the FBI and others throw at this problem, however, it will always remain mostly a problem of technology combined with user education.

At the last APWG meet, in Pittsburgh, some researchers from Carnegie-Mellon presented their findings on an anti-phishing game they wrote, the idea being that you can more effectively train users to not be phished by having them play a video game, rather than read some boring instructions from the IT department or watch a similarly boring video. Their test subjects showed real improvement vs. a control group, and there has been considerable interest in the game.

A preview version is here, for anyone interested:

http://cups.cs.cmu.edu/antiphishing_phil/ [cmu.edu]

License is CC-attribution-non-commercial.

(I am not affiliated with CMU)

Re:Screw antivirus, call law enforcement! (1)

necro2607 (771790) | more than 6 years ago | (#21262571)

Thanks for posting something informative & interesting as opposed to the rhetorical "who cares" bullshit other people were posting in response. :)

Re:Screw antivirus, call law enforcement! (1)

glitch23 (557124) | more than 6 years ago | (#21263715)

Like the title of this post says - screw antivirus software, call appropriate law enforcement agencies when you get these phishing attempts!

You actually think they will care or even have the knowledge and know-how to do anything about it? There is, however, the Internet Crime Complaint Center [ic3.gov] and here [fbi.gov] just down the street from me (10 min).

When technology is not the answer (4, Insightful)

DFDumont (19326) | more than 6 years ago | (#21260103)

Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition. In most of the cases the fatal flaw in any data security design is the people who run it.

My point is simply this. Training hours spent with each employee about how to recognize and respond correctly to online threats would have been a more effective and likely cheaper alternative to whatever their last security initiative was. Conversely, testing or "job skill validation" that prevents people likely to do stupid things from getting enough clearance to have an email address on the corporate server would also be effective.

The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?

IMHO technology is not, and should not be thought of as, the solution to all problems.

Dennis Dumont

Re:When technology is not the answer (2, Informative)

value_added (719364) | more than 6 years ago | (#21260425)

The problem with modern operating systems is that they allow people to think they know how to run a computer. Vista says, "Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

I think that's a fair representation of the current state of affairs. Moreover, it pretty much sums up the beginning, middle and end of most malware issues. From the article:

Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and given the chance to decline the execution. Anyone who ignored that warning witnessed yet another social engineering feat. The invading program then produced a pop-up alert complaining that Microsoft Word had crashed, and that the user could double-click on a provided icon to restart Word. It was in double-clicking on that "OK" tab that victims were setting the final stages for allowing a Trojan horse program to invade their machines and record every single keystroke that they typed from there on out.

Seems to me that user training and education demand too much of everyone, and are too hard and too expensive. Instead, the "Let's continue the search for outside solutions to protect us from ourselves" approach, rather than being regarded as something that resembles the Lord's Prayer, becomes a rational business decision.

Re:When technology is not the answer (0)

Anonymous Coward | more than 6 years ago | (#21260427)

"Shall I allow trojan.exe to run?" User says to self, "Self, I have no clue what that is, so I better let it run."

You can tell by looking at an executable's name whether a program is malicious or not? You're good.

Were web-based services ever the answer? (3, Insightful)

Anonymous Brave Guy (457657) | more than 6 years ago | (#21260459)

Not everything can be addressed through technology. This is such a case. Note that the original error was with a human being that chose to be duped by a phishing expedition.

True, but this story appears to have started with an employee of an outside service, salesforce.com, succumbing to phishing.

While you can't entirely beat sociological threats through technological defences, this case doesn't exactly support the standard software-as-a-service provider's argument that by outsourcing your data handling to them, you are avoiding the complexity and problems of doing it yourself. What next, confidential planning documents from a company using one of the web-based office suites get leaked after the office suite business gets tricked? There is a lesson to be learned here.

Technological solutions and behavioral problems (1)

DragonHawk (21256) | more than 6 years ago | (#21263009)

Not everything can be addressed through technology. This is such a case.

Indeed. This was a people problem, through and through.

I note that, in their list of things SalesForce.com says they are doing to make sure it doesn't happen again, conspicuously absent is anything to do with people.

"There are seldom good technological solutions to behavioral problems." -- Ed Crowley

Re:When technology is not the answer (1)

Tim C (15259) | more than 6 years ago | (#21265267)

Anyone else see a problem with leaving immediate security questions to be answered by the person who happens to be at the keyboard?

Yes I do, but the alternative is to whitelist the applications that are allowed to run and disallow everything else. That may work fine in the corporate environment, but it would fail utterly in the home environment where the user is the admin.
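As an added illustration of the trade-off in this comment (example code, not from the thread or from any product mentioned in it): a default-deny allowlist keyed on file content hashes beside the prompt-the-user model from the parent post. The file names and contents are constructed for the demo; the point is that the allowlist decision does not depend on the file's name or on whoever answers the dialog.

```python
"""Executable allowlist (default deny) vs. prompt-the-user.

Added example, not from the Slashdot thread or any product it discusses.
All binaries here are constructed stand-ins written to a temp directory.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Set, Tuple


def sha256_of_file(path: str) -> str:
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths: Iterable[str]) -> Set[str]:
    """Hashes of binaries an administrator approved at deployment time."""
    return {sha256_of_file(p) for p in approved_paths}


def allowlist_policy(path: str, allowed: Set[str],
                     deny_log: List[Tuple[str, str]]) -> bool:
    """Default deny: run only if the content hash is approved.

    The file name plays no part, so a binary renamed to look like an
    approved one is still refused. Denials are recorded with their hash,
    which is the signal a defender wants to review later.
    """
    digest = sha256_of_file(path)
    if digest in allowed:
        return True
    deny_log.append((os.path.basename(path), digest))
    return False


def prompt_policy(path: str, ask_user: Callable[[str], bool]) -> bool:
    """The model the parent post describes: delegate the decision to
    whoever is at the keyboard. The outcome is whatever ask_user returns."""
    return ask_user(f"Shall I allow {os.path.basename(path)} to run?")


def demo() -> Dict[str, object]:
    """Run both policies against an approved binary and a same-named
    impostor; returns the decisions plus the allowlist's denial log."""
    with tempfile.TemporaryDirectory() as d:
        approved_dir = os.path.join(d, "approved")
        downloads_dir = os.path.join(d, "downloads")
        os.makedirs(approved_dir)
        os.makedirs(downloads_dir)

        # Constructed stand-in for an approved binary.
        word = os.path.join(approved_dir, "word.exe")
        with open(word, "wb") as f:
            f.write(b"MZ constructed approved binary")

        # Constructed impostor: same file name, different content.
        lookalike = os.path.join(downloads_dir, "word.exe")
        with open(lookalike, "wb") as f:
            f.write(b"MZ constructed unapproved binary")

        allowed = build_allowlist([word])
        deny_log: List[Tuple[str, str]] = []

        # The user from the thread: "no clue what that is, so let it run".
        def click_ok(_prompt: str) -> bool:
            return True

        return {
            "allowlist_approved": allowlist_policy(word, allowed, deny_log),
            "allowlist_lookalike": allowlist_policy(lookalike, allowed, deny_log),
            "prompt_lookalike": prompt_policy(lookalike, click_ok),
            "denied": deny_log,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denial log is the part worth keeping in practice: a name-plus-hash record of what was refused is reviewable after the fact, whereas a dialog the user clicked through leaves nothing behind. The maintenance cost the comment points at is real, though: every legitimate update changes the hash and has to be re-approved, which is why this model fits a managed fleet better than a home machine.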

BONGS (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21260225)

BONGS BONGS BONGS I LUV BONGS

I've been meaning to ask (-1, Offtopic)

THernandez (1181457) | more than 6 years ago | (#21261619)

I've submitted a few questions to Ask Slashdot to see what other /.ers use for CRM and helpdesk management, but my submissions have been rejected.

I work for a growing IT company (just passed 30 employees) and we're looking for a web-based system to handle not only our sales but also our helpdesk and order processing systems if possible. So far we've been looking at OneOrZero [oneorzero.com] (open source) and the Allbase Suite [allbase.com] (commercial).

Does anybody have any recommendations?

GoldMine (-1, Offtopic)

Chas (5144) | more than 6 years ago | (#21262853)

I'm biased though. I'm a lead tech at a GoldMine VAR. So don't just take my word for it. Please do your own research

For simple rolodex, it's mass overkill. But if you're looking to REALLY automate your sales force, it's the shit.

There's the main Goldmine [goldmine.com] (Corporate Edition [goldmine.com] or Premium Edition [goldmine.com] ) app for people in the office or for remote guys syncing through low-speed connections.

You have:

  • e-mail functionality
  • SMS integration
  • calendaring
  • fairly sophisticated report generation (plus you have the options of Crystal Reports (which comes free with CE and PE) and SQL Server Reporting)
  • Human-readable filtering, grouping, SQL queries, DBase-style queries
  • fairly elaborate import and export functionality
  • leads management, document management, knowledge management, project management
  • automated processes
  • Call scripting

And more. There's tons of functionality, of which I've only scratched the surface. And NOBODY uses it all.

Moreover, it's designed to be a networked/shared environment BY DESIGN. Not hacked in like so many other options out there.

For people with higher speed connections, there's virtual desktop/web-client functionality through the iGoldMine [frontrange.com] product (based on GraphOn [graphon.com] ). So you can publish not only GoldMine, but other apps (Office, etc).

For mobile users (handheld/phones/etc), there's things like W-Systems' W-Mobile [http://www.w-systems.com/www/web/products_wMobile.asp] offering. Presents a nice clean interface for the data, and the upcoming version will actually allow full e-mail functionality.

For just being able to dump a list of appointments to a mobile device, there's options for syncing with Palm devices, Windows mobile devices. And for more elaborate integration of data, there's a product called CompanionLink [companionlink.com] that'll add options like Crackberry, etc.

With Premium Edition, there's even full-blown SIP/TAPI integration (CE has rudimentary SIP functionality, though the TAPI link is the same).

And until you start getting into the hundreds of employees, even a modestly powerful server (think low-end desktop but packed with 2-3GB of RAM) is overkill.

If you're looking for real, full-blown helpdesk, you're probably looking at another FrontRange (the guys who make GoldMine) product. HEAT [heatitsm.com] .

We don't deal a whole lot with HEAT. The sales cycles on it are really long, and while we DO know how to install it, some of the other FRS VARs are much better with it than we are. Basically HEAT is THE solution if you're looking for the real-deal solution though. And yes, there's integration between the HEAT and GoldMine products.

There's actually a third GoldMine product. GoldMine Enterprise Edition. [goldmine.com] It is, however, a VERY highly specialized product. Essentially its setup is something similar to PeopleSoft, etc. Out of the box, it doesn't really do anything, and it takes time (and some expensive labor) to build the interface specifically to meet a given company's needs. Unless you have tons of money to burn and highly specialized needs, this solution is HUGE overkill and even FrontRange themselves will warn you that your needs could be met more economically with other products.

We actually use GoldMine itself as a poor-man's helpdesk. Our phone system logs the calls. We just fill out billable history items once we're done. When we get ready to do billing, we just run a filter for new, unbilled work, and build the invoices.

Oh, and licensing for GoldMine and iGoldMine are concurrent licensing schemes. You buy a "pool" of seats. As they're used, they get taken up. Once the user logs off, the seat is thrown back into the available pool.

W-Mobile is actually closer to named-seat-style. You have a pool of licenses, but you have to actually assign those licenses to given users. Now, you CAN reassign those licenses, but it's entirely on a manual basis.

Note: Hosting these apps yourself, instead of trusting it to Salesforce.com will NOT mean you're protected against phishing attacks. It just cuts out a possible point of failure.

Also, have you actually READ Salesforce.com's Master Subscription Agreement [salesforce.com] ? You essentially turn over control and ownership of your data to them. And they assume no liability for losing your data, getting hacked, stealing your data themselves and selling it off, etc.

Oh, and if you have a gangbuster month and even slightly exceed an account quota (by so much as a single e-mail), you get bumped to their next most expensive service tier. With no way to downgrade. But who needs to control costs!

If you leave them, and move to something else, they're under no obligation to give you back your data in a usable or easily convertible format. Hope you enjoy that set of Excel tables in No Particular Order!

Also, there's the main problem of ANY hosted service. If the service goes down, what do your sales guys do? At least with a localized app on the internal network, your salesforce can continue to work, even through an "idiot with a backhoe" incident taking out the office net connection. And remote users with syncing laptops can continue working, even if they can't immediately get timely updates from the office. Salesforce.com has exactly one-step degradation of service in a similar situation: Operational -> Nonoperational.

Again, I'm biased. I work with this stuff every day. So do your own research and don't trust a damn thing I said until you've verified it for yourself.

Re:GoldMine (0)

Anonymous Coward | more than 6 years ago | (#21263907)

Out of the box, it doesn't really do anything, and it takes time (and some expensive labor) to build the interface specifically to meet a given company's needs. Unless you have tons of money to burn and highly specialized needs, this solution is HUGE overkill

Interesting insight. Have you taken a look at nexj [nexjsystems.com] ? I'd be interested to hear what others have found out...don't see any reviews out there yet.

Re:GoldMine (2)

IHC Navistar (967161) | more than 6 years ago | (#21264477)

Take your crappy sales pitch somewhere else. It's not wanted here.

Re:GoldMine (1)

Chas (5144) | more than 6 years ago | (#21266913)

"It's not wanted here."

Since the person was asking about CRM solutions (even if the original question was off-topic), evidently it was.

And if that qualifies as a sales pitch, something is wrong.

I'm a technician, not a sales guy. I, personally, don't give a shit WHAT he winds up with.

So take your crappy attitude somewhere else. It's not wanted here.

Re:GoldMine (0)

Anonymous Coward | more than 6 years ago | (#21266051)

Goldmine is a relic from the past. Not even their latest version saves it from looking like a modern application with last decade's technology under the hood. My company forces it upon everyone here and they hate it with a passion. It's unreliable, unintuitive, has tons of quirks (doesn't operate across multiple timezones? our Scandinavian sister company has to arrange appointments 1 hour behind their actual time as the main server is in the UK) and worst of all is the cost. Last time I looked we are shelling out over £400 a license for this floating turd of a package. It needs to die, it needs to die now and nobody ever speak its name again.

Re:GoldMine (1)

Chas (5144) | more than 6 years ago | (#21267307)

"Goldmine is a relic from the past."

Ah. Starting with an attack, instead of delineating real problems. Good form!

"Not even their latest version saves it from looking like a modern application with last decades technology under the hood."

What is the "latest version" you're on?

"My company forces its upon everyone here and they hate it with a passion."

Great. Bandwagoning.

If you're an Outlook-head, I can see why you might not like it. The fact is, it's much easier to network and maintain than Outlook is. It's also more flexible.

"Its unreliable"

Really? Sounds like you're on an old DBase version on a shaky network. GoldMine malfunctioning tends to be an indicator that there are other, underlying problems on the network. If you're getting GoldMine specific errors, likely you have configuration issues.

A stupid VAR is not GoldMine's fault.

"unintuitive"

Which means you're so caught up in "OMGWTFBBQ it's not Outlook!" that you won't bother to actually learn the interface, like you would with any other application out there.

"has tons of quirks (doesn't operate across multiple timezones? our scandinavian sister company has to arrange appointments 1 hour behind their actual time as the main server is in the uk)"

This definitely points to configuration issues.

And one problem hardly qualifies as "tons".

"Last time I looked we are shelling out over £400 a license for this floating turd of a package."

That's about right. About £88 is the software maintenance. This provides essentially unlimited free support from FrontRange, as well as access to ALL updates of the product for a year.

"It needs to die, it needs to die now and nobody ever speak its name again."

Question, oh brave one posting as AC. Are you a sales guy? Or a tech?

SugarCRM (0, Offtopic)

MrKaos (858439) | more than 6 years ago | (#21263479)

I recently did a comparison between Salesforce and SugarCRM [sugarcrm.com] and found Sugar was surprisingly good in comparison to SF. Plus you have the option of hosting the application in house, thus avoiding a 3rd party handling your company data, or being on the list of third parties that could be subject to these sorts of scams.

Re:SugarCRM (1)

MrKaos (858439) | more than 6 years ago | (#21319317)

How is this OT if I am pointing out an open source alternative to SF (i.e. this is not an advertisement) that bypasses the possibility of phishing for data?

Moderation without investigation is frustration - maybe some Salesforce people are scared that people will spread the word that there is a free alternative to their product that doesn't own your business data or charge you for the privilege of accessing it.

Did I say surprisingly good in comparison? Let me rephrase that...

SugarCRM KICKS SALESFORCE ASS

Maybe that will show up on Google's next robot of Slashdot. Of course I may just think that paying for someone else to own your data and allow it to be accessed by fraudsters, lose it in database backup failures, charge you an unexpected extra fee for exceeding your storage capacity or charge you extra for doing additional marketing on your client base is dumb, but that's just me.

It's just that I think Open Source makes Software As A Service (or SAAS if you like trendy little acronyms that mean nothing) redundant or Owned with a capital P, especially when SugarCRM does 80% or more of what SF does for no charge. So let me reiterate, if you are considering a SF purchase...

SugarCRM KICKS SALESFORCE ASS

Disclaimer: I am in no way associated with SugarCRM in any way!

Re:SugarCRM (1)

MrKaos (858439) | more than 6 years ago | (#21319369)

And just to prove that freedom of speech is more important than Salesforce shills let me just say again ....

SugarCRM KICKS SALESFORCE ASS

because it will be interesting if I get modded down again, just for saying...

SugarCRM KICKS SALESFORCE ASS

But I can always just continue to re-post the same comment.

Disclaimer: I am in no way associated with SugarCRM in any way!

This is incredible (3, Informative)

MagicBox (576175) | more than 6 years ago | (#21268287)

Yes, we were a victim. SalesForce has been extremely, I mean extremely unprofessional and tight-lipped about this incident. In an emergency meeting we had with them, they did claim that the data breach had originally happened in March of this year, yet we were never notified about it so we could put procedures in place and educate our users. We only knew when one of our users "logged in" to the phishing site. Unfortunately the crooks got to the data before we could change the password (within 5 minutes), but we were lucky that nothing "confidential" was downloaded. Regardless, when we called Salesforce, initially they told us that they cannot even share more info other than telling us to change our passwords. Then more emails started coming posing as bank sites etc. We had to go to some incredible lengths to engage the SalesForce people to admit fault and advise on how to proceed in protecting the people. Still, they were less than helpful or they seemed incompetent to do so.

Bottom line is, how can you keep such breach a secret for 7 months without telling your clients at the very least? I have yet to receive an email from them about this. No correspondence has happened between them and us.

Oh, and the SalesForce "security" person was saying that law enforcement has found where the phisher is located and that "if they have not apprehended him already, they will soon do so".... Whatever. BS.

Salesfarce (0)

Anonymous Coward | more than 6 years ago | (#21268821)

Salesforce.com has always been extremely good at keeping their customers out of the loop on internal problems. They scraped through a major datacenter and database meltdown a few years ago, denying any major problems while bleeding customers through the event. They tout the security of customers' customer data, stating that it cannot be accessed by the masses - another claim now brought into question by this event. Aggressive account manager shuffling keeps customers from finding anyone accountable for more than a few weeks while product features and releases continue to slip.

This seems to have turned into an anti-Salesforce rant. Not the intent, but easy to do with these jokers.