Salesforce.com is warning its customers about a phishing scam that targets them with bogus invoices and attached malware.
In an email sent Monday, the San Francisco-based on-demand CRM provider said a Salesforce.com employee had been tricked into disclosing a password, which allowed a customer contact list to be copied.
"To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database," Salesforce.com said in the email and in a statement posted on its trust.com website. "Information in the contact list included first and last names, company names, email addresses, telephone numbers of Salesforce.com customers, and related administrative data belonging to Salesforce.com."
Salesforce.com declined further comment.
According to the statement, a small number of Salesforce.com customers' end users also revealed their passwords as a result of the attack, and Salesforce.com is working with them and law enforcement to trace what occurred and prevent further attacks.
Salesforce.com was prompted to warn customers after another attack.
"However, a few days ago a new wave of phishing attempts that included attached malware -- software that secretly installs viruses or key loggers -- appeared and seemed to be targeted at a broader group of customers," the statement read. "That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness."
According to The Washington Post's Security Fix blog, the stolen data has been used in a "series of highly targeted phishing scams." A SunTrust executive alleged that scammers got their SunTrust customer list from Salesforce.com.
"This is something that was going to happen to a Software as a Service provider at some point," said Rob Bois, analyst with Boston-based AMR Research. "This isn't unique to one company, or Software as a Service for that matter."
The problem wasn't a software or firewall-related issue, but a process problem, said Sheryl Kingstone, program manager for customer-centric strategies at the Boston-based Yankee Group.
"Sometimes, when you're a large, public company, you're going to be the target of these," Kingstone said. "The sad news is a lot of companies aren't prepared for it."
The more successful Salesforce.com became, the more likely it was to become a target of phishers, Bois said.
"This is something that Microsoft has had to deal with all along, being the big dog out there," he said. "They're going to go after whoever the big, prominent vendor in the market is. Salesforce.com has become the Microsoft of Software as a Service."
Salesforce.com phishing tips
In its statement, Salesforce.com said it is actively analyzing and monitoring its logs to alert customers who have been affected, executing "takedown" strategies on fraudulent sites, reinforcing its security education and tightening access policies at the company.
It recommends that customers configure login IP range restrictions so that users can access Salesforce.com only from the corporate network or VPN; educate employees not to open suspect emails; and be vigilant against phishing attempts. The company says it's important to deploy spam filtering and malware protection, designate a security contact within the organization for Salesforce.com to communicate with, and consider using two-factor authentication techniques.
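The IP range restriction is the recommendation most directly aimed at the incident described above: a phished password is only useful to an attacker who can log in from wherever the attacker happens to be. The following is an added illustration of that control and is not Salesforce.com's code or configuration; the address ranges, user names and login records are all constructed for the example, and the policy logic is a generic model of how such a check works rather than a description of the Salesforce.com feature itself.

```python
"""Model of a login IP range restriction and of the audit a defender runs over it.

Constructed example, not Salesforce.com's implementation. The point it shows:
a correct password from an address outside the approved ranges is denied, and
such attempts are exactly the ones worth alerting on, because the password
may already have been phished.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical corporate egress ranges. These are RFC 5737 documentation
# addresses, chosen so the example never points at a real network.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office NAT pool (assumption)
    ipaddress.ip_network("198.51.100.0/26"),  # VPN concentrator egress (assumption)
]


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    password_ok: bool  # result of the credential check, already performed


def within_allowed_ranges(ip_str, allowed=ALLOWED_RANGES):
    """True if ip_str falls inside any approved network.

    Unparseable addresses are treated as outside the range (fail closed).
    A v6 address never matches a v4 network and vice versa.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def evaluate(attempt, allowed=ALLOWED_RANGES):
    """Decide a login. A valid password alone is not sufficient."""
    if not attempt.password_ok:
        return ("deny", "bad password")
    if not within_allowed_ranges(attempt.source_ip, allowed):
        return ("deny", "source outside login IP range")
    return ("allow", "ok")


def audit(attempts, allowed=ALLOWED_RANGES):
    """Return attempts that passed the password check but were stopped by the
    IP policy. These indicate a credential that is probably already stolen and
    should go to the organization's designated security contact."""
    return [a for a in attempts
            if a.password_ok and not within_allowed_ranges(a.source_ip, allowed)]


# Constructed login records. The third one models the phished password being
# replayed from an attacker-controlled address on an unknown network.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice@example.com", "203.0.113.45", True),
    LoginAttempt("bob@example.com", "198.51.100.7", True),
    LoginAttempt("alice@example.com", "192.0.2.10", True),
    LoginAttempt("carol@example.com", "203.0.113.9", False),
    LoginAttempt("dave@example.com", "not-an-ip", True),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        decision, reason = evaluate(a)
        print(f"{a.user:20} {a.source_ip:15} {decision:5} {reason}")
    for a in audit(SAMPLE_ATTEMPTS):
        print("ALERT: valid password presented from outside allowed ranges:",
              a.user, a.source_ip)
```

Running the script as written denies the replayed password from 192.0.2.10 and lists it in the audit output, while the ordinary logins from the office and VPN ranges are allowed. The audit view is the part a security contact would actually act on: it separates a phished-but-blocked credential, which needs a password reset, from routine failed logins.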
Salesforce.com will also be hosting an educational Webinar on Thursday.