Monday, October 6, 2008

Phishing 101: Know Thy Enemy

In my work, I have the opportunity to speak with a good number of Salesforce.com Administrators. I’m often surprised at how many of these folks don’t come from IT or computer-related backgrounds. They displayed an aptitude and willingness to embrace the new technology, so their senior managers put them in charge of system administration. Many Salesforce.com Users (and quite a fair number of administrators) don’t understand the malicious phishing methods that are out there today. So that’s the topic of this article, phishing: what it is and how it works. Tomorrow, we’ll talk about ways you can protect your users (and your sensitive company data) from phishing attempts.

What is Phishing? Phishing is the process by which scam artists try to acquire usernames, passwords, and other sensitive data by masquerading as a trustworthy source in an electronic communication. Phishing attempts generally start as an email or instant message that asks the user to download an attachment. The attachment is malware, very often a keylogger, which captures every username / password combination that the user types into their computer. The malware packages up all these username / password entries and sends them back to the scammer, without the victim being aware that anything has happened.

Another popular method creates an email that looks authentic but contains links which send the reader to a fake website (for example, a website that looks like a Salesforce.com login screen). The unsuspecting user logs in, gets an error message that their password was incorrect, and is asked to try their password again. Meanwhile, behind the web page, their username / password entries have been recorded, and the application has redirected their browser to the real Salesforce.com page. The subsequent login attempt works, and the user isn’t aware that they’ve just handed their login information to a phishing scam.

It’s Easy. It sounds complex, but it is incredibly easy to start a malicious phishing campaign, particularly the latter method, which sends an unsuspecting user to a fake website. It takes a minimal amount of HTML experience to mirror the look and feel of a website login page. Want to see how easy? Navigate to the standard Salesforce.com login screen: https://login.salesforce.com. Right-click your mouse, and then click “View Source” or “View Page Source” (depending on your browser’s menu options). You’re now looking at the source code for the page loaded in your browser. Copy and save that HTML to a local directory on your hard drive, and give the file a “.html” extension. Now open that HTML page by double-clicking on it.

It’s not pretty, but finishing it off is very simple: just download a few images from the login page, do a little TABLE and FONT formatting in the HTML page, and find a website to host it on. Poof! You’ve got your own Salesforce.com login screen. It took me 15 minutes to make this identical mock-up of a Salesforce.com login screen ... would your users know the difference between this fake version and the real thing? The only visible difference between the fake website and the real website is the URL, but how many of your users pay attention to that?

Next, the scammer modifies the HTML code so that any entries in the username / password fields are saved to a local database, then redirects the user to the real SFDC login screen, and the scam is almost ready for business. All that remains is to write an email that prompts users to log in to Salesforce.com and look at something (a custom report, a dashboard, or anything else) by including a link to that object; only the link provided will take the viewer to the fake website.
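Since the only visible difference between the fake page and the real one is the URL, one check an administrator can automate is to scan the links in an incoming email and flag any whose actual target is not a Salesforce.com host, especially when the link text claims otherwise. The script below is an added example written for this article, not code from the original post or from Salesforce.com; the trusted-host rule and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts under salesforce.com are the only legitimate login targets.
TRUSTED_SUFFIX = "salesforce.com"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host):
    """True only for salesforce.com itself or a real subdomain of it.
    A suffix match on '.salesforce.com' rejects lookalikes such as
    login.salesforce.com.example.net, whose suffix is example.net."""
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def classify_link(href, text):
    """Return a list of reasons a link looks like a phishing lure (empty if clean)."""
    host = (urlparse(href).hostname or "").lower()
    if is_trusted_host(host):
        return []
    reasons = ["target host is not a salesforce.com host"]
    # The brand name appears in the hostname, but the registrable domain is someone else's.
    if "salesforce" in host:
        reasons.append("brand name used in a lookalike host")
    # The displayed text names the real domain while the href goes elsewhere.
    if TRUSTED_SUFFIX in text.lower():
        reasons.append("link text names salesforce.com but target differs")
    return reasons


def suspicious_links(html):
    """Parse an email body and return (href, text, reasons) for each flagged link."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample email: one genuine link and two lures using reserved example domains.
SAMPLE_EMAIL = """
<p>Please review the Q3 pipeline dashboard before the 2pm meeting.</p>
<p><a href="https://login.salesforce.com/">https://login.salesforce.com/</a></p>
<p><a href="https://login.salesforce.com.example.net/sfdc/">https://login.salesforce.com</a></p>
<p><a href="http://sfdc-reports.example/login.html">View Dashboard</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {', '.join(reasons)}")
```

The suffix check matters more than it looks: a naive `"salesforce.com" in host` test would pass the second link, because the phisher simply placed the real domain at the front of a hostname they control. Run against the sample, the script flags the two lure links and leaves the genuine login URL alone.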

Known Phishing Attacks on SFDC Users. Think this type of stuff only happens in the movies? Think again. Salesforce.com publishes a list of known phishing attacks that have been targeted at their customers here: http://trust.salesforce.com/trust/security/.

Phishing scams are on the rise. I’ve intercepted an average of 3 phishing scams per employee this year. Many employees caught on to the fact that these were scam emails (when will the phishers learn to use proper English?), but some employees went ahead and downloaded and/or installed the attached malware, or clicked through to fake websites that asked for their private information.

As administrators, we need to be vigilant about the security of our company data. Tomorrow, we'll look at methods you can use to safeguard your data and your users.
