5. When spear phishers strike

Posted on 17 Jun 2008 at 10:38

Gaffe rating: 311

Web 2.0 and Software as a Service (SaaS) have become the biggest buzzwords of the past couple of years, attracting attention from the media and the malicious alike. Indeed, the internet underworld is realising it's just too sweet a honeypot to ignore, as CRM vendor Salesforce.com discovered last year.

The company was snared by a classic spear phishing technique, where a highly targeted social engineering exploit is unleashed upon a single employee to gain further access to more profitable accounts. In the case of Salesforce.com, the profitable account was one that enabled the hacker to access and copy a customer contact database including first and last names, company names, email addresses and telephone numbers of Salesforce.com customers. It was all the ammunition required to launch a further phishing spree on those customers, this time with the added bonus of having all that personal data to add authority to the scam.

Remember that not all phishers are Nigerian princes with an urge to share their bounty with the residents of Croydon. Always question why someone who has your account information should be asking out of the blue for you to repeat, add or update it. Spear phishing exploits make it harder than ever to spot the bad guy, because they will have invested time and money in making you believe. Bottom line: follow company security policy and don't reveal login information to anyone outside of its remit.

Next: 4. Most wanted: FBI distributes worm

The 10 worst security gaffes

Author: Davey Winder