Security Alerts

You are a valued salesforce.com customer, and the security of your Salesforce data is our number-one priority. As online scams proliferate on the Internet, we want to remind our users to be vigilant in protecting their Salesforce user names and passwords.

If you have any concerns or doubts about an email that appears to be from salesforce.com, please forward the email to us at security@salesforce.com.

Quick Links:

Security Alert: New Malware Threat
Beware of Fraudulent Emails (Phishing)
Salesforce Login Page
Protect Your Password 
 

01/07 Security Alert: New Malware Threat

Several customers have reported receiving a bogus "Identity Confirmation" email that tells them to install an attached file. This is a new malware (malicious software) attack. Here is a sample of the email:


New Security Feature: Identity Confirmation

To further protect our customers from security threats stemming from phishing attempts, salesforce.com will be implementing "Identity Confirmation." This set of security features is triggered when users attempt to login to Salesforce from a different computer and from an unrecognized location for the first time. Please download and install the security update attached to this email.


These attachments have various names including "form.zip" and "UpdateIElink.zip". We are currently analyzing these attachments, but customers should assume that this malware will compromise their PC with a keylogger that will collect passwords to online systems, including banks, credit agencies, and Salesforce.

This email is an attempt to mimic the notice that the Salesforce system sends automatically when the Identity Confirmation feature is triggered by a user logging in from a changed location or PC. The email tells the user to install the attached file.

NOTE: the Salesforce Identity Confirmation feature ALWAYS sends a link that leads to a secure salesforce.com domain, for example, https://na5.salesforce.com/_nc_external/system/security/ChallengeValidate... The Identity Confirmation token is never sent as an attachment.

The salesforce.com service will NEVER email you a file attachment with instructions to "download and install." Any email of this nature should be considered malicious.

Users must not open this attachment; they should delete the email and the attachment immediately.

If a user has installed this attachment on their system, that system should be disconnected from the network immediately. (It may take up to 72 hours for the major anti-virus vendors to update their signatures to remove this malware.) Compromised users should change passwords for all computing systems to which they have access, including Salesforce, banking, credit, email, and company systems.

 

 

11/09 Security Alert: New Malware Threat

We need to call your attention to a new malware threat that we have detected. This threat is in addition to the ones we described in a previous communication.

How the malware causes damage
When the email recipient opens the link or attachment, a malicious code kit is installed on the recipient's machine. The code kit sets up an Apache web server on the target's IP address. That Apache server can then use the email recipient's credentials to run reports designed to harvest more contact information and send it back to the phisher.

Identifying the threat
The emails always contain the recipient's correct first, last, and company names. The subject lines that they appear under include:
  • New security measures added for <name>
  • Tax Avoidance Scheme Complaint <name>
The senders include, but are not limited to:
Actions we are taking
Salesforce employees have received these emails, so we are taking a number of internal steps, including:
  • Reinforcing the key security message: never open attachments or links from anyone you do not know.
  • Removing admin privileges from all PCs.
  • Restricting software installation procedures so that IT has to authorize the addition of any new program.
  • Considering the quarantine of all attachments and links coming in to our email system.
 
Our Recommendations to you
We recommend that you:
  • Immediately warn end users about this threat.
  • Work with anti-virus and security vendors to make sure your infrastructure is up to date.
  • Restrict software installation privileges and admin access to PCs.
  • Review and restrict access to Salesforce data in your profiles.
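A mail-triage check built from the indicators in the 01/07 and 11/09 alerts above (the rule that Identity Confirmation links always lead to a secure salesforce.com domain, the named attachment files, and the quoted subject lines), added here as an example; it is not part of the original page, and the function names and the constructed sample message are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the alerts on this page.
KNOWN_SUBJECTS = (
    re.compile(r"^New security measures added for \S", re.I),
    re.compile(r"^Tax Avoidance Scheme Complaint \S", re.I),
)
KNOWN_ATTACHMENTS = {"form.zip", "updateielink.zip"}
LEGIT_DOMAIN = "salesforce.com"


def is_salesforce_link(url):
    """True only for an https link whose host is salesforce.com or a subdomain of it.

    urlsplit().hostname discards any user@ prefix and port, so
    https://na5.salesforce.com@evil.example/ resolves to evil.example and is
    rejected, as is the look-alike host salesforce.com.evil.example.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https" or not host:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def triage(subject, attachments, links):
    """Return the reasons an email claiming to come from salesforce.com looks malicious.

    attachments: file names on the message; links: URLs found in its body.
    An empty list means no indicator fired.
    """
    findings = []
    if any(p.search(subject) for p in KNOWN_SUBJECTS):
        findings.append("subject matches a campaign named in the 11/09 alert")
    for name in attachments:
        if name.lower() in KNOWN_ATTACHMENTS:
            findings.append("attachment %s is named in the 01/07 alert" % name)
        else:
            # salesforce.com never sends a file attachment to download and install
            findings.append("unexpected attachment %s" % name)
    for url in links:
        if not is_salesforce_link(url):
            findings.append("link does not lead to a secure salesforce.com domain: %s" % url)
    return findings


# Constructed sample (not a real message) that mimics the bogus Identity Confirmation email.
SAMPLE = triage(
    "New security measures added for Jane Doe",
    ["form.zip"],
    ["https://na5.salesforce.com/_nc_external/system/security/ChallengeValidate",
     "https://na5.salesforce.com@evil.example/update"],
)
```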
 

 

11/06 Security Alert: DO NOT OPEN "We want to make a order with…" email.

Salesforce users are among those being targeted by a new malicious "We want to make a order with…" email. Please notify your security team immediately.


We have received reports from customers of a malicious email. This was a bogus email sent from multiple email addresses with a subject line that begins "We want to make a order with…". This email should not be opened, and any users who have inadvertently opened it should stop using their machines until your security department can evaluate them further.


Report any suspicious emails to security@salesforce.com.

Phishing and malware are on the rise, but every customer can take a few critical steps to help fend off threats. Salesforce.com offers many technologies for improving your security. Salesforce.com strongly recommends your security team contact us for a security review. To schedule this review, please send an email to security@salesforce.com.

Thanks,

Security Team at Salesforce.com

 

10/29 Security Alert: DO NOT OPEN "FTC" email.

Salesforce users are among those being targeted by a new malicious "Federal Trade Commission" email. Please notify your security team immediately.

Today, many of our customers received a malicious email that was circulated broadly on the internet. This was a bogus email from the "FTC's Fraud Department", with attached malware that installs itself on the user's PC and logs keystrokes in an attempt to capture passwords or gain account access. This email should not be opened, and any users who have inadvertently opened it should stop using their machines until your security department can evaluate them further.

Here is a direct link to the FTC site with further information and updates: http://www.ftc.gov/opa/2007/10/bogus.shtm

Report any suspicious emails to security@salesforce.com.

Phishing and malware are on the rise, but every customer can take a few critical steps to help fend off threats. Salesforce.com offers many technologies for improving your security. After you address the "FTC" email issue, salesforce.com strongly recommends your security team contact us for a security review. To schedule this review, please send an email to security@salesforce.com.

Thanks,

Security Team at Salesforce.com

 

Beware of Fraudulent Emails (Phishing)


Email fraud is an increasingly common danger for unsuspecting online consumers and business users today.


One of the most popular scams is the growing practice of "phishing." With phishing, the perpetrator uses email to lure you to fake Web sites (designed to look legitimate), where you're asked to disclose confidential personal information, like your Salesforce user name and password.

Phishing scams are becoming more sophisticated and sometimes even include a phone component. In this latest twist, criminals include a telephone number in their emails rather than a Web site address. When a victim calls the number, a person or an automated system asks for personal and/or account information.


Salesforce.com will never contact you by email or phone asking you to reveal your user name and password.

If you receive a suspicious email or phone call asking for this or other sensitive information about your account, contact us at security@salesforce.com.


You can protect yourself against phishing attacks by learning to identify suspicious emails.

Be suspicious of emails that use urgent requests or scare tactics to entice you to respond. Contact us at security@salesforce.com if you doubt the authenticity of an email that appears to come from salesforce.com.

  • Be wary even if the email or site uses some of salesforce.com's images and logos. Many fraudulent sites use copyrighted images taken from the Web.
  • Never enter confidential information into forms embedded within email messages.
  • Do not respond to email requests for passwords, credit card numbers, or other sensitive data. Salesforce.com and other legitimate companies never request private data via email (or phone).
  • Never open attachments sent to you by someone you don't know.

 

Salesforce Login Page


Spoofing is the practice of setting up a Web site that imitates a legitimate site for the specific purpose of deceiving people into providing confidential information. These sites are typically reached through a link embedded in an email and often request user IDs and passwords. You can avoid becoming a victim of online fraud by always logging in to Salesforce through our secure site.

  • Be suspicious of emails that include links to the Salesforce log-in page.
  • If you are not sure that the page you clicked to is the legitimate Salesforce log-in page, launch a new browser and get to the page by either typing:
  • Log in to your Force.com Sandbox environment only at the following secure site: https://test.salesforce.com/login.jsp
  • Log in to the Winter '08 Pre Release environment only at the following secure site: https://prerelwww.pre.salesforce.com/login.jsp
  • Look for the "lock" icon in the bottom-right corner of your browser to ensure you have a secure connection to our site.

 

Protect Your Password


If using a public computer or terminal, always log out when you complete an online session. Keep your passwords private. Remember, anyone who knows your password may access your Salesforce account.
  • Avoid using the same password for multiple online accounts.
  • Never share your password with anyone ever.
  • Never reply to an email requesting your user name, password, or other sensitive information.
  • Use a unique password for each online account.
  • Use a strong password of at least eight characters that would be difficult to guess, even for someone who knows you well.
  • Use a combination of uppercase and lowercase letters, numbers, and symbols, and avoid using words from the dictionary.
  • Change your password frequently.