Threats

Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls attempting to gather information that can be used to gain unauthorized access or privileged knowledge.

About Wireless Connection Sniffing and Hijacking

Salesforce provides SSL 3.0/TLS 1.0 encryption (https) for login and communications between the Salesforce application and the end user's web browser. This means that even when you login to Salesforce over an unsecured wireless network, your login credentials and business data are protected from hijacking by such tools as Firesheep.

Along with encrypted connections, Salesforce offers a suite of security features that our customers can configure to their needs, see: Salesforce Best Practices - http://www.trust.salesforce.com/trust/security/best_practices/

We also offer a free AppExchange tool that reviews and recommends improvements to your Salesforce security settings: Security Health Check - http://sites.force.com/appexchange/listingDetail?listingId=a0N300000018mjUEAQ


Phishing and Malware

Don't become a victim of "phishing," in which Internet criminals set up a Web site that mimics a legitimate site, such as the salesforce.com login page. By following the tips below, you can avoid becoming a victim of such a scam:

  • Always look for the "lock" icon in the bottom-right corner of your browser (see images below).
  • Be suspicious of emails that include links to the salesforce.com login page. Don't click on such links—instead, always log in to salesforce.com in one of two ways:
    1. (1) Enter "https:///www.salesforce.com/login.jsp" in the address field
    2. (2) Click the Customer Login tab from the salesforce.com home page (www.salesforce.com)
  • Log in to your Force.com sandbox environment only at the following secure site: https://test.salesforce.com/login.jsp.
trust.salesforce.com


Spot suspicious emails

Phishing emails try to trick you into revealing information, often by asking you to "verify" or "update" information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate.

One clue is that such messages often contain poor spelling and grammar. However, as scam artists become more sophisticated, their approaches are becoming more varied and their messages are they claim to come from.

The example below shows some common phishing tactics, but expect anything - as users catch on to one approach, Internet criminals come up with new ones.

trust.salesforce.com
trust.salesforce.com "Dear Salesforce user ..." Be suspicious of any emails that don't address you by name and contain no other specific information. Such messages are often sent out in bulk, without any unique identifying information.
trust.salesforce.com "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please confirm your identity ..." Some emails claim you need to respond because your account's security has been compromised.
trust.salesforce.com "Verify your account ..." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
trust.salesforce.com "If you don't respond within 48 hours, your account will be closed ..." or "Get your refund now..." One tactic is to convey a sense of urgency, to make people respond quickly without thinking.


Remember, legitimate businesses will not ask you for sensitive information via email. If you receive such emails, do not respond or click any links the email contains. Forward the mail to security@salesforce.com and then delete it.

Look out for suspicious links and attachments

Malicious software attacks also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—such as programs that capture keystrokes—on your computer. As users have become wary of attachments with .exe or unknown extensions, Internet criminals are now using attachments with seemingly innocuous .doc or .pdf extensions. And most users still readily click on links.


trust.salesforce.com Beware of unusual links.
trust.salesforce.com Watch out for links that contain URLs that look similar to real ones; for example "www.salsforce.com" or "verify-salesforce.com".
trust.salesforce.com Even if a link looks OK, make sure by entering the company's URL in the in the address bar yourself. Phishers can make links look like they go to one place while taking you to another site.


trust.salesforce.com


Report Suspicious Email

If you receive a suspicious email that involves the salesforce.com brand, submit a report: https://trust.salesforce.com/trust/security/reportsecurityissue/

Suspicious phone calls

Several customers have reported receiving phone calls from persons who misrepresent themselves as employees or agents of salesforce.com. Some of these callers are attempting to steal your salesforce.com credentials - an illegal practice known as "social engineering".

Here's how it typically works:

  • A caller identifies companies that use salesforce.com by searching public job postings, etc.
  • The caller contacts the customer's main switchboard and asks for the person responsible for salesforce.com or the salesforce.com administrator. The caller may claim to offer a "new version of salesforce.com"
  • The caller asks for login credentials to "install improvements" or perform other activities in the customer's org.

What you need to do:

  • Remind your users that salesforce.com employees will not ask for usernames or passwords.
  • If one of your users betrays his or her login credentials, you should reset that person's password immediately and alert us: security@salesforce.com
  • If a caller identifies him or herself as a salesforce.com employee and you do not recognize his or her name, ask for a call-back number and email address. Then call our 1-800-NO-SOFTWARE (1-800-667-6389) number to verify whether the caller is a salesforce.com employee.

Security Advisories

August 28, 2012 - avast! AV false positive alert for Salesforce.com

Salesforce.com has received reports that the avast! antivirus client is incorrectly identifying a file on the Salesforce web site as a threat. Avast! is aware of this issue and has released an update (virus update 120828-2) that resolves it. You can also manually apply the update in one of the following ways:

  1. Download and apply the update file manually
    • Visit http://www.avast.com/download-update
    • Select the version of the avast! client installed on your system
    • An executable (vpsupd.exe) will be downloaded to your system.
    • Execute this file and follow the prompts to apply this update
  2. Download and apply the update via the avast! AV client

What does the avast! alert look like?

The following is displayed by the avast! client after loggin into salesforce.com:

Object: <Salesforce.com domain>/jslibrary/1345661737000/sfdc/main.js
Infection: JS:Blacole-AV [Trj]
Process: <Web browser executable>