
Dreamforce 2012 Phishing Scam


We’ve just received an email from the security team over at Salesforce warning about a phishing email that’s currently in circulation. The email is disguised as coming from Salesforce.com and appears to be a “Dreamforce Exclusive Invitation”; however, should you click any of the links within this email, you’ll be directed to sites containing malware.

The salesforce.com Trust Security page has been updated to include new information regarding a recent email phishing attack disguised as a “Dreamforce Exclusive Invitation.”

Note: If you have received one of these emails DO NOT click any of the links or reply.

Additional information has been posted to http://trust.salesforce.com/trust/security/threats/#phishing.

Should you receive this email we recommend that you delete it immediately and notify any of your colleagues who may be aware of the Dreamforce event.

Technical Details

Purported Sender
Salesforce.com [[email protected] or [email protected]]
Email Subject
Subject: Dream Force – Exclusive Invitation
Subject: You’ve made a payment online

Malicious, non-salesforce.com links the email directs recipients to:
The body of the email has links to sites not owned or operated by salesforce.com:
hxxp://blechvet.de/81shTho6/index.html
hxxp://blechvet.de/7PEspcVW/index.html
hxxp://agrobestgrup.com/Ftv8Ldf4/index.html
hxxp://agrobestgrup.com/bdn0tts8/index.html
hxxp://bottegangeli.com/1ctisbx4/index.html

Description of Exploit
This page hosts a variant of the Blackhole Exploit Kit, which exploits vulnerabilities in a number of client applications, including Web browsers, Adobe Flash, and Java. This exploit kit can deliver payloads that enable unauthorized third parties to execute arbitrary commands on the compromised system.

We are working with the responsible ISPs to take these pages offline. As of 11:00 AM PDT August 8, 2012, most of these pages have been taken offline. Be aware that these unauthorized third parties may repost this phishing attempt (or a slightly different version) elsewhere.

Defensive Action
DO NOT click on the link to go to the page; delete the email immediately. If you suspect that a system has been compromised by this attack, immediately disconnect it from your network and run an anti-virus or anti-spyware utility.

Using a known safe PC, log in to all online accounts you suspect may be compromised and change passwords. Review Salesforce best practices on http://trust.salesforce.com/trust/security/best_practices/.
Inform your organization’s Salesforce users about this attack and these precautions.
We recommend that customer IT personnel block the email in spam filters and filter the URL at your network perimeter.
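One way to apply the spam-filter and perimeter recommendation above to the listed indicators, shown as an added example that is not part of the Salesforce advisory or the original post. The proxy log format, the sample log lines and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the advisory, kept defanged (hxxp).
DEFANGED_URLS = [
    "hxxp://blechvet.de/81shTho6/index.html",
    "hxxp://blechvet.de/7PEspcVW/index.html",
    "hxxp://agrobestgrup.com/Ftv8Ldf4/index.html",
    "hxxp://agrobestgrup.com/bdn0tts8/index.html",
    "hxxp://bottegangeli.com/1ctisbx4/index.html",
]
SUBJECTS = ["Dream Force – Exclusive Invitation", "You’ve made a payment online"]

def host_of(url):
    """Host of a URL, accepting the defanged hxxp:// and [.] forms."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")
    return (urlsplit(url).hostname or "").lower().rstrip(".")

# Block on host, not full URL: the advisory warns the pages may be reposted.
BLOCKED_HOSTS = {host_of(u) for u in DEFANGED_URLS}

def host_blocked(host):
    """Match a listed host or any subdomain of it, never a bare string suffix."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def norm_subject(subject):
    """Fold case, dash and apostrophe variants, spacing and Re:/Fwd: prefixes."""
    s = subject.translate(str.maketrans("–—’‘", "--''"))
    s = re.sub(r"^\s*((re|fwd?|subject)\s*:\s*)+", "", s, flags=re.I)
    return re.sub(r"\s+", " ", s).strip().casefold()

def subject_blocked(subject):
    return norm_subject(subject) in {norm_subject(s) for s in SUBJECTS}

def scan_proxy_log(lines):
    """Return (client_ip, url) for each request to a blocked host.
    Assumed (constructed) format: '<time> <client_ip> <method> <url> <status>'."""
    rows = (line.split() for line in lines)
    return [(f[1], f[3]) for f in rows if len(f) >= 4 and host_blocked(host_of(f[3]))]

# Constructed sample traffic; paths and client addresses are placeholders.
SAMPLE_LOG = [
    "2012-08-08T09:14:02 192.0.2.10 GET http://trust.salesforce.com/trust/security/ 200",
    "2012-08-08T09:15:40 192.0.2.23 GET http://BLECHVET.de/constructed/index.html 200",
    "2012-08-08T09:16:11 192.0.2.31 GET http://www.agrobestgrup.com/constructed/index.html 200",
    "2012-08-08T09:17:05 192.0.2.44 GET http://notblechvet.de/index.html 200",
]
```

Clients returned by `scan_proxy_log` are the systems to treat as possibly compromised under the Defensive Action steps above.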