Why hackers love the buzz around Dreamforce 2012

Dreamforce 2012, the flagship event from Salesforce, starts in San Francisco’s landmark Moscone Center on the 18th of September. Last year the event attracted 45,000 delegates (an additional 35,000 joined online) trying to get into the several main and overflow halls to learn about the latest trends in cloud services. In 2012, the event is expected to attract over 60,000 delegates, making it one of the largest technology events of its kind.

There are several reasons for delegates to attend this event, e.g. keynotes, sessions, the expo, after-event parties, give-aways etc. A major contribution comes from the way Salesforce promotes the event. There are early registration discounts, partner discounts, promotion codes, complimentary groups (e.g. linked users get free pass options) etc. Once you register, several emails from the event organizers and partners come your way, e.g. announcements, agenda updates, partner events etc. Needless to say, there are iOS and Android apps for the event. “Experienced” delegates know that interesting sessions and parties fill up soon, as most of them need pre-registration, which means one needs to react immediately and register as soon as an update email from Salesforce comes in.

This excitement and buzz is a must-not-miss opportunity for hackers to use phishing techniques for general and targeted attacks. The Salesforce security team recently released information about a phishing attack disguised as an “Exclusive Dreamforce invitation”. The email has links to non-Salesforce websites hosting a variant of the Blackhole exploit kit, which exploits vulnerabilities in a number of client applications, including web browsers, Adobe Flash, and Java. This exploit kit can deliver payloads that enable unauthorized third parties to execute arbitrary commands on the compromised system. A zero-day vulnerability in Java, still open without a patch from Oracle, further elevates the threat profile of the attack.

This phishing attack scores high on the vectors an attacker is looking for:

  1. Expected: Since the big event is approaching, this email is expected.
  2. Time sensitive: Recipients know they need to respond immediately to take advantage of the special offers. This leaves them no time to verify the authenticity of the email.
  3. Multi-device: The email can be responded to from any device, including a mobile device, where the chances of missing obvious clues are high.
  4. No feedback: Recipients don’t expect a response once they perform the action mentioned in the email, so there is no closed-loop verification.

Protection from such an attack needs several controls working at different levels. Spam filters could block suspicious emails, web filters can stop users from visiting suspected websites, anti-malware tools could stop exploit kit installation etc. No control, however, is more important than users being diligent about the emails they open and act on. The “human firewall”, also called the “weakest link”, renders several technology controls ineffective if it is not educated, aware and diligent.

The threat vector of such an attack can be elevated further if the attacker aims cloud-service-based attacks at specific users, e.g. sending Salesforce CRM-themed phishing emails to Salesforce users. The additional vector that gets added is:

  1. Targets identifiable: Cloud service users expect emails from their cloud service providers and would not be able to spot look-alike malicious websites. It is not difficult to find the user organizations / customers of cloud service providers. Every vendor and their partners name customers on their websites. Case studies even reveal the specific products or services they use.
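As an added illustration of the kind of mail-filter check the controls paragraph above and the look-alike-website point call for, the Python below is example code written for this page, not code from Salesforce or from any product it names. It scans the links in a constructed HTML email modelled on the lure described and flags three signs of a look-alike site: visible link text naming salesforce.com while the href points elsewhere, the brand name embedded in an untrusted hostname, and a hostname that collapses to salesforce.com once common digit/letter confusables are normalized. The sample message, its placeholder domains, the trusted-domain list and the confusable table are all assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): an HTML email body in the style of
# the "Exclusive Dreamforce invitation" lure. The untrusted hostnames below
# are placeholders made up for this example, not observed indicators.
SAMPLE_EMAIL_HTML = """
<p>Your exclusive Dreamforce invitation is waiting!</p>
<p>Register now: <a href="http://salesforce-dreamforce-invite.example.net/register">
https://www.salesforce.com/dreamforce</a></p>
<p>Agenda: <a href="https://www.salesforce.com/dreamforce/agenda">View agenda</a></p>
<p>Partner party: <a href="http://saIesforce.com/party">Sign up</a></p>
"""

# Assumed allow-list of domains the recipient legitimately expects mail from.
TRUSTED_DOMAINS = {"salesforce.com"}
# Brand words an attacker embeds in a hostname to look legitimate (assumed list).
BRAND_TOKENS = ("salesforce", "dreamforce")
# Digit/letter confusables commonly swapped into look-alike hostnames (assumed table).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Hostname of a URL with user-info and port removed. Case is preserved on
    purpose: a capital I standing in for a lowercase l is what we want to catch."""
    netloc = urlparse(url).netloc.rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0]


def registrable_domain(host):
    """Last two labels, lowercased. Adequate for .com/.net in this example; a
    production filter should consult the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_links(html):
    """Return [(href, [reasons])] for every link; an empty reason list means
    the link resolves to a trusted domain or raised no flag."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            # 1. Visible text names a trusted site, but the href goes elsewhere.
            if text.startswith(("http://", "https://")) and \
                    registrable_domain(host_of(text)) in TRUSTED_DOMAINS:
                reasons.append("text_href_mismatch")
            # 2. Brand name embedded in an untrusted hostname.
            if any(token in host.lower() for token in BRAND_TOKENS):
                reasons.append("brand_in_untrusted_host")
            # 3. Hostname becomes a trusted domain once confusables are normalized.
            if registrable_domain(host.translate(_CONFUSABLES)) in TRUSTED_DOMAINS:
                reasons.append("lookalike_domain")
        findings.append((href, reasons))
    return findings


def suspicious_links(html):
    """Only the links that raised at least one flag."""
    return [(href, reasons) for href, reasons in analyze_links(html) if reasons]


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL_HTML):
        print("FLAG" if reasons else "ok  ", href, ", ".join(reasons))
```

Run as a script it prints one line per link, flagging the first and third. The three checks are deliberately independent so a filter can score them rather than treat any one as decisive: a legitimate partner mail may well mention the brand in a hostname, whereas text/href mismatch against a trusted domain is close to conclusive.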

Phishing attacks are growing and mutating at a rapid pace; strengthening the human firewall is key to protecting organizations and businesses.