The company said in an open letter that it had discovered that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied.

The stolen data included first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data, according to the letter.

Customers on this list are now being bombarded with further targeted phishing attacks, some of which include viruses and key loggers, the company said.

A phishing attack comprises an email and web site mocked up to look like their legitimate corporate originals. Victims who fall for the attack unwittingly hand over usernames, passwords or other sensitive data to the bad guys.

Nowadays, phishing attacks can be highly automated, allowing people with little technical ability to conduct scams using cheap, pre-built phishing toolkits.

A Salesforce.com employee, whom the company did not name, fell for one such scam, inadvertently giving out the customer database, which the phishers then started using to find further victims.

"Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher," the company said in its letter.

A few days ago a new wave of phishing attempts that included attached malware – software that secretly installs viruses or key loggers – appeared and seemed to be targeted at a broader group of customers, the company said.

Salesforce said it is working to minimize the impact of these attacks through log monitoring, takedown notices for phishing sites, and re-educating its staff about the dangers of phishing.

The company will hold an online seminar this week to give tips to its customers on how to avoid falling for such scams.