Salesforce Hacked – Security Compromised

Back in 2007 it was reported that Salesforce was hacked when their electronic security measures were compromised. What is surprising is that I could not find any theft reports from Salesforce since.

Considering that the customer information they store is a prime target and that the Securities and Exchange Commission requires that thefts be reported publicly, I sort of assumed that they would have witnessed another theft in the last 7 years. I guess the reason I find this a bit shocking is that the hacking strategies used today have evolved to be smarter and more targeted.

According to the Washington Post, back in 2007, a SunTrust customer had created an email address used exclusively for emails coming from SunTrust. One day the customer started receiving odd emails targeting that unique address. The anonymous SunTrust customer reported the emails to SunTrust, who a few weeks later reported:

“SunTrust spokesperson Hugh Suhr said the purloined data included the names, e-mail addresses and physical addresses for about 40,000 SunTrust customers. He said the customer list was stolen from a database held by, and that contact information for ADP customers also was lifted from Salesforce.”

The Washington Post went on to say that:
“’s Bruce Francis, the company’s vice president of corporate strategy, declined to say whether any customer-specific data was stolen, and refused to answer direct questions about the alleged incident, saying that doing so would not be in the best interests of its customers.”

Bruce Francis, Chief Messaging Officer of

Don’t Be Quick To Blame Salesforce

According to Adallom Labs, many times it is the end users, and not the SaaS provider, who are targeted. First, hackers use phishing attacks to infect end users who in many cases are working from home. Once the end users are infected, the malware patiently watches for connections to a Salesforce account. Once the end user authenticates the computer with the cloud service, the malware can exercise its evil deeds. It’s really quite ingenious. These unwanted exfiltrations take advantage of the trust relationship that is legitimately established: the malware passes traditional security measures and simply waits for the user to connect to a specific web site. When the theft happens and the end user finds out about it, they may blame a company like Salesforce when really the breach was performed from the customer’s own employees’ machines!

How Do Hackers Break into Salesforce?

The phishing attack mentioned above often uses a variant of the Zeus trojan (W32/Zbot) to target Salesforce users. Once the machines are infected, the malware’s connections get past even the most highly regarded security appliances listed in Gartner’s firewall Magic Quadrant. In fact, Symantec calls Zeus “the king of bots” partly because it can easily circumvent all enterprise security controls.

Why Don’t Hackers Target Salesforce Directly?

The security maintained at SaaS providers like Salesforce is likely to be much stronger than the security maintained by the remote employee who works at home. And the computer used by the remote employee is probably not maintained by the corporate IT department. Most enterprise SaaS providers, like Salesforce, are highly secure organizations with state-of-the-art network security controls. Furthermore, under the shared responsibility model, much of the security responsibility for a SaaS deployment falls to the customer. Unsurprisingly, users are the weakest link. Salesforce posted a page to help users become more aware of possible infections and how to avoid them.

Regardless of who is to blame, this is still theft. I would think that Salesforce would have to report it to the Securities and Exchange Commission (SEC). The list of reports to the SEC is empty.

Salesforce Reports to the SEC

How To Detect a Zeus Trojan

As stated earlier, the difficult part of detecting malware like Zeus is that its traffic passes right by all traditional signature-based defenses. For this reason, we have to go about detecting Zeus trojans a bit differently. We need to monitor for odd behaviors, and to do this, two approaches are often taken.

  • Configure your NetFlow or IPFIX capable devices to include the HTTP host or URL in their export. Cisco AVC reporting supports this. Set up the IPFIX or NetFlow analyzer to count the volume of flows created by each unique internal IP address to a specific SaaS domain such as Salesforce. If a threshold is reached, a notification can be triggered.
  • Baseline the behaviors of your internal hosts. If end systems start communicating in a way that is outside their normal behavior (i.e. the baseline) or creating flows during odd times of the day, an event can be triggered.

The above still isn’t enough. Some false positives will ensue. For this reason, a properly implemented Threat Index can help moderate the risk of chasing your tail. See: What is a Threat Index?
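The two flow-based checks above and the threat-index idea, put together in one small script. This is an added example written for this page, not code from the original post, from Adallom Labs, or from any NetFlow/IPFIX analyzer; the CSV export layout (timestamp, source IP, HTTP host, bytes), the placeholder domain `example-saas.invalid`, the flow records and the point weights are all constructed assumptions. It counts flows per internal host to the SaaS domain against a threshold (first bullet), learns the hours of day each host normally talks to that domain and flags anything outside that baseline (second bullet), and then only raises an alert when a host's weighted score crosses a line, so a single odd-hour flow from a new host is noted but does not page anyone.

```python
"""Flow-based detection of suspicious traffic to a SaaS domain (added example:
per-host flow-count threshold, time-of-day baselining, and a simplified threat
index combining both). Export layout, domain and records are constructed
assumptions, not real NetFlow/IPFIX data or any vendor's implementation."""
from collections import defaultdict, namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src_ip http_host nbytes")

SAAS_DOMAIN = "example-saas.invalid"  # placeholder for the monitored SaaS domain

# Constructed "yesterday" export used to learn normal behaviour. Assumed CSV
# layout: timestamp,src_ip,http_host,bytes (HTTP host included, as an
# AVC-capable exporter can provide).
BASELINE_LINES = [
    "2014-03-10T09:02:11,10.1.1.20,login.example-saas.invalid,1200",
    "2014-03-10T10:15:40,10.1.1.20,na1.example-saas.invalid,8400",
    "2014-03-10T14:30:05,10.1.1.20,na1.example-saas.invalid,2200",
    "2014-03-10T09:10:22,10.1.1.21,login.example-saas.invalid,1100",
    "2014-03-10T11:45:00,10.1.1.21,na1.example-saas.invalid,5600",
    "2014-03-10T12:00:00,10.1.1.21,www.other-site.invalid,900",  # not the SaaS
]
# Constructed "today" export: .20 behaves normally, .21 opens twelve flows at
# 03:00, and .22 has never been seen talking to the domain before.
OBSERVED_LINES = [
    "2014-03-11T09:05:00,10.1.1.20,login.example-saas.invalid,1200",
    "2014-03-11T09:40:00,10.1.1.20,na1.example-saas.invalid,4100",
    "2014-03-11T14:10:00,10.1.1.20,na1.example-saas.invalid,2000",
    "2014-03-11T10:00:00,10.1.1.22,na1.example-saas.invalid,700",
    "2014-03-11T10:20:00,10.1.1.22,na1.example-saas.invalid,700",
] + [f"2014-03-11T03:{m:02d}:00,10.1.1.21,na1.example-saas.invalid,3000"
     for m in range(12)]

def parse_flow(line):
    """Parse one line of the assumed CSV export."""
    ts, src, host, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, host.lower(), int(nbytes))

def flows_to_domain(flows, domain):
    """Keep flows whose HTTP host is the domain itself or one of its subdomains."""
    d = domain.lower()
    return [f for f in flows if f.http_host == d or f.http_host.endswith("." + d)]

def count_flows_per_host(flows, domain):
    """First bullet: number of flows each internal IP created to the SaaS domain."""
    counts = defaultdict(int)
    for f in flows_to_domain(flows, domain):
        counts[f.src_ip] += 1
    return dict(counts)

def threshold_alerts(counts, threshold):
    """Hosts whose flow count reached the configured threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def build_baseline(flows, domain):
    """Second bullet: hours of the day in which each host normally talks to the domain."""
    base = defaultdict(set)
    for f in flows_to_domain(flows, domain):
        base[f.src_ip].add(f.ts.hour)
    return dict(base)

def baseline_alerts(flows, domain, baseline):
    """(host, hour) pairs outside the host's baseline; unknown hosts always qualify."""
    odd = set()
    for f in flows_to_domain(flows, domain):
        if f.ts.hour not in baseline.get(f.src_ip, set()):
            odd.add((f.src_ip, f.ts.hour))
    return sorted(odd)

def threat_index(flows, domain, baseline, threshold, weights=(5, 3), alert_at=6):
    """Simplified threat index (an assumption, not any vendor's formula): hosts
    accumulate weighted points per triggered check and are reported only when
    the total reaches alert_at, so a single odd-hour flow alone is not an alert."""
    score = defaultdict(int)
    for ip in threshold_alerts(count_flows_per_host(flows, domain), threshold):
        score[ip] += weights[0]
    for ip, _hour in baseline_alerts(flows, domain, baseline):
        score[ip] += weights[1]
    return {ip: s for ip, s in score.items() if s >= alert_at}

def run_example(threshold=10):
    """Run both checks and the index over the constructed exports."""
    baseline = build_baseline([parse_flow(l) for l in BASELINE_LINES], SAAS_DOMAIN)
    today = [parse_flow(l) for l in OBSERVED_LINES]
    counts = count_flows_per_host(today, SAAS_DOMAIN)
    return {"counts": counts,
            "threshold": threshold_alerts(counts, threshold),
            "baseline": baseline_alerts(today, SAAS_DOMAIN, baseline),
            "index": threat_index(today, SAAS_DOMAIN, baseline, threshold)}

if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

In the constructed data, host 10.1.1.21 trips both checks (twelve flows at 03:00 against a baseline of 09:00 and 11:00) and is the only host the index reports; 10.1.1.22 is flagged by the baseline check alone because it has never been seen talking to the domain, which is exactly the kind of single-signal event that would be a false positive if it paged on its own. A real deployment would build the baseline from weeks of exports rather than one day and would tune the weights and threshold to its own traffic.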

If you hear that Salesforce was hacked or that their security was somehow compromised, keep the information above in mind. The SaaS is oftentimes the most secure end of the connection. It’s the end user or customer that is often the malware’s best chance at compromising security and stealing information. This is probably true for many SaaS deliverables. Make sure your company has a way to enforce security on end systems, especially the ones working remotely, and definitely make sure that your company has a way of monitoring the connection behaviors of remote users.