As reported by Information Week:

A Salesforce.com employee bit on the bait of a phisher, and now the Web-based CRM software provider is warning customers not to fall for the same cybercriminal tricks.

On its Trust.Salesforce.com Web site this week, Salesforce.com posted a “letter about security” to customers alerting them to be cautious of “phishing and malware scams on the Internet,” which are on “the rise.”

In fact, the company revealed that a Salesforce.com employee had been a recent victim of a phishing scam that tricked the worker into disclosing a password, providing the phisher with information on a customer contact list. That contact list information included “first and last names, company names, e-mail addresses, and telephone numbers for Salesforce.com customers and related administrative data” belonging to Salesforce.com, according to the letter.

The letter, which was signed by Salesforce.com executive VP Parker Harris, also revealed that “a small number” of Salesforce.com customer users subsequently have become victims of a phishing — being fooled into disclosing passwords after receiving “bogus e-mails that looked like a Salesforce.com invoice but were not.”

In addition, “a few days ago, a new wave of phishing attempts that included attached malware — software that secretly installs viruses or key loggers — appeared and seemed to be targeted at a broader group of customers,” the company disclosed in the notice.

“That’s why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness.”

The incident brings to mind that we must all be wary and take precautions. As always, Privacy Maven recommends the helpful resources of the Anti-Phishing Working Group to stay apprised of current phishing scams.

Yahoo Inc. announced that it is working with eBay Inc. to prevent phishing emails from reaching Yahoo mail recipients:

Yahoo Inc, is working with auction leader eBay Inc and its PayPal payments unit to block fake e-mails to users purporting to be from eBay and PayPal, hoping to spur on an industry that has been slow to fight the scourge of so-called phishing attacks.

EBay and PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys invented by Yahoo that authenticates e-mail senders are who they say they are, allowing Yahoo to block fake e-mails.

he technology upgrade will be made available to Yahoo Mail users worldwide over the next several weeks, the company said.

“It is a big step forward for consumers in defence against the bad guys,” John Kremer, vice president of Yahoo Mail, said in a phone interview.

Along with banks and pharmaceutical makers, eBay and PayPal are among the brands most targeted by phishers seeking to trick consumers into divulging personal information such as credit card or password data in order to commit financial fraud.

Privacy Maven continues to recommend the helpful resources of the Anti-Phishing Working Group.

Also illuminating is this video showing real-time access of a PayPal phishing site and demonstrating how phishing scam victims unknowingy reveal their credit card and account access information.

The confidential information of 1,200 eBay members wound up on a public discussion board:

The perpetrator of the data disclosure on about 1,200 eBay members didn’t hack into eBay systems, spokeswoman Nichola Sharpe said in an e-mail interview, reiterating an assurance eBay made when the incident happened on Tuesday.

eBay is working with law enforcement to take action against the fraudster, she said, while declining to answer whether the person has been identified or caught. Because the situation is delicate, eBay can’t fully disclose the information it has gathered, she said.

Sharpe also defended eBay’s reaction to the incident, in which a malicious user posted members’ information like names, addresses, user IDs and, apparently, credit card numbers on the company’s Trust & Safety discussion forum.

In a discussion forum thread, some eBay members have criticized the vendor for, in their view, taking too long in shutting down the forum used by the fraudster.

eBay took the Trust & Safety forum offline about an hour after the fraudster began posting the confidential data.

Phishing is a constant threat for any online user and eBay and PayPal members are often recipients of phishing attempts. Here is a screen shot of a typical eBay phishing email:

As always, Privacy Maven recommends the helpful resources of the Anti-Phishing Working Group to stay apprised of current phishing scams.

The term “FriendStatus.com” appeared on Google Hot Trends for September 12, 2007 and yet there were no news reports. HitsUsa.com has written an analysis of FriendStatus.com and considers it a phishing scam targeting MySpace users:

This scam involves phishing people into giving their email and password to find out the private information, pictures, or video that are supposedly on the site. When you do, their scripts grab your email and password, then instantly login to MySpace and send fake bulletins to all your friends that do the same thing.

What people don’t realize is that the bulletin that brought you to FriendStatus.com is grabbing your MySpace information from your own profile and adding it to your version of the bulletin that you are looking at…

Related Posts:

• IRS Warns of New Phishing Scam
• Yahoo Working with eBay and PayPal to Protect Members from Phishing Emails
• Salesforce.com Employee Conned By Phisher, Reveals Company Database
• Megan Meier: MySpace, Manipulation, Betrayal and Suicide
• 1,200 eBay Members Were Victims of Phishing Scam, Not Data Breach, eBay Contends

]]> http://www.privacymaven.com/friendstatuscom-phishing-scam-targets-myspace-users.html/feed 0