How Hackers Think & How it Relates to Salesforce - May 31, 2019

Blog - hackers and Salesforce Security w. Mike Smith

Taken from RevCult's Salesforce Security Series Webinar "How Hackers Think" featuring Mike Smith, Security Architect at Salesforce 

“Simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court...This prosecution is unprecedented.”

Those were the words of federal prosecutors’ sentencing memo at the conclusion of the trial of one of the most prolific and notorious credit card data hackers of this century, Roman Seleznev.  

The scope of Seleznev’s crimes is nothing short of staggering. Seleznev had made tens of millions of dollars for himself by defrauding more than 3,400 financial institutions of nearly $170 million, selling millions upon millions of credit card dumps on the black market to criminal groups.

The businesses that he hacked to steal those credit cards were forced to spend tens of thousands of dollars to fix their security. Many were also hit with fines of $5,000 to $30,000 for not complying with PCI standards for safeguarding credit card data. On top of that was the PR fallout. Customers left these businesses in droves when they learned that their credit card data had been unwittingly exposed, and at least one of those businesses had to declare bankruptcy.

How was Roman Seleznev able to inflict such extreme damage, and how does this affect how you should think about your Salesforce security?

How he did it - the Story of Roman Seleznev

Roman Seleznev managed this unprecedented feat from his home country of Russia by exploiting easy opportunities to get into unsecured computer systems. Such opportunities can actually be quite easy to find. Why? Because many businesses simply don’t have the knowledge to take proper precautions.  

Roman targeted lucrative and poorly-protected victims — businesses where credit cards were being swiped constantly. He found restaurants to be the perfect target. 

Using a rented server in a Virginia data center and some freely available scanning software, Roman scoured the internet for restaurant point-of-sale systems running Windows that had their network port 3389 exposed. This is the port many businesses leave open to give their IT service providers easy access to their computers via Remote Desktop. Unfortunately, this also gave Roman easy access to the credit card systems of unsuspecting restaurants.

Then, Roman would remote in himself and try to log in. He figured that if these restaurants were lax about port access, they were probably also using simple passwords that would be easy to crack. And he was right. (It didn’t help that IT providers were, unbelievably, using the same password to access multiple clients’ computers, a real security no-no.)

So Roman ran dumb, brute-force attacks — using a password “cheat sheet” and guessing the password over and over until a match was found — to access these restaurants’ computers as if he were sitting right in front of them. If they were running credit card software, Roman would install malware to scrape their credit card data and send it back to Russia.

Roman moved quickly. Typically, the cards he stole were sold and used for fraudulent purchases within two days of being scraped from his victims.

In a short time, Roman was able to steal and sell millions of credit cards. He kept doing it because, well, it was as easy as stealing the proverbial candy from the proverbial baby. He was able to fund quite a lavish lifestyle with his exploits — including fancy homes, flashy cars, and luxury vacations around the world.

But, Roman’s hacking escapades were not to last. He was leaving a trail — and that trail would eventually lead to his capture. 

That trail got hot in 2010, when a Schlotzsky's Deli location in Idaho reported a credit card breach, and the Secret Service was brought in to investigate. They discovered that two point-of-sale registers at that location, running Microsoft Windows, had been infected with malware that was stealing data from swiped credit cards and sending it to a server in Russia. At first, it looked like the malware had been downloaded and installed manually by someone physically at the restaurant (it was later confirmed to be Roman installing it remotely).

Soon after, a call came in from the Boeing Employees Credit Union in Seattle, reporting a slew of fraudulent charges with a common purchase point: the Broadway Grill in Capitol Hill, Seattle. The Secret Service investigated and found that just as with Schlotzsky's, the Broadway Grill’s computers had been infected with credit card-stealing malware. This malware would copy huge tranches of swiped credit card data to clear text files and send them to the exact same server in Russia as the malware at Schlotzsky's. And just like before, the malware seemed to have been installed manually on-premise.

Around that same time, an Ohio man was arrested and his laptop seized. The Secret Service found a cache of stolen credit cards on it. Where had these cards been used before? You guessed it — that same Idaho Schlotzsky's deli location. A pattern was emerging.

The Ohio man had been communicating with a seller named “Track2” using ICQ chat software. Posing as a buyer, the Secret Service made contact with Track2 and learned that he used two websites to sell his stolen cards. Both sites were registered using Yahoo email accounts.

An investigation of these accounts revealed purchase transactions and a PayPal account, leading the Secret Service straight to Track2, a.k.a. Roman Seleznev.

It took some time, but U.S. investigators were able to catch up with Roman Seleznev while he was vacationing in the Maldives and, thanks to a special agreement with that country, were able to extradite Roman to the U.S. for trial. His laptop had 1.7 million stolen credit cards on it when they arrested him.

Because of the vast scale of his crimes and his unwillingness to cooperate, Roman received an unprecedented 27 years of jail time for his cyber crimes.

What’s the lesson here for us? Had these restaurants employed simple best practices — using complex and unique passwords, not leaving their Remote Desktop port open, and making sure to be PCI compliant (meeting standards required for accepting and storing credit card data) — then they would not have been Seleznev’s, or anyone’s victim. But, they made it easy to get hacked — attracting the attention of a greedy Seleznev.

That’s how a hacker thinks. Find the easy prey — the ones who don’t know better. 


What Roman Seleznev can teach us about securing Salesforce

Hackers are constantly looking for easy ways to get into your software platforms. Let’s see what Roman’s story can teach us, and the actions you can take to stop hackers from getting access to your Salesforce platform.

Salesforce security is everyone’s responsibility.

No system or IT team can fully safeguard your organization against the accidental mistakes users commonly commit which can leave you exposed to hacking. That’s why you must build it into your culture that security is the responsibility of everyone in the organization, not just the IT folks. At the same time, IT professionals have to realize that they are also IS professionals — that is, Information Security professionals. They have an extra burden of care to protect the data of their clients.  

When everyone in your organization has a security-first mindset, you’ll easily prevent the common vulnerabilities hackers will try to exploit to get into your Salesforce platform.


Threats/bad practices and how to mitigate them: 

Threats / bad practices

How to mitigate

Port open to public for Remote Desktop (no VPN/firewall)

With Salesforce, you don’t need to keep remote access open for your InfoSec team. Salesforce manages its infrastructure for you — with a robust IDS (Intrusion Detection System), and software patching — constantly monitoring for and installing security patches from software vendors in the Salesforce landscape.

Password re-use by IT consulting company and by your internal users

Train your people — NO PASSWORD REUSE. Get a password manager to create unique passwords for every login.

In Salesforce, go to “Password Policies” to enforce password history that requires users to use a new, unique password when changing passwords.

Usernames and passwords kept in clear text in a file on computer

Use a password manager.


Clicking on emails from hackers (“phishing” attacks)

Teach your users how to avoid phishing attacks — these are emails that look like they came from legitimate senders that trick users into clicking links that install malware.

Weak passwords

Require strong passwords. This makes it much harder for a brute-force attack to gain access. A password manager will also generate and store complex passwords for you.

In Salesforce, go to “Password Policies” to enforce password length and complexity requirements.

Lack of strong authentication on-premise (password only to Remote Desktop)

Use two-factor authentication (2FA) in Salesforce, which requires entry of a second, single-use, time-limited password with each attempt to login to Salesforce, to accurately verify the identity of the user. This alone could have stopped Seleznev from getting into a computer system.

Not controlling access to your platform

Salesforce lets you control what networks users can log in from, which users can have CRUD (create, read, update delete) access to data objects, and what fields different users can access based on their roles.

Lack of data field history visibility


Use Salesforce Field History Tracking to see how and when data has been changed by users. 

Rogue administrator behavior

Regularly review the “Setup Audit Trail” to log everything your administrators do, helping you identify and stop rogue behavior.

Bad user behavior

Use Salesforce Shield Event Monitoring to log who does what, when and where, helping you catch and prevent bad behavior.

Failed regulatory audits due to missing data history

Salesforce Shield Field Audit Trail lets you keep a full history of data inputs and changes going back up to ten years to meet the more stringent audit requirements of highly-regulated industries.

PCI compliance fines

Use Salesforce Shield Platform Encryption to ensure “encryption at rest” (encrypting data stored on servers) — a requirement of the PCI data security standard to protect credit cards.


Aligning your Salesforce to your Security Strategy

As you can see, Salesforce provides a secure platform out of the box, and Salesforce Shield goes a step further. Still, security is not a “set it and forget it” exercise. Human error, new software integrations, and custom code development without security in mind can open you up to vulnerabilities that go unnoticed until a breach happens. These are constant threats.

As Salesforce experts and custom developers themselves, RevCult has seen it all. Their comprehensive Salesforce Security Risk Assessment identifies risk and closes gaps to maintain alignment with your corporate security posture. As a company whose core function is to safeguard your Salesforce security, they are relentless about uncovering and solving potential platform vulnerabilities that can occur in any organization.  

RevCult can help you implement your security strategy faster and more accurately in Salesforce with their suite of products. 

Schedule a meeting with the RevCult team to see how leading-edge companies are ensuring Salesforce security.  

The Takeaway:

To keep your Salesforce platform secure, start thinking like a hacker. Identify all the easy holes hackers can exploit, and plug them with the simple best practices outlined above. That alone can stop the Roman Seleznevs of the world. 

But don’t stop there. No PaaS (Platform as a Service) — Salesforce included — is completely safe without diligent risk assessment and mitigation. Bad actors are watching all the time, waiting for us to get just a little too complacent…then they strike.  Don’t let them. Continuously reevaluate your configurations and ensure your Salesforce stays aligned to your Security posture.

RevCult’s services and products help companies keep their Salesforce platform secure, well into the future. Contact RevCult to learn more.

- Written by Guest Expert, Mike Smith (Security Architect at Salesforce) 

Topics: webinar, Security and Governance

Subscribe to the Blog