Security Experts:

Dyre Malware Targeting Salesforce User Credentials

In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.

“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” the company warned.

Dyre, which is able to circumvent the SSL mechanism of web browsers, was first detailed by PhishMe in June 2014 after being spotted in an attack targeting online banking credentials.

Salesforce said it had not yet seen any evidence that any of its customers have been impacted by the malware.

“If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” Salesforce said. 

Late last month, security researchers from Proofpoint discovered a large-scale phishing campaign targeting JPMorgan Chase customers that leveraged the RIG exploit kit and the Dyre Trojan. According to VirusTotal, the version of Dyre used in the attack was not detected by any of the leading antivirus providers at the time of the attack, Proofpoint said.

In addition to ensuring that anti-malware solutions are capable of detecting the Dyre malware, Salesforce.com recommends that customers leverage the following security capabilities of the Salesforce Platform to lockdown their applications:

• Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN

• Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source

• Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.

• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

In February, researchers from Adallom, a SaaS security company, discovered a variant of the Zeus Trojan that targets Salesforce.com users.

While online banking websites are still the focus of most of the cyber attack campaigns, attackers are also targeting different institutions and business applications, including corporate finance and providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals.

When it comes to the use of SaaS applications, companies should assume that the user devices are compromised and deploy relevant security controls for better detection and prevention capabilities, Adallom has suggested.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.