Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Dyre Malware Targeting Salesforce User Credentials

In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.

In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.

“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” the company warned.

Dyre, which is able to circumvent the SSL mechanism of web browsers, was first detailed by PhishMe in June 2014 after being spotted in an attack targeting online banking credentials.

Salesforce said it had not yet seen any evidence that any of its customers have been impacted by the malware.

“If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” Salesforce said. 

Late last month, security researchers from Proofpoint discovered a large-scale phishing campaign targeting JPMorgan Chase customers that leveraged the RIG exploit kit and the Dyre Trojan. According to VirusTotal, the version of Dyre used in the attack was not detected by any of the leading antivirus providers at the time of the attack, Proofpoint said.

In addition to ensuring that anti-malware solutions are capable of detecting the Dyre malware, recommends that customers leverage the following security capabilities of the Salesforce Platform to lockdown their applications:

• Activate IP Range Restrictions to allow users to access only from your corporate network or VPN

• Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source

• Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.

• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

In February, researchers from Adallom, a SaaS security company, discovered a variant of the Zeus Trojan that targets users.

While online banking websites are still the focus of most of the cyber attack campaigns, attackers are also targeting different institutions and business applications, including corporate finance and providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals.

When it comes to the use of SaaS applications, companies should assume that the user devices are compromised and deploy relevant security controls for better detection and prevention capabilities, Adallom has suggested.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.