Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Dyre Malware Targeting Salesforce User Credentials

In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.

In an advisory sent to Salesforce Account administrators late Friday, the largest provider of cloud-based CRM solutions warned that its customers are being targeted by key-logging malware known as Dyre.

“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” the company warned.

Dyre, which is able to circumvent the SSL mechanism of web browsers, was first detailed by PhishMe in June 2014 after being spotted in an attack targeting online banking credentials.

Salesforce said it had not yet seen any evidence that any of its customers have been impacted by the malware.

“If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” Salesforce said. 

Late last month, security researchers from Proofpoint discovered a large-scale phishing campaign targeting JPMorgan Chase customers that leveraged the RIG exploit kit and the Dyre Trojan. According to VirusTotal, the version of Dyre used in the attack was not detected by any of the leading antivirus providers at the time of the attack, Proofpoint said.

In addition to ensuring that anti-malware solutions are capable of detecting the Dyre malware, Salesforce.com recommends that customers leverage the following security capabilities of the Salesforce Platform to lockdown their applications:

• Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN

Advertisement. Scroll to continue reading.

• Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source

• Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.

• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

In February, researchers from Adallom, a SaaS security company, discovered a variant of the Zeus Trojan that targets Salesforce.com users.

While online banking websites are still the focus of most of the cyber attack campaigns, attackers are also targeting different institutions and business applications, including corporate finance and providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals.

When it comes to the use of SaaS applications, companies should assume that the user devices are compromised and deploy relevant security controls for better detection and prevention capabilities, Adallom has suggested.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.