Salesforce users hit with malware-based targeted attack

Late last Friday, global cloud-based CRM provider Salesforce sent out a warning to its account administrators that its customers are being targeted by the Dyreza malware.

“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” the alert said. “We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”

Dyreza is a new banking trojan family, first spotted earlier this year targeting customers of US and UK banks.

“The code is designed to work similarly to ZeuS and, like most online banking threats, it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware,” CSIS researcher Peter Kruse shared at the time.

The malware effectively performs a Man-in-the-Middle attack and, in this case, intercepts the information submitted by users – username, password, and even their two-factor authentication token – by redirecting them to a spoofed Salesforce login page.

The company does not say how the malware infects the targets’ computers, but if past campaigns are any indication, users are targeted with phishing emails carrying or linking to the malware, which masquerades as a legitimate application.

Salesforce has instructed account administrators to check with their IT security team whether the AV solution they use is capable of detecting the Dyre malware, and to contact Salesforce if they believe they have already been infected.

They also advised administrators to use the security capabilities of the Salesforce Platform:

  • Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN
  • Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source
  • Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
  • Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
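To illustrate what the IP Range Restrictions item above buys a defender, here is an added Python example (not from the article or from Salesforce) that checks constructed login-history records against assumed corporate and VPN ranges, flags successful logins from outside them, and lists any outside host that tried more than one user's credentials.

```python
import ipaddress
from collections import defaultdict

# Constructed corporate network and VPN egress ranges (assumed values, not real ones).
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed login-history records modelled on the user / source IP / status
# fields an administrator can export; every value here is made up for the example.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "source_ip": "203.0.113.42", "status": "Success"},
    {"user": "alice@example.com", "source_ip": "192.0.2.77",   "status": "Success"},
    {"user": "bob@example.com",   "source_ip": "198.51.100.9", "status": "Success"},
    {"user": "bob@example.com",   "source_ip": "192.0.2.77",   "status": "Failed: Invalid Password"},
]


def is_trusted(source_ip, ranges=ALLOWED_RANGES):
    """True when the address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ranges)


def flag_logins(records, ranges=ALLOWED_RANGES):
    """Successful logins from outside every allowed range.

    With IP Range Restrictions active these sessions would have been refused;
    in an existing login history they are the events to investigate first,
    since a stolen credential is replayed from the attacker's host rather
    than from the victim's workstation."""
    return [r for r in records
            if r["status"] == "Success" and not is_trusted(r["source_ip"], ranges)]


def shared_untrusted_sources(records, ranges=ALLOWED_RANGES):
    """Untrusted source IPs that attempted more than one user's credentials.

    One outside host trying several accounts (successfully or not) is the
    pattern a single credential-harvesting relay produces."""
    users_by_ip = defaultdict(set)
    for r in records:
        if not is_trusted(r["source_ip"], ranges):
            users_by_ip[r["source_ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for r in flag_logins(SAMPLE_LOGINS):
        print("untrusted successful login:", r["user"], "from", r["source_ip"])
    for ip, users in shared_untrusted_sources(SAMPLE_LOGINS).items():
        print("shared untrusted source:", ip, "->", ", ".join(users))
```

The same check works on a real login-history export once the allowed ranges are replaced with the organisation's own network and VPN addresses.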