Salesforce customers targeted by malware

Customer relationship management giant Salesforce is warning its customers that they may be targeted by the new Dyre or Dyreza malware, which is designed to steal log-in credentials.

Dyreza spreads via phishing emails, with malware attachments that are activated via social engineering (convincing users to click on what otherwise appears to be a legitimate attachment).

Salesforce issued the security alert but claimed it has no evidence of any of its customers being affected by Dyreza and said that the malware does not represent a vulnerability within its platform.

The malware was discovered by security company PhishMe in June this year.

Danish security research firm CSIS noted that Dyreza works in a similar fashion to the older Zeus malware, and hooks into the Internet Explorer, Google Chrome and Mozilla Firefox web browsers for man in the middle (MITM) data harvesting.

Once activated, Dyreza is able to read traffic encrypted with secure sockets layer (SSL) and also attempts to bypass two-factor authentication.

Until now, Dyreza has been used in campaigns against banks such as Natwest, Citibank and RBS, and it is thought to be connected to Latvian criminals.

To mitigate against Dyreza attacks, Salesforce recommends that customers switch on several security capabilities in the CRM platform:

• Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN.
• Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source.
• Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

Salesforce also recommended customers and their IT teams to ensure their anti-malware solutions are able to detect Dyreza.