'Dyre' malware goes after Salesforce users

‘Dyre’ malware goes after Salesforce users

San Francisco-based company Salesforce well-known for its cloud-based Customer Relationship Management (CRM) software, emailed a security advisory to its customers, late Friday,

Subject: Malware Targeting Salesforce Users Date: 9/5/2014 10:40 PM From: salesforce.com

A copy of the email sent by Salesforce (click to enlarge).

The threat known as Dyre was originally spotted by security firm CSIS and by PhishMe which also had uncovered the new malware earlier in June.

Back then, the threat was aimed at banks and other financial institutions, something very reminiscent of other banking Trojans such as Zeus and its variants.

But researchers discovered that the malware is now capable of capturing login credentials from Salesforce users by redirecting them through a phishing website.

Dyre will initially infect users through some form of social-engineering, typically with an email that contains a malicious attachment. Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines.


Malwarebytes Anti-Malware detecting the Dyre malware (click to enlarge).

This type of attack could be mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users.

Businesses increasingly rely on third-party software providers for their needs because it can be a cheaper option without all the headaches of doing it yourself. For example, instead of managing their own email server, companies will use Office365 or similar cloud-based email solutions.

Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used. But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business.

There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way.

Data exfiltration is one the most important issues of 2014 with a growing number of businesses being affected.

The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.



Jérôme Segura

Principal Threat Researcher