Customers are offered instructions for strengthening security

Sep 9, 2014 11:20 GMT

Cloud-based CRM provider Salesforce has determined, through one of its security partners, that the Dyre Trojan, also known as Dyreza, may now be taking aim at its customers.

The company found no evidence that any of its customers had been affected by the banking malware, but late on Friday it took the precaution of alerting them to the threat, urging them to make sure their systems were properly protected against the Dyre Trojan.

Malware relies on phishing attack vector

Dyre is a relatively new Trojan built to steal banking credentials through man-in-the-middle attacks: by interposing itself between the browser and the bank's site it defeats the protection SSL would normally provide and can read traffic the victim believes is encrypted end to end, without the victim noticing.

Researchers have found that the malware is now targeting Salesforce login credentials by directing the owners of infected machines to a phishing website impersonating Salesforce. All content entered in the form fields is then sent automatically to the cybercriminals.

The initial infection is done through social engineering, generally perpetrated by sending an email containing a malicious attachment.

Salesforce systems not compromised

In the email sent to its users, the company says that the attackers did not exploit a vulnerability on Salesforce's end. Instead, they target the customers directly and try to steal their login credentials for the cloud-based platform.

Jerome Segura of Malwarebytes says that businesses rely more and more on third-party software providers because it is a cheaper option that takes some of the work off their shoulders.

“This type of attack could mean there might be a new trend on the horizon, one that goes after Software as a Service (SaaS) users,” he writes in a blog post.

Dyre/Dyreza modus operandi

The malware was first uncovered by researchers at PhishMe and at CSIS Security Group. At that time, they said the threat relied on man-in-the-middle attacks to capture network traffic destined for secure web addresses, such as online banking sites.

“By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers’ page,” said PhishMe security researcher Ronnie Tokazowski.

According to the analysis from CSIS, the Dyre Trojan is delivered to victims mostly through spam campaigns, but it can also reach its target via phishing.

Several banks have been targeted by the malware, including Bank of America, Citigroup, the Royal Bank of Scotland, Ulsterbank, and Natwest.

To protect themselves against the malware, Salesforce recommends that its customers activate IP range restrictions so that only connections originating from the corporate network or VPN are accepted.

Enabling two-factor authentication (2FA) is also a sound measure: a stolen password alone is then not enough to log in from an unknown machine.
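The two controls above, IP range restriction and 2FA, can be shown working together as a login-policy check. The code below is an added illustration, not Salesforce's code or part of the original article; Salesforce configures these restrictions in its own admin settings, and this example only models the policy. The allowed ranges use documentation address space and are constructed for the example; the one-time code is a standard TOTP (RFC 6238, HMAC-SHA1, 30-second step) so that the check can be exercised against the RFC's published test secret.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed policy: the corporate egress range and the VPN pool.
# These are documentation prefixes (RFC 5737), not real infrastructure.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # corporate office egress
    ipaddress.ip_network("198.51.100.0/25"),   # VPN address pool
]


def ip_allowed(source_ip: str, ranges=ALLOWED_RANGES) -> bool:
    """Login IP restriction: accept only addresses inside an approved range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Malformed address: treat as untrusted rather than crashing open.
        return False
    return any(addr in net for net in ranges)


def totp(secret_b32: str, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 over the big-endian time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now=None, window: int = 1) -> bool:
    """Accept the code for the current 30 s step or one step either side (clock drift)."""
    now = int(time.time()) if now is None else int(now)
    step = now // 30
    for drift in range(-window, window + 1):
        # Constant-time comparison so a wrong code is not distinguishable by timing.
        if hmac.compare_digest(totp(secret_b32, step + drift), submitted):
            return True
    return False


def evaluate_login(source_ip: str, password_ok: bool, secret_b32: str,
                   code: str, now=None) -> str:
    """Decide a login in the order the two Salesforce recommendations imply:
    a correct password is necessary but not sufficient; the source address must
    be inside an allowed range, and a valid second factor must be presented."""
    if not password_ok:
        return "deny: bad password"
    if not ip_allowed(source_ip):
        return "deny: source address outside allowed ranges"
    if not verify_totp(secret_b32, code, now):
        return "deny: missing or invalid 2FA code"
    return "allow"


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890", base32-encoded).
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    # A phished password used from an address outside the corporate range is refused
    # even when the attacker somehow also has a valid code.
    print(evaluate_login("192.0.2.10", True, secret, totp(secret, 59 // 30), now=59))
    # The same credentials from the corporate range with a valid code are accepted.
    print(evaluate_login("203.0.113.45", True, secret, totp(secret, 59 // 30), now=59))
```

The ordering matters for the threat the article describes: a credential captured on a look-alike page is replayed from the attacker's machine, so the IP check rejects the attempt before the second factor is even consulted, and the 2FA check covers the case where the attacker does reach an allowed network.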