Trojan Malware Infecting Salesforce Clients

A warning from Jeff Cozza of NewsFactor to cloud platform users, and especially Salesforce users: the “Dyre” or “Dyreza” Trojan malware has been infecting Salesforce users’ systems in order to steal their login credentials. The new virus, detected by a Salesforce security partner on September 3, appears to be a threat not only to Salesforce users, however, but to any cloud platform that relies on only a username and password for access.

The Dyre malware is a specific type of Trojan called a “remote access Trojan,” which means it can bypass SSL encryption in order to steal your login credentials, usually after a successful phishing attack in which an unsuspecting user clicks a link inside an innocuous-looking email. It then proceeds to steal business data from the accounts it has accessed. Dyre, another iteration of the Zeus Trojan, began its life by going after customers of financial institutions such as Bank of America, Citibank, NatWest, RBS and Ulster Bank in order to steal their cash. It has now spread beyond the world of finance and appears to be an attempt to steal corporate data on a massive scale.

To be fair, NewsFactor notes that this is not the first time Salesforce has been targeted:

In February, the customer relationship management system provider was targeted by yet another Zeus variant that managed to steal corporate data through a user who had logged onto the service through an infected system.

A pretty similar story to what is happening now, although it is obvious Salesforce is not yet sure of the scope of the problem, despite the usual protestations of not being aware of any customer impact. The cloud CRM company has therefore asked its users to take the following precautions:

- Activate IP Range Restrictions to allow users to access the Salesforce site only from the client’s corporate networks or VPNs.
- Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source.
- Implement the company’s 2-step verification process, which is available as an app via the iTunes App Store or Google Play for Android devices.
- Leverage SAML authentication capabilities to require that all authentication attempts be sourced from client networks.
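The first two precautions above amount to one policy: a successful login from outside the corporate network that was not challenged by a second factor is exactly the event a stolen username and password would produce. The following is an added example, not Salesforce's own code or API, of checking login records against that policy. The record fields, the corporate CIDR ranges and the users are constructed for illustration; a real deployment would feed it an export of the platform's login history.

```python
"""Flag successful logins that the recommended controls (IP range
restrictions plus a second factor) would have blocked or challenged.

Added example: record layout, CIDR ranges and users are constructed
assumptions, not Salesforce's real login-history schema.
"""
import ipaddress

# Hypothetical corporate network and VPN ranges (constructed, RFC 5737 space).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed login records in the shape of a simple login-history export.
LOGIN_RECORDS = [
    {"user": "alice@example.com", "source_ip": "203.0.113.44", "mfa": True,  "status": "Success"},
    {"user": "bob@example.com",   "source_ip": "198.51.100.9", "mfa": False, "status": "Success"},
    {"user": "carol@example.com", "source_ip": "192.0.2.77",   "mfa": False, "status": "Success"},
    {"user": "dave@example.com",  "source_ip": "192.0.2.78",   "mfa": True,  "status": "Success"},
    {"user": "erin@example.com",  "source_ip": "192.0.2.79",   "mfa": False, "status": "Failed"},
]


def in_corporate_range(ip: str) -> bool:
    """True when the source address falls inside any allowed CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def classify(record: dict) -> str:
    """Return one verdict per record:

    'ignored'                - login did not succeed, nothing was exposed
    'ok'                     - inside the allowed ranges and MFA satisfied
    'mfa_missing'            - inside the ranges, but no second factor used
    'outside_range_with_mfa' - outside the ranges, but a second factor was
                               required, so a bare password was not enough
    'outside_range_no_mfa'   - outside the ranges with password only: the
                               pattern a credential-stealing Trojan produces
    """
    if record["status"] != "Success":
        return "ignored"
    inside = in_corporate_range(record["source_ip"])
    if inside and record["mfa"]:
        return "ok"
    if inside:
        return "mfa_missing"
    if record["mfa"]:
        return "outside_range_with_mfa"
    return "outside_range_no_mfa"


def find_suspicious(records: list) -> list:
    """Users whose successful login came from outside the corporate ranges
    without any second factor; these are the ones to review first."""
    return [r["user"] for r in records if classify(r) == "outside_range_no_mfa"]


def summarize(records: list) -> dict:
    """Count records per verdict so the overall exposure is visible at a glance."""
    counts: dict = {}
    for r in records:
        verdict = classify(r)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for r in LOGIN_RECORDS:
        print(f"{r['user']:<20} {r['source_ip']:<15} {classify(r)}")
    print("suspicious:", find_suspicious(LOGIN_RECORDS))
    print("summary:", summarize(LOGIN_RECORDS))
```

Note that the check treats a login from outside the ranges as acceptable when a second factor was satisfied; that mirrors the point of the SMS Identity Confirmation recommendation, which is that the stolen password alone should not be sufficient from an unfamiliar source.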

Salesforce also recommended that users make sure their anti-malware solution can detect Dyre and add the Trojan’s signature to their anti-virus software. Of course, if you are a Salesforce client and believe you have been hacked, Salesforce asks that you also immediately contact its security support team.

For the NewsFactor article that discusses this cyber security threat, click here.

Doug Atkinson