Salesforce Warns Customers of Dyre Malware Attack

Trojans like Dyre, originally designed to steal data from online banking service users, are being repurposed to grab user credentials from other online services.

Enterprise software-as-a-service (SaaS) vendor is warning its customers about potential attacks from Dyre, a banking Trojan that steals user information and access credentials.

In a security alert posted on the Salesforce site, the company warned that it became aware of Dyre on Sept. 3, and the malware might now be targeting Salesforce customers.

"This is not a vulnerability within Salesforce," the company stated. "It is malware that resides on infected computer systems and is designed to steal user log-in credentials and resides on infected customer systems."

The Dyre malware is grabbing user credentials in order to access business information of organizations that use Salesforce SaaS offerings, Dana Tamir, director, Enterprise Market Research, at IBM Trusteer, told eWEEK.

"The use of the Dyre Trojan, which was primarily known as a banking Trojan, to target enterprise customers of the popular SaaS company is not surprising," Tamir said. "This is an emerging trend that we've been seeing over the last few years, but it is rapidly growing momentum."

Banking Trojans, originally designed to steal information from users of online banking services, are now being repurposed to steal information from other online services, she said.

Tamir isn't the only security expert that isn't surprised by the emergence of Dyre being used against Salesforce customers. Kevin Epstein, vice president, Infosecurity and Governance, at Proofpoint, told eWEEK that it is not at all surprising to see customers of large entities targeted by massive phishing campaigns and credential-stealing malware such as Dyre.

"Criminals pursue financially lucrative targets, and the large volumes of information stored in CRM systems are unquestionably valuable," Epstein said.

Epstein added that Dyre and other information-stealing malware seem likely to continue to be popular, in part, because of the fact that they enable additional attacks from the gathered information.

"For example, we've seen, not only the attacks mentions, but as recently as 24 hours later, on Sept 4th, [we saw] subsequent 'you have an invoice due' phishing attacks on targets likely listed in Salesforce, sent from compromised computers," Epstein said.


Tamir explained that Trojans like Dyre are typically disseminated using massive distribution methods.

"The use of massively distributed malware means that attackers don't need to spear-phish targets or design custom malware," Tamir said. "Instead, they use mass distribution techniques to infect as many PCs as possible."

She added that, according to IBM Trusteer research, on average, approximately one in five hundred machines worldwide is infected with massively distributed advanced persistent threat (APT) malware at any point in time. Additionally, Tamir noted that IBM Trusteer's Services team also reports that they discover such malware in practically every customer environment they work with.


For customers and other SaaS vendors, multiple steps can be taken to mitigate risk.

SaaS sites should ensure that they have the appropriate detection controls in place to catch suspicious log-ins for user accounts, Mat Gangwer, lead security consultant at Rook Security, told eWEEK. "They need to provide that level of assurance to customers so they know they are looking out for them," Gangwer said.

Tamir suggested that on the application side, organizations should apply stronger authentication controls, like two-factor authentication, which can reduce the risk of compromised user credentials.

Epstein said that users shouldn't click on links embedded in email. "If an email arrives claiming to be from a known Website, type that Website's home page directly into your browser, then navigate in appropriately," Epstein said. "Unknown Website? Avoid it."

Antivirus software can play a role to help detect and remove Dyre from impacted systems, though Tamir noted that users should be aware that advanced threats and APT malware are designed to evade detection by traditional antivirus solutions.

"In order to prevent being compromised, organizations should ensure their user machines are clean before they are allowed to access corporate SaaS applications," Tamir said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.