Attackers are targeting Salesforce users with malicious emails designed to trick victims into downloading the Dyreza malware onto their computers, the software-as-a-service giant warned customers earlier this week.

Salesforce said it was not aware of any customers who have been affected by the attacks. The attackers have not compromised Salesforce systems.

The attacks typically utilize social engineering tactics to trick users into clicking on a website link in an email. The site then downloads Dyreza onto the victim’s computer. The malware hooks into the browser and intercepts all the information users enter on websites, such as account credentials on login screens and other data on Web forms. Since Dyreza diverts user traffic to the remote server, the malware can also intercept two-factor authentication values as well.

Dyreza has been implicated in past attacks against financial institutions, such as the recent attempt to steal user credentials from JPMorgan Chase employees. However, Dyreza (or Dyre as some security companies call it), is not a variant of Zeus or other banking Trojans.

Some security experts suggested the attackers were shifting tactics from financial fraud to just looking for any kind of corporate data. “Data is the new gold and attackers are looking to get to the crown jewels and many companies store critical sales and business information in Salesforce,” said Eric Chiu, president and co-founder of cloud control company HyTrust.

Other experts said it was more likely that attackers were planning on monetizing user credentials, such as by selling them on underground markets. “While similar commoditized malware has been used for ‘corporate espionage’ in the past, in this case it is more likely that the targeting of Salesforce credentials is instead an attempt to collect corporate credentials for financial gain,” iSIGHT Partners said via email.

Salesforce outlined suggestions on mitigating the risks associated with this attack on its website. Administrators can restrict IP addresses so that only users from the corporate network, or via the virtual private network (VPN) are allowed to log in to Salesforce. This step would block Dyreza since Salesforce would reject attempts to access the system from other servers.

Leave a Reply