Salesforce.com users are being targeted by a new version of a computer Trojan that has typically attacked online banking customers until now.
The malware threat is called Dyre or Dyreza and came to light in June. Like most online banking Trojans, it hooks the browser process to capture log-in credentials entered by users on websites belonging to financial institutions.
The original Dyre version found in June by researchers from PhishMe and CSIS Security Group targeted the sites of Bank of America, NatWest, Citibank, RBS and Ulsterbank. However, it appears the program’s creators have recently added Salesforce.com to the list.
“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users,” Salesforce said in a security advisory published on its website.
“We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation,” the company said. “If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”
Salesforce advised customers to use the platform’s IP range restriction feature to allow access to accounts only from trusted corporate networks and VPNs. Enabling two-factor authentication via the Salesforce# mobile app and turning on SMS-based identity confirmation for log-in attempts from unknown sources is also recommended.
Dyreza is not the first malware program to target Salesforce. In February, researchers from a security firm called Adallom found a variant of the well-known Zeus Trojan that had been modified to scrape business data from compromised Salesforce accounts.
“This alert is yet another in a growing number of wakeup calls for SaaS [Software-as-a-Service] adopters that you cannot rely exclusively on your SaaS provider to secure your data inside of their SaaS application,” the Adallom researchers said following the new Salesforce alert. “From the perspective of Salesforce.com, this is not a vulnerability within Salesforce since the malware resides on infected customer computer systems, and therefore only the affected customer is accountable for any data that is modified, exfiltrated, or deleted through this attack.”