The Channel logo


By | Iain Thomson 8th September 2014 23:13

Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins

But attacks weren't the cause of server outage, we're told

Salesforce has warned that miscreants are trying to infect its customers with a remote access trojan (RAT) dubbed Dyre that siphons off login data.

"On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users," an advisory states.

"We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance."

The advisory points out, correctly, that this isn't a flaw in Salesforce's software per se, but that the malware, which had previously targeted online banking, is now being used against the cloudy CRM firm's customers. Once it's installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.

Salesforce recommends users make sure malware's signature is added to antivirus software and that IT admins restrict the range of IP addresses users can log into Salesforce servers from. Adding two-factor authentication is also suggested.

Sources familiar with the matter said that the malware was not a factor in the outage Salesforce suffered on Friday. That incident has now been resolved and Saleforce's status page now shows all instances working as they should.

What is curious about the warning is the motive for trying to get at Salesforce's customers using the Dyre malware. The sophisticated code, first discovered in June, tried to crack two-factor authentication and conduct man-in-the-middle attacks to hijack victims' accounts, but has almost exclusively targeted the lucrative banking sector.

It could be that persons unknown have bought a copy of the malware and are using it for a CRM-specific attack. If so that would be an unpleasant first for the firm, and one that could have very negative consequences for its image. ®

comment icon Read 2 comments on this article or post a comment alert Send corrections


Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral


Locker room jocks photo via Shutterstock
Best locker-room strategy: Avoid emulating AWS directly
STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock