The Channel


By Iain Thomson, 8th September 2014 23:13

Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins

But attacks weren't the cause of server outage, we're told

Salesforce has warned that miscreants are trying to infect its customers with a remote access trojan (RAT) dubbed Dyre that siphons off login data.

"On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users," an advisory states.

"We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance."

The advisory points out, correctly, that this isn't a flaw in Salesforce's software per se, but that the malware, which had previously targeted online banking, is now being used against the cloudy CRM firm's customers. Once it's installed on a Windows PC, usually via a phishing attack, the software nasty then looks out for data sent from web browsers – even SSL-encrypted data – and siphons it off to its masters.

Salesforce recommends that users make sure the malware's signature is added to their antivirus software, and that IT admins restrict the range of IP addresses from which users can log into Salesforce servers. Adding two-factor authentication is also suggested.

Sources familiar with the matter said that the malware was not a factor in the outage Salesforce suffered on Friday. That incident has now been resolved and Salesforce's status page shows all instances working as they should.

What is curious about the warning is the motive for trying to get at Salesforce's customers using the Dyre malware. The sophisticated code, first discovered in June, tried to crack two-factor authentication and conduct man-in-the-middle attacks to hijack victims' accounts, but has almost exclusively targeted the lucrative banking sector.

It could be that persons unknown have bought a copy of the malware and are using it for a CRM-specific attack. If so, that would be an unpleasant first for the firm, and one that could have very negative consequences for its image. ®
