Dyre banking password stealer pursues Salesforce credentials

A growing menace for online banking customers has turned its sights on Salesforce customers.

Dyre, a piece of malware known for pursuing banking credentials, looks to have recently added Salesforce credentials to its list of targets.

Also known as Dyreza and labelled Dyranges by Symantec, the Dyre malware was picked up by researchers this June. It was discovered that Dyre could bypass SSL, meant to protect HTTPS sessions, and steal credentials for a number of large banks.

An analysis by PhishMe in June found Dyre was targeting customers of Bank of America and Citibank, Natwest and RBS in the UK, and Ulster Bank in Ireland. However, last weekend Salesforce warned customers that it "may now also target some Salesforce users".

To net victims, Dyre's operators were luring UK targets into clicking links to malware contained in phishing emails. The links purportedly led victims to payroll data from UK software vendor Sage, according to PhishMe.

Danish security company CSIS also found fake invoice emails targeting UK victims. For US targets, the phishing emails posed as rejected federal tax payment notifications. Other examples of phishing emails leading to Dyre malware include messages pretending to be a fax from Epson.

Peter Kruse, eCrime specialist at CSIS, said that Dyre/Dyreza uses a technique known as "browser hooking" for Internet Explorer, Chrome, and Firefox. The malware harvests data at any point an infected user connects to a website specified in the malware, he added.

Kruse explained how the malware undermines SSL and attempts to bypass two-factor authentication required by many banks in Europe. "The traffic, when you browse the internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent two-factor authentication."

Though carrying similar functions to Zeus, Kruse believes it is not related to the better-known malware.

In its alert, Salesforce said the malware resides on an infected machine and is not a vulnerability in its software, nor has it found evidence that its customers have been impacted.

It issued the following advice:

  • Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN
  • Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source
  • Implement Salesforce#, which provides an additional layer of security with two-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
  • Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
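The first two controls above, IP range restrictions and a second factor on logins from an unknown source, can be modelled as a policy check over login events. The following is an added example, not code from the article, Salesforce or CSIS: the event fields, the allowed ranges (RFC 5737 test addresses standing in for a corporate network and VPN pool) and the sample events are all constructed. The point it illustrates is that a password stolen by a trojan like Dyre is still a valid password, so a check on where the credentials are used from catches what a password check alone cannot.

```python
"""Evaluate login events against an IP-range and second-factor policy.

Added example (not from the article or from Salesforce). Field names,
allowed ranges and sample events are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: ranges an admin would register as the only permitted login
# sources. These are RFC 5737 documentation addresses, not real networks.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (placeholder)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN address pool (placeholder)
]


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    second_factor: bool  # True if an SMS code / authenticator app was verified


def in_allowed_range(ip: str) -> bool:
    """True if the address falls inside a permitted range (IPv4 or IPv6).
    An unparsable address is treated as outside every range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RANGES)


def evaluate(event: LoginEvent) -> str:
    """Return the policy verdict for one login event.

    "allow"     - inside the corporate ranges with a second factor verified.
    "challenge" - inside the ranges but no second factor: prompt for one.
    "deny"      - outside the ranges: a correct password presented from an
                  unknown source, which is what stolen credentials look like.
    """
    if not in_allowed_range(event.source_ip):
        return "deny"
    if not event.second_factor:
        return "challenge"
    return "allow"


def triage(events):
    """Group users by verdict. The "deny" bucket is the one to investigate:
    a valid password arriving from outside the network suggests the password
    was captured rather than mistyped."""
    verdicts = {"allow": [], "challenge": [], "deny": []}
    for ev in events:
        verdicts[evaluate(ev)].append(ev.user)
    return verdicts


# Constructed sample events (hypothetical users and addresses).
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.17", True),   # office, second factor present
    LoginEvent("bob", "198.51.100.9", False),    # VPN, password only
    LoginEvent("alice", "192.0.2.44", True),     # correct password, unknown source
]

if __name__ == "__main__":
    for verdict, users in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:9s} {users}")
```

The third sample event is the case the advisory is about: the credentials are correct and even a second factor may have been relayed through the attacker's man-in-the-middle position, yet the login is still refused because it does not originate from the corporate network. In practice the same decision is delegated to the identity provider via SAML, as the fourth bullet suggests, rather than re-implemented in application code.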
