Dyreza malware descends on Salesforce

Read time 2min 30sec
Targeting Salesforce is new behaviour for the Dyreza malware, which typically targets financial institutions.
Targeting Salesforce is new behaviour for the Dyreza malware, which typically targets financial institutions.

Clients of customer relationship management solutions provider Salesforce are being targeted by the Dyreza malware (aka Dyre).

This particular malware strain has been seen targeting banks and falls into a class of man-in-the-middle trojans.

Zulfikar Ramzan, CTO at cloud security company Elastica, says targeting Salesforce is new behaviour for this malware, but there is no reason why it could not be readily adapted to target Salesforce, or any other SaaS application for that matter.

Currently, Salesforce customers number more than 100 000 organisations and millions of subscribers.

In a security alert, Salesforce says on 3 September 2014, one of its security partners identified that the Dyre malware, which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users.

"We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance," the company says.

Ramzan explains that the malware will typically infect a system via straightforward social engineering mechanisms. For example, he says, a victim will receive an e-mail containing a hyperlink with messaging that entices the victim to click on it. Upon doing so, the victim is presented with the Dyreza malware for download.

Once installed on the system, Ramzan adds, the Dyreza malware will, among other things, employ a technique known as browser hooking. Browser hooking allows Dyreza to intercept content entered by the user into the Web browser before that content is transmitted over the network to a Web site - and browser hooking, specifically, allows this interception to occur before the data is encrypted.

"More so, Dyreza will syphon the victim's traffic to a special server it controls rather than to the actual SaaS service, like Salesforce, with whom the user thought he was communicating. At this point, the attacker will have access to the victim's credentials - eg, their username, password and also any additional two-factor authentication token values."

According to Ramzan, the attacker can leverage this information to impersonate a user and fraudulently access their account for Salesforce or other SaaS services targeted by Dyreza.

As a first step, Salesforce recommends that users work with their IT security team to validate that their anti-malware solution is capable of detecting the Dyre malware.

"If you believe you have been impacted by this malware and would like assistance from, please open a security support case at, select 'security' as the product topic, and our team will work with you to investigate this issue," the company says.

Login with