RBS among the Salesforce users targeted by 'Dyre' malware
Gang behind the Dyre Trojan believed to have been commissioned to target Salesforce users
Users of Salesforce are being targeted by malware dubbed Dyreza or Dyre by anti-virus software specialists. The malware is sophisticated enough to be able to bypass the two-factor authentication deployed by many users to guard against such attacks.
The malware first appeared in June, targeting users at major banks, including the Royal Bank of Scotland group (RBS, NatWest and Ulster Bank), as well as US banks Citibank and Bank of America.
The nature of the attacks was described as "weird" by Danish security research company CSIS, which was among the first groups to identify the Trojan. Its chief technology officer Jan Kaastrup told SC Magazine that the gang behind the attack was likely commissioned by a customer to harvest Salesforce credentials - or more information about the banks' customers.
"In theory, all user credentials have a value on the black market. This indicates that Dyreza is growing, and probably they have a customer who has said 'we would really like Salesforce' and they put it in," said Kaastrup.
Although the Trojan first appeared in June, Salesforce only notified customers on Friday, with the following advisory: "On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users."
Salesforce was quick to assert that none of its customers had been affected.
Dyre was first identified in mid-June by CSIS and PhishMe. PhishMe called it "a new strain of malware unseen in the industry until now".
Kaastrup told SC Magazine the latest version of the Trojan indicates that the gang responsible for Dyre is trying to expand its reach. "It has evolved and we have seen multiple malware campaigns running," Kaastrup said. "It's still being distributed using email techniques but the back-end infrastructure has expanded."
In the latest campaign, the malware redirects users to a look-alike copy of the Salesforce login page. It uses keystroke logging to capture usernames and passwords, and can circumvent two-factor authentication by logging in to the genuine site at the same moment the user does and relaying the user's one-time password (OTP) before it expires.
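The relay described above works because a one-time password is a bearer value: whoever presents a fresh code within its validity window is accepted, regardless of which site the user typed it into. The toy model below, added here as an illustration and not code from the article or from any vendor, contrasts that with an origin-bound challenge response, where the client mixes the origin it is actually talking to into its answer so a response produced for a look-alike page fails at the real site. All seeds, keys and origins are constructed, and an HMAC stands in for the asymmetric signature a real authenticator would produce.

```python
import hmac
import hashlib
import struct

# Constructed values for the simulation; none are real credentials or domains.
REAL_ORIGIN = "https://login.example.com"      # the genuine login page
PHISH_ORIGIN = "https://login-example.com"     # the look-alike page the victim sees
OTP_SEED = b"constructed-shared-otp-seed"      # seed shared by user and real site
USER_KEY = b"constructed-device-key"           # stands in for a device-held private key

def otp(seed: bytes, step: int) -> str:
    """Six-digit HMAC-based code for one time step (TOTP-style truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def server_accepts_otp(code: str, step: int) -> bool:
    """OTP check at the real site: any holder of a current code passes."""
    return hmac.compare_digest(code, otp(OTP_SEED, step))

def sign_challenge(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Origin-bound response: the client binds the origin it sees into the answer."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_assertion(sig: bytes, challenge: bytes) -> bool:
    """The real site only accepts responses bound to its own origin."""
    expected = sign_challenge(USER_KEY, challenge, REAL_ORIGIN)
    return hmac.compare_digest(sig, expected)

def relayed_otp_login(step: int) -> bool:
    """Victim types the code into the fake page; it is forwarded within the same step."""
    captured = otp(OTP_SEED, step)              # what the keystroke logger sees
    return server_accepts_otp(captured, step)   # accepted: the code carries no origin

def relayed_assertion_login(challenge: bytes) -> bool:
    """Same relay against origin-bound login: the victim's client signed for PHISH_ORIGIN."""
    captured = sign_challenge(USER_KEY, challenge, PHISH_ORIGIN)
    return server_accepts_assertion(captured, challenge)   # rejected: origin mismatch
```

Running both relays for the same user shows the OTP relay succeeding and the origin-bound relay failing, which is the property phishing-resistant second factors rely on.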