Dyreza trojan may pose a risk for Salesforce users
A warning has gone out to customers of Salesforce.com that the Dyreza trojan, previously targeted at banking sites, may be a risk to users of the CRM solution.
The malware uses social engineering techniques to get the victim to infect the system via email. Once installed, it uses "browser hooking" to intercept content entered by the user into the web browser before that content is transmitted over the network to a website. Critically, this allows the interception to occur before the data is encrypted.
By siphoning off traffic in this way the attacker can access the victim's credentials, including username, password and any additional two-factor authentication token values. The attacker can then use this information to impersonate a user and fraudulently access their account for Salesforce or any other SaaS services targeted by Dyreza.
Zulfikar Ramzan, the CTO of cloud security specialist Elastica, says in a blog post, "So far, none of Elastica's customers appears to have been impacted by this threat, but we are monitoring the situation closely. Elastica’s Detect, Protect, and Investigate applications all can provide protection capabilities against Dyreza and similar malware".
Salesforce itself offers additional means of protection such as IP address restrictions to ensure that access comes from within the corporate network or VPN. It also offers SAML (Security Assertion Markup Language) authentication to further secure access.
Because the trojan siphons off information before it reaches the legitimate servers, it's able to intercept two-factor authentication token values so the attackers can exploit them in real time. Customers therefore need to be alert to potential compromises.
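The two defensive points above, restricting access to corporate or VPN address ranges and watching for credentials (with their one-time codes) being replayed from elsewhere in real time, can be checked against login records. The following is an added illustration, not code from the article, Salesforce or Elastica; the network ranges, the login events and their field layout are constructed for the example and do not reflect any real login-history format.

```python
from ipaddress import ip_address, ip_network
from datetime import datetime, timedelta

# Corporate network and VPN ranges (constructed for this example).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.8.0.0/16")]

# Constructed sample login events: (timestamp, user, source IP, outcome).
# alice's second login arrives a minute later from an unrelated address,
# the shape a stolen password plus a live two-factor code would produce.
SAMPLE_LOGINS = [
    ("2014-09-08T09:00:05", "alice", "203.0.113.42", "success"),
    ("2014-09-08T09:01:10", "alice", "198.51.100.7", "success"),
    ("2014-09-08T09:30:00", "bob", "10.8.3.15", "success"),
    ("2014-09-08T13:15:00", "bob", "10.8.3.15", "success"),
]


def outside_allowed_networks(ip):
    """True when the source address is not inside any allowed range."""
    addr = ip_address(ip)
    return not any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious_logins(events, window_minutes=10):
    """Return alerts for (a) successful logins from outside the allowed
    ranges and (b) one user succeeding from two different addresses within
    `window_minutes`, the trace a real-time credential replay leaves."""
    alerts = []
    last_seen = {}  # user -> (timestamp, ip) of the last successful login
    for ts_str, user, ip, outcome in sorted(events):
        if outcome != "success":
            continue
        ts = datetime.fromisoformat(ts_str)
        if outside_allowed_networks(ip):
            alerts.append(("outside_network", user, ip))
        prev = last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= timedelta(minutes=window_minutes):
            alerts.append(("concurrent_source", user, f"{prev[1]} -> {ip}"))
        last_seen[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOGINS):
        print(alert)
```

Enforcing the allow-list at the service (as Salesforce's IP restriction does) blocks the first case outright; the second check is what remains useful when access from arbitrary networks has to be permitted.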
Ramzan concludes, "As organizations house increasing volumes of sensitive data on SaaS applications like Salesforce, it is a certainty that attackers will find increasingly clever ways of going after this information. It is therefore important for customers to put multiple protection mechanisms in place and to have deeper visibility into how their SaaS applications are being accessed and used".