Dyre, also known as Dyreza and Dyranges by Symantec, is a malware family notorious for pursuing banking credentials. Dyre focuses mainly on the customers of Bank of America and Citibank, RBS and Natwest in the UK, and Ulster Bank in Ireland. Recently it became clear that it is also a menace to Salesforce customers.
How Does Dyre Enter the User’s Computer?
The banking password stealer was picked up by malware researchers when they discovered that it could undermine the SSL that protects HTTPS sessions. It also tries to circumvent the two-factor authentication that most European banks require.
Malware experts say that the attackers control the traffic through a man-in-the-middle approach, which lets them read everything, including the SSL traffic. In this way, Dyre can steal the credentials for many banks.
The targets in the UK were lured by fake invoice emails or phishing emails into clicking on links that delivered the malware. The links purported to lead to payroll data from the UK-based software vendor Sage. In the United States, the victims received phishing emails disguised as rejected federal tax payment notifications, or messages pretending to be faxes from Epson.
How Does Dyre Affect the User’s Computer?
Dyre resides on the infected computer but does not damage its software, so the victim typically sees no sign of the infection. The cyber criminals confirm that Dyre uses the browser-hooking technique for Chrome, Firefox and Internet Explorer. This means that the malware collects data whenever the infected user connects to a website on the malware's target list.
Dyre: How to Reduce the Risk of Infection
Dyre is similar in function to Zeus; however, malware analysts think that it is not related to that malware. Users can reduce the risk of infection by doing the following:
- Activate IP range restrictions so that users are allowed to access salesforce.com only from the corporate network or VPN.
- Use SMS identity confirmation to protect logins in cases where Salesforce credentials are used from an unidentified source.
- Use Salesforce#, which provides an extra two-step verification layer of security.
- Leverage SAML authentication capabilities to require that each authentication attempt is sourced from the user's network.
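The first two recommendations above amount to a login policy: credentials presented from outside the corporate network or VPN are either rejected outright (IP range restriction) or challenged with an identity confirmation step. The following is an added example, not code from the original article or from Salesforce; the corporate/VPN ranges, the log format and the policy names are assumptions, and the login records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical corporate and VPN ranges (RFC 5737 documentation addresses).
CORPORATE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),  # office network
    ipaddress.ip_network("203.0.113.0/25"),   # VPN address pool
]


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    device_known: bool  # device already confirmed via identity check


def evaluate_login(attempt, allowed=CORPORATE_RANGES, enforce_ip_restriction=True):
    """Return 'allow', 'deny' or 'require_identity_confirmation'.

    Credentials stolen by a browser-hooking trojan are replayed from the
    attacker's infrastructure, not from the victim's network, so a login
    from outside the allowed ranges is the case the policy must catch.
    """
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return "deny"  # malformed source address: never treat as trusted
    if any(ip in net for net in allowed):
        return "allow"  # corporate network or VPN
    if enforce_ip_restriction:
        return "deny"  # IP range restriction blocks replay from outside
    # Weaker posture without IP restriction: challenge unknown sources.
    return "allow" if attempt.device_known else "require_identity_confirmation"


# Constructed login records in an assumed "ts key=value ..." format.
SAMPLE_LOG = """\
2014-10-01T09:02:11Z user=alice ip=198.51.100.23 device=known
2014-10-01T09:05:48Z user=alice ip=192.0.2.77 device=unknown
2014-10-01T09:07:03Z user=bob ip=203.0.113.9 device=unknown
2014-10-01T09:09:30Z user=bob ip=not-an-ip device=known
"""


def parse_line(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, LoginAttempt(fields["user"], fields["ip"], fields["device"] == "known")


def triage_log(text, **policy):
    """Apply the policy to each record; returns (timestamp, user, decision)."""
    return [(ts, a.user, evaluate_login(a, **policy))
            for ts, a in (parse_line(l) for l in text.splitlines() if l.strip())]
```

Running `triage_log(SAMPLE_LOG)` denies alice's second login from 192.0.2.77, which is exactly the replay-from-elsewhere pattern the IP restriction is meant to stop; `triage_log(SAMPLE_LOG, enforce_ip_restriction=False)` instead escalates it to an identity confirmation.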