
Dyre Malware Focuses on Salesforce Credentials

Dyre, also known as Dyreza and Dyranges (the name Symantec uses), is malware notorious for pursuing banking credentials. It focuses mainly on customers of Bank of America and Citibank, RBS and Natwest in the UK, and Ulster Bank in Ireland. Recently it became clear that it also poses a threat to Salesforce customers.

How Does Dyre Enter the User’s Computer?

This banking password stealer was picked up by malware researchers when they discovered that it could undermine the SSL that protects HTTPS sessions. It also tries to circumvent the two-factor authentication required by most European banks.

Malware experts say that the attackers control the traffic through a man-in-the-middle approach, which lets them read everything, including the SSL-protected traffic. In this way, Dyre can steal credentials for many banks.

Targets in the UK were lured by fake invoice emails or phishing emails into clicking on links that delivered the malware. These links claimed to lead to payroll data from the UK-based software vendor Sage. In the United States, the victims received phishing emails disguised as rejected federal tax payment notifications, or messages pretending to be faxes from Epson.

How Does Dyre Affect the User’s Computer?

Dyre resides on the infected computer without damaging the software installed on it, so the victim sees no sign that the machine is compromised. Dyre is confirmed to use the browser hooking technique against Chrome, Firefox and Internet Explorer. This means that the malware collects data whenever the infected user connects to a website on the list built into the malware.

Dyre: How to Reduce the Risk of Infection

Dyre is similar in function to Zeus; however, malware analysts think it is not related to that malware. Users can reduce the risk of infection by doing the following:

  • Activate IP Range Restrictions so that users are allowed to access salesforce.com only from your corporate network or VPN.
  • Use SMS Identity Confirmation to protect logins in cases when Salesforce credentials are used from an unidentified source.
  • Use Salesforce#, which provides an extra two-step verification layer of security.
  • Leverage SAML authentication capabilities to require that each authentication attempt originates from the user’s network.
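As an added illustration of the IP Range Restrictions point (this is example code, not from the article or from Salesforce), the following Python script audits a constructed login-history export against corporate address ranges and flags successful logins from anywhere else. The ranges and login records are made-up sample values.

```python
import ipaddress

# Corporate egress ranges (constructed example values, not from the article).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN pool (TEST-NET-2)
]

# Constructed login events, modelled loosely on a login-history export:
# (username, source IP, login status).
LOGIN_EVENTS = [
    ("alice@example.com", "203.0.113.45", "Success"),
    ("bob@example.com", "198.51.100.7", "Success"),
    ("carol@example.com", "192.0.2.99", "Success"),        # outside allowed ranges
    ("alice@example.com", "192.0.2.100", "Failed: Invalid Password"),
    ("dave@example.com", "not-an-ip", "Success"),          # malformed record
]


def is_corporate(ip_text, ranges=CORPORATE_RANGES):
    """Return True if ip_text parses and falls in one of the allowed ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # treat unparseable addresses as untrusted
    return any(addr in net for net in ranges)


def flag_external_logins(events, ranges=CORPORATE_RANGES):
    """Return successful logins whose source is outside the corporate ranges.

    With an IP range restriction enforced these should not occur at all;
    if they do appear, the restriction is misconfigured or being bypassed,
    e.g. by stolen credentials replayed from an attacker's machine.
    """
    flagged = []
    for user, ip_text, status in events:
        if status == "Success" and not is_corporate(ip_text, ranges):
            flagged.append((user, ip_text))
    return flagged


if __name__ == "__main__":
    for user, ip_text in flag_external_logins(LOGIN_EVENTS):
        print(f"review: {user} logged in successfully from {ip_text}")
```

Failed attempts from outside the ranges are deliberately ignored here; they are expected noise once the restriction is in place, whereas a success from outside is the signal worth investigating.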

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when a piece of malware locked her out of her own computer.
