Dyre steals users' names and passwords and is sophisticated enough to bypass two-factor authentication (2FA) checks.
It first appeared in June, attacking mainly UK customers of NatWest Bank, RBS, Ulster Bank, Citibank and Bank of America.
The latest move to target Salesforce's massive user base is described as “weird” by Danish security research firm CSIS, which was one of the first to spot the Trojan.
CSIS CTO Jan Kaastrup told SCMagazineUK.com it is likely that the gang behind Dyre have been deliberately asked by a ‘customer' to get Salesforce customer credentials.
Salesforce first alerted its users to the deliberately-targeted attacks in an advisory late last Friday. It said: “On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users.”
The company added: “We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation.”
CSIS has confirmed: “We can document that Salesforce is being targeted.”
Headquartered in San Francisco, Salesforce is a US$ 5 billion (£3 billion) turnover company providing cloud-based CRM and other software. It does not publish customer numbers but industry watchers estimate around 160,000 organisations use Salesforce and that it has over five million subscribers.
A Salesforce spokesperson declined to give any more information than the official advisory, telling SC: “The trust of our customers is our top priority. I would recommend that customers who have any issues - there's a trust.salesforce.com website for any details on this.”
Dyre was first spotted in mid-June almost simultaneously by CSIS and researchers at PhishMe. PhishMe called it “a new strain of malware unseen in the industry until now”.
Jan Kaastrup at CSIS said the latest manifestation shows the criminals behind Dyre are expanding its reach.
“It has evolved and we have seen multiple malware campaigns running,” Kaastrup told SC. “It's still being distributed using email techniques but the back-end infrastructure has expanded.”
In the latest attack, the malware sends customers to a lookalike of the official Salesforce site. It uses keylogging to capture the user's name and password, and can also circumvent 2FA checks by simultaneously logging in when the user does and intercepting their one-time password (OTP).
Kaastrup commented: “The way Salesforce is being targeted is actually very weird. Normally it has only been banks. They have made up a phishing site for Salesforce. They are going direct for Salesforce customers. Now why would they do that?
“In theory, all user credentials have a value on the black market. This indicates that Dyreza is growing, and probably they have a customer who has said ‘we would really like Salesforce' and they put it in.”
He added: “When the user tries to go on the Salesforce website, Dyreza will intercept that communication and forward the request to the phishing site. So the user name and password is submitted to the phishing site which is owned by the Dyreza guys, and they will have stolen the credentials of Salesforce, and the user will not even be notified.”
Salesforce's 5 September advisory says: “If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.
“This is not a vulnerability within Salesforce. As a first step, we recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware.
“If you believe you have been impacted by this malware and would like assistance from salesforce.com, please open a security support case at https://help.salesforce.com, selecting security as the product topic, and our team will work with you to investigate this issue.”