clock menu more-arrow no yes mobile

Filed under: Warns of Malware Attacks

Keystroke-recording software may seek to steal your Salesforce login info.

Cloud software giant just warned its customers of a new software attack that may be targeting its users.

The malware is called Dyre — and sometimes also Dyreza — and it typically goes after customers of large financial institutions. Salesforce says it may now be used to attack users of its software, though it has no evidence that any of its customers have been affected yet.

According to this blog post by security researcher Jérôme Segura of Malwarebytes, the malware comes in the form of an email attachment and seeks to steal login credentials like user names and passwords by recording keystrokes.

That means that Salesforce itself is not vulnerable — there has been no hacking attack on its systems in this case. Instead, the attack is similar to someone trying to hijack your Gmail or Dropbox account.

Salesforce is recommending that IT departments require employees to log in via corporate VPNs and add two-factor authentication.

Its full statement on the situation is here, and also pasted in full below.

On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.
This is not a vulnerability within Salesforce. It is malware that resides on infected computer systems and is designed to steal user log-in credentials and resides on infected customer systems. If you’d like to learn more about malware, please visit
As a first step, we recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware. If you believe you have been impacted by this malware and would like assistance from, please open a security support case at, selecting security as the product topic, and our team will work with you to investigate this issue. is dedicated to helping our customers strengthen security in their own environments. In addition to following device security best practices, we recommend you leverage the following security capabilities of the Salesforce Platform:
Activate IP Range Restrictions to allow users to access only from your corporate network or VPN
Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source
Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
Please visit for the latest security information and best practices.
You can find more information about Dyre malware at

This article originally appeared on

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.