Cloud application security specialists have warned salesforce.com (SFDC) users about vulnerabilities in the application that cybercriminals exploit to harvest user credentials. Phishing attacks trick users into clicking a link that appears to lead to salesforce.com. Such links are difficult even for spam filters and anti-phishing solutions to identify, let alone for the user.
In 2007, an incident detected by an Atlanta-based financial institution revealed how a single click on an email link compromised its entire SFDC organization. The click released a Trojan that retrieved SFDC passwords. The cybercriminals then used those passwords to access information belonging to thousands of undisclosed ADP and SFDC customers.
In 2014, Salesforce.com alerted its customers to the DYRE malware*, which usually targets customers of large financial institutions. Cybercriminals had produced a version that threatens salesforce.com users.
DYRE phishing attacks usually consist of emails that look like genuine messages from SFDC, carrying links or attachments as shown below. Such emails often use scare tactics to get users to download the linked malware and/or execute the attachments.
[Figure: Dyre sample emails. Source: spamstopshere & trendmicro]
The links usually point to a Trojan attachment or URL which, if executed, initiates a ‘man-in-the-middle’ attack that quietly gathers credentials and user data. Some versions disable Windows firewall registry entries.
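The lookalike links described above are the part of the attack a mail gateway or a help desk can check mechanically: does the link's real host belong to Salesforce, and does the visible text agree with it? The script below is an added example (not code from the article, Salesforce, or any vendor named here). It assumes that only the registrable domains in TRUSTED_DOMAINS count as genuine, and the HTML sample is constructed for illustration.

```python
"""Flag links in an HTML email that look like salesforce.com but lead elsewhere.

Added example, not from the original article. TRUSTED_DOMAINS and the
sample message are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: only these registrable domains are treated as genuine Salesforce.
TRUSTED_DOMAINS = {"salesforce.com", "force.com"}

# Captures (href, visible anchor text) for every <a ...>...</a> in the body.
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (sufficient for the .com domains above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a single URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name in a subdomain, the path, or the userinfo part
    # ("salesforce.com@evil.example") is what fools a quick glance.
    haystack = (parsed.netloc + parsed.path).lower()
    if "salesforce" in haystack or "sfdc" in haystack:
        return "lookalike"
    return "other"


def audit_html(html: str) -> list:
    """Classify every anchor; a brand name in the visible text with a
    non-trusted href is reported as 'text-mismatch' (strongest signal)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        verdict = classify_link(href)
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if verdict != "trusted" and "salesforce" in visible.lower():
            verdict = "text-mismatch"
        findings.append({"href": href, "text": visible, "verdict": verdict})
    return findings


# Constructed sample body: one genuine link, one lookalike, one unrelated link.
SAMPLE_EMAIL = """
<p>Your invoice is ready. <a href="https://login.salesforce.com/">Sign in</a></p>
<p>Or review it here:
<a href="http://salesforce.com.invoice-review.example/doc.zip">https://salesforce.com/invoice</a></p>
<p>Details: <a href="https://cdn.example/files/x">here</a></p>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_EMAIL):
        print(f"{finding['verdict']:14} {finding['href']}  (text: {finding['text']})")
```

A real deployment would resolve redirectors and apply a public-suffix list instead of the two-label shortcut, but the two checks shown (registrable domain of the href, and visible text that names the brand while the href does not) are the ones that catch the message style this article describes.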
Salesforce reacted by raising mandatory security levels for all customer organizations, for example by removing the ability to trust any IP in your organization with a single IP range entry.
IT admins who still want to trust any IP for their SFDC org are forced to take responsibility for lowering the org's security by creating a minimum of 254 range entries. Admins are advised to trust incoming connections only from VPNs and corporate static IPs.
This measure alone is not enough to protect you. DYRE may surreptitiously download and install additional malware, such as VNC or other remote-management tools, on the infected system, circumventing IP trust settings.
Analysis of the newest versions of DYRE and similar attacks (UPATRE, ZBOT, CRILOCK, and ROVNIX) reveals designs intended to defeat email blacklists and the best filtering products. Even the best-known products may detect and block only 65% of these phishing attempts.
SFDC recommends the following initial steps to minimize phishing risk:
• Train your users to spot phishing or spoofed emails
• Force shorter password expiration periods
• Enable SMS-text identity confirmation to allow SFDC logins from unknown locations
• Enable mobile 2-step identity verification
• Enable SAML authentication and require all authentication attempts to be sourced from your network or your VPN
• Perform third-party security assessments and audits by trustworthy companies experienced in the field (preferably SFDC partners for your SFDC concerns)
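Both the IP-range change described earlier (a single "trust everything" entry is gone; admins are told to trust only VPN and corporate static addresses) and the last-but-one recommendation (source all authentication from your network or VPN) come down to the same administrative task: turning a short list of corporate CIDRs into explicit start/end range entries and confirming how much of the internet those entries actually admit. The script below is an added example, not Salesforce's code or the article's. It assumes a start/end entry layout, treats MAX_ADDRESSES_PER_ENTRY as an organisational ceiling rather than a documented Salesforce limit, and uses constructed CIDRs.

```python
"""Expand corporate CIDRs into start/end login IP range entries, measure how
much of IPv4 space they trust, and check a login's source address against them.

Added example, not Salesforce's or the article's code. MAX_ADDRESSES_PER_ENTRY
is an assumed policy ceiling; the CIDR list is constructed for illustration.
"""
import ipaddress

# Assumption: no single entry may span more than a /16 (65,536 addresses).
MAX_ADDRESSES_PER_ENTRY = 2 ** 16

# Constructed sample: an office block, a small static NAT pool, a VPN pool.
CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.8/29", "10.0.0.0/15"]


def cidrs_to_entries(cidrs):
    """Return [(start, end), ...] entries, splitting blocks over the ceiling."""
    entries = []
    # Prefix length whose block size equals the ceiling (2**16 -> /16).
    ceiling_prefix = 32 - (MAX_ADDRESSES_PER_ENTRY.bit_length() - 1)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {cidr}")
        if net.num_addresses <= MAX_ADDRESSES_PER_ENTRY:
            entries.append((str(net[0]), str(net[-1])))
        else:
            for sub in net.subnets(new_prefix=ceiling_prefix):
                entries.append((str(sub[0]), str(sub[-1])))
    return entries


def _bounds(entry):
    start, end = entry
    return int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))


def trusted_fraction(entries):
    """Fraction of the IPv4 space admitted by the entries (1.0 = everything)."""
    total = sum(hi - lo + 1 for lo, hi in map(_bounds, entries))
    return total / 2 ** 32


def login_allowed(entries, source_ip):
    """True if the login's source address falls inside any entry."""
    ip = int(ipaddress.IPv4Address(source_ip))
    return any(lo <= ip <= hi for lo, hi in map(_bounds, entries))


if __name__ == "__main__":
    ranges = cidrs_to_entries(CORPORATE_CIDRS)
    for start, end in ranges:
        print(f"{start:>15} - {end:<15}")
    print(f"{len(ranges)} entries trust {trusted_fraction(ranges):.6%} of IPv4")
    for probe in ("203.0.113.77", "10.1.200.3", "203.0.114.1"):
        print(probe, "allowed" if login_allowed(ranges, probe) else "blocked")
    # The configuration the article says is no longer a one-liner:
    everything = cidrs_to_entries(["0.0.0.0/0"])
    print(f"'trust any IP' needs {len(everything)} entries at this ceiling "
          f"and trusts {trusted_fraction(everything):.0%} of IPv4")
```

The trusted_fraction figure is the review check worth keeping: an org whose entries admit a measurable share of the internet has recreated the open configuration by hand, and, as the article notes, even a tight list does not help once malware on a trusted workstation is relaying the session.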
It is crucial to detect such attacks and protect users, because stolen credentials can be used to extract sensitive data, and that extraction can go undetected for a long time.
* In June 2015, Trend Micro warned of a 125% increase in DYRE-type attacks from Q4 2014 to Q1 2015.