5 Things Salesforce Users Should Know About Malware Attack

The malware is coming! The malware is coming!

Yep, it's a dreaded reality of life in the software industry. Technology does cool things for us, but it can bite us at any minute.

We reported this week that CRM giant Salesforce warned its users they could be targeted by a malware attack that usually hits customers of large, well-known financial institutions. Salesforce released a statement Sept. 3 that one of its security partners concluded that the Dyre malware (also known as Dyreza) "may now also target some Salesforce users."

The questions now are: What can Salesforce users do, and what should they know? CMSWire caught up with Zulfikar Ramzan, chief technology officer for San Jose, Calif.-based Elastica, to discuss.

Valuable Data

So why target Salesforce in the first place? Of course, there's a wealth of data -- data that can be used in the stock market, for starters.

"You can get lists of customers and prospects, which might be of use to customers," Ramzan said. "Moreover, you can generate financial forecasts, which may help predict a company's revenue before that information is public. This knowledge could prove materially useful in predicting a company's stock price."

Has Salesforce been targeted a lot recently?

There were reports earlier this year of a variant of the Zeus malware exhibiting similar behavior on Salesforce, according to Ramzan.

"That said," he added, "these threats do not appear to be widely spread. What concerns me, more fundamentally, is that highly specific threats can easily fall below the radar for many. As a result, it will be a while before they are noticed and acted upon."

Salesforce Acted Quickly

In terms of security response, Salesforce did not drop the proverbial security ball on this one, Ramzan believes.

"From my vantage point, Salesforce handled the situation exceptionally well," Ramzan said. "They proactively sent out a communication to their customers -- even before any observed use of the malware to pilfer customer data."

Ramzan said he expects Salesforce to be monitoring the situation closely and determining if this threat, or one similar to it, will target actual customer data in the near future.

Reached by CMSWire this week, a Salesforce representative issued a statement, saying, "At salesforce.com, trust is our No. 1 value and we take the protection of our customers' data very seriously. Please visit trust.salesforce.com for information."

Security Hole?

The first thing many probably assume when potential malware attacks arise: my provider has security flaws. But here, with Salesforce, Ramzan said this is "not necessarily" the case.

"The core issue here is that the end user system was compromised and used as a conduit," he said. "SaaS application vendors, in general, focus on protecting against attacks on their back-office infrastructure -- what I often term back-door attacks. SaaS vendors generally tend to assume that front-door attacks, like phishing or malware-related compromises, are out of scope for them."

Salesforce and other SaaS vendors could put some mechanisms in place to monitor usage and identify fraudulent activity, Ramzan added, "but doing so is not really their bailiwick." 

User Recommendations

Salesforce users should configure their system in such a way that Salesforce only accepts connections coming from a corporate network or VPN, Ramzan said. Doing so, he said, makes it harder for a rogue entity to steal passwords and use them elsewhere.

"Another action would be to enable two-factor authentication," he said. "While doing so might not entirely prevent the fallout from issues like Dyreza, it can potentially raise the bar for attackers because it requires them to leverage passwords in real time. In this case passwords cannot be resold in the underground markets, which changes the fundamental economics of credential theft and might deter some would-be attackers."

Title image by hxdbzxy / Shutterstock.