UPDATED 07:45 EDT / SEPTEMBER 09 2014

Salesforce under attack: Dyre malware slurping CRM data

Salesforce.com is warning that malicious types are trying to attack customers with a remote access Trojan called Dyre that’s designed to slurp users’ login credentials.

The company has just issued an alert which states: “On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users.”

“We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”

Salesforce.com points out that the vulnerability isn’t really its fault. The malware doesn’t infect computers via a flaw in Salesforce’s software. Instead it uses a different route – usually a phishing attack. However, once the Trojan has infected a PC it is directed to siphon off data from Salesforce users, rerouting the data back to its master. Salesforce said the malware even steals SSL-encrypted data.

To avoid any unwanted data theft incidents, Salesforce is recommending users ensure the malware’s signature is added to their antivirus software. Furthermore, it says admins should restrict the range of IP addresses users can log in to Salesforce.com from. It also recommends adding two-factor authentication if you want to be doubly, extra-safe from any attacks.

Users might recall a short outage affecting Salesforce.com on Friday; however, the company says the malware was not a factor in this. Whatever did cause that incident has now been fixed and Salesforce’s status page shows that all instances are up and running as they should be.

What is interesting is why the attackers are so interested in stealing data from Salesforce’s customers. The company declined to speculate on this, but notes that until now Dyre has almost exclusively been used to attack the lucrative world of online banking.

One theory is that the attackers are using Dyre to try and carry out a CRM-specific attack. If that is the case, and if the attack succeeds, whichever company is being targeted would be in very ‘dire’ straits.

