Last week, SC Magazine reported that Salesforce customers are being specifically targeted by Dyre, a banking trojan first uncovered in June that has previously been used against customers of large financial institutions. Although no specific compromises have yet been reported, the attackers have put substantial time and effort into building a way to steal the credentials of Salesforce users. The full article can be found here.
Salesforce and security experts agree that the vulnerability is on the client side, not in Salesforce itself. The attack begins with a phishing email: the user opens it and malicious code is downloaded onto their machine. When they later navigate to the Salesforce website, Dyre redirects them to a lookalike page and captures the credentials by logging their keystrokes. Significantly, the attack circumvents 2FA: the malware logs on at the same moment the user does and intercepts their one-time password, so a second factor that the user types into the compromised browser buys nothing here.
No one is quite sure what the attackers intend to do with stolen Salesforce credentials, but all data has a market value. In this case, they may already have a buyer for the stolen information. Ultimately, it doesn’t really matter.
What matters is that this is another instance of attackers exploiting the user’s faith that their browser is taking them where they told it to go. In this case, as in many others, that faith is misplaced. Let’s take a look at how Silo would stop this attack in its tracks.
First, if the user were browsing the Internet through Silo, the initial download simply would not reach their machine. And if the user did navigate to the lookalike page, Silo would recognize it as fake and not allow the credentials to be entered. Attack defeated.
But let’s say the user does mistakenly click the link that downloads the malware. It sits on their machine waiting for them to navigate to Salesforce so that it can redirect them to the lookalike page. If the user accesses Salesforce through Silo, any keylogging or redirecting the malware does on the local machine is useless, since Silo connects and logs on only to known, verified destination web apps. Attack defeated.
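As an added illustration of what a "known, verified destination" check has to get right, here is a small Python script that is not Silo's code and not part of the original post. It treats an allowlisted domain as a suffix of the hostname (so `login.salesforce.com.evil.example` fails), ignores `user@host` and port tricks, rejects plaintext and bare-IP URLs, flags lookalike spellings of the brand, and then runs over a few constructed proxy-log lines to show where credentials would have been posted. The allowlist, the log format and the log lines are all assumptions made for this example.

```python
"""Allowlist check for SaaS login destinations plus a lookalike-domain flag.

Constructed example; not Silo's or Salesforce's code. The allowlist, the
log format and the log lines below are assumptions made for illustration.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumed allowlist of registrable domains on which a Salesforce login may happen.
VERIFIED_LOGIN_DOMAINS = ("salesforce.com", "force.com")
# Brand label -> domain it belongs to, used to score lookalike hostnames.
LOOKALIKE_TARGETS = {"salesforce": "salesforce.com"}


def parse_host(url):
    """Lowercase hostname with userinfo, port and trailing dot removed, or None."""
    try:
        host = urlsplit(url).hostname  # drops "user@" tricks and ":port"
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def host_is_verified(host):
    """True only if host IS an allowlisted domain or a subdomain of one.

    The allowlisted domain must be the suffix of the host, so
    login.salesforce.com.evil.example does not match.
    """
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)  # a bare IP is never the real SaaS login page
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in VERIFIED_LOGIN_DOMAINS)


def is_verified_destination(url):
    """Verified host AND https; a plaintext URL never counts as the real login page."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return False
    return scheme == "https" and host_is_verified(parse_host(url))


def _edit_distance(a, b):
    """Levenshtein distance, used to catch homoglyph-style spellings (salesf0rce)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(url):
    """Return the verified domain a NON-verified host imitates, else None."""
    host = parse_host(url)
    if host is None or host_is_verified(host):
        return None
    for label in host.split("."):
        for brand, domain in LOOKALIKE_TARGETS.items():
            if brand in label or _edit_distance(label, brand) <= 2:
                return domain
    return None


# Constructed proxy log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2014-09-10T14:02:11Z alice POST https://login.salesforce.com/ 200
2014-09-10T14:05:42Z bob POST https://login.salesforce.com.secure-update.example/ 200
2014-09-10T14:06:03Z carol GET https://www.example.org/ 200
2014-09-10T14:07:19Z dave POST https://salesf0rce.com/login 302
2014-09-10T14:08:55Z erin POST http://login.salesforce.com/ 200
"""


def flag_credential_posts(log_text):
    """Return (user, url, reason) for every POST that is not to a verified destination."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing at them
        _ts, user, method, url, _status = fields
        if method != "POST" or is_verified_destination(url):
            continue
        if host_is_verified(parse_host(url)):
            reason = "verified host reached over plaintext http"
        else:
            imitated = lookalike_of(url)
            reason = f"lookalike of {imitated}" if imitated else "not a verified destination"
        hits.append((user, url, reason))
    return hits


if __name__ == "__main__":
    for user, url, reason in flag_credential_posts(SAMPLE_PROXY_LOG):
        print(f"{user}: {url} -> {reason}")
```

Run against the constructed log, the script flags bob and dave (credentials posted to lookalike hosts) and erin (the genuine host, but over plaintext http), and leaves alice alone. The point of the suffix match and the `hostname` parsing is that the two classic lookalike tricks, prefixing the real domain and hiding it in the userinfo part of the URL, both fail the check.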
When it comes to phishing attacks like Dyre, we, as users, are our own worst enemy. Even the best educated and most skeptical users will eventually type their credentials in the wrong place. It’s an inevitability. Silo can save us from the bad guys. And from ourselves.