As if the recent theft of Salesforce.com credentials were not enough, the Dyre Trojan is on another spree of attacks on financial institutions and big companies, stealing their clients' certificates and browser cookies. The risk is that legitimate users could lose their unique identity to attackers, who might use those pieces of data to log in to online accounts as if they were the legitimate owners of those accounts.
Adallom, a software security firm, has discovered this strain of the Dyre banking Trojan, which was also responsible for a recent hacking of Salesforce credentials. After a thorough analysis of Dyre’s activities, security researchers at Adallom concluded that the Trojan is targeting the configuration of the log-in forms of large banks and corporations.
A couple of days ago, Salesforce.com warned its customers of a very likely data breach of their accounts. The method used for spreading the Trojan is very familiar, yet many may still find it hard to recognize: spam and phishing emails containing links that infect a computer once clicked. Another method through which the hackers perpetrate their crime is by loading a generic module that copies POST data from a browser and transmits that data to their command and control server. Although this method does not inject code, it lets the attacker receive large volumes of text data, including credentials.
An attacker also redirects traffic to his server through a man-in-the-middle attack for URLs that are specifically on his target roster, and a browser snapshot feature enables the theft of cookies, client certificates and private keys from the Windows certificate store and the Microsoft and Firefox certificate databases. A target browser, for example, is manipulated so that the attacker can then inject code into a particular session. What is more dangerous is that this kind of attack is not detected or prevented by the SSL protocol, leaving the victim with no indication that anything is wrong.
It is somewhat odd, however, that the hackers are using such malware functionality, since client certificates are rarely used by banks. As to why the attackers recently targeted Salesforce.com, the evidence points to the website potentially being used as an attack vector. However, it is hard to know what the hackers wanted to expose to the black market by attacking Salesforce.com.
Of course, data such as email or other services on the website are of no particular interest to them. In fact, no login details were found on the hackers' target list of sites that they attack by injecting certain configurations. Those targets include large banks in the UK. On the other hand, the Salesforce targeting code was found on a proxy server that the attackers use to attack websites according to unknown criteria.