
Suspected Malware Impacting Salesforce Users (UPDATED)

Knowledge Article Number: 000231277

Description

Update: 02/04/2015 18:28 UTC

The Salesforce Trust team has identified additional details related to the malware that may be associated with this issue.

Based on our investigation, the following malware variants may be involved:

  • Pony: The initial downloader, usually delivered via phishing emails.

  • Vawtrak: Malware delivered by the Pony downloader and possibly used by the malware operator to log into Salesforce as the compromised user.

If you believe you may have been impacted by this issue, we recommend that you scan all end user systems with up-to-date antivirus signatures that can detect these malware variants and change the affected users’ passwords.

At Salesforce, trust is our #1 value and we take the protection of our customers' data very seriously. In December 2015, one of our security partners identified that the credentials of a small number of Salesforce users had been compromised when they logged into Salesforce from computers that we suspect were infected with malware. Salesforce has continued to identify Salesforce users whose credentials were compromised when they used malware-infected computers to log into Salesforce.

The malware allows for unauthorized access to the customer’s Salesforce org, which may result in the exposure of customer contact data via exported reports. The exported reports generated by the malware operator generally contain information such as names, job titles, companies, contact details (emails / phone numbers) and location details.

This is not a vulnerability within Salesforce. It is malware that resides on the affected users’ infected computer systems and is designed to obtain user log-in credentials. If you’d like to learn more about malware, please visit: http://www.onguardonline.gov/articles/0011-malware.

We have reached out to impacted customers with next steps and further guidance. We continue to monitor the situation and will reach out to impacted customers directly.
Resolution

Best Practices for Data Protection

Salesforce is dedicated to helping our customers strengthen security in their own environments, and we recommend you leverage the following security capabilities of the Salesforce Platform:

  • Activate IP Range Restrictions to allow users to access Salesforce only from your corporate network or VPN.

  • Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source.

  • Implement Salesforce Authenticator, which provides an additional layer of security with two-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.

  • Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
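As an added example (not Salesforce's own code or tooling), the Python script below shows the kind of audit check that complements the IP range restriction recommended above: it flags successful logins from outside a set of corporate network ranges and then correlates report exports that a user performed shortly after such a login, which is the access-then-export pattern described in this article. The IP ranges, users, timestamps and record fields are all constructed sample data and assumptions for illustration; they are not the Salesforce login-history schema.

```python
import ipaddress
from datetime import datetime, timedelta

# Corporate network / VPN egress ranges (constructed; substitute your own).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed login events in a simplified, assumed login-history shape.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "ip": "203.0.113.25",  "ts": "2015-12-01T09:00:00", "status": "Success"},
    {"user": "bob@example.com",   "ip": "198.51.100.40", "ts": "2015-12-01T09:05:00", "status": "Success"},
    {"user": "alice@example.com", "ip": "192.0.2.77",    "ts": "2015-12-01T22:10:00", "status": "Success"},
    {"user": "carol@example.com", "ip": "192.0.2.78",    "ts": "2015-12-01T22:15:00", "status": "Invalid Password"},
]

# Constructed report-export events (assumed shape: who exported which report, when).
SAMPLE_EXPORTS = [
    {"user": "alice@example.com", "ts": "2015-12-01T22:25:00", "report": "All Contacts"},
    {"user": "bob@example.com",   "ts": "2015-12-01T10:00:00", "report": "Open Opportunities"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def is_corporate_ip(ip, ranges=CORPORATE_RANGES):
    """True if the source address falls inside any allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def suspicious_logins(logins, ranges=CORPORATE_RANGES):
    """Successful logins whose source IP is outside the allowed ranges.

    Failed attempts are ignored here: the concern is a session that
    actually opened with valid (possibly stolen) credentials.
    """
    return [
        event for event in logins
        if event["status"] == "Success" and not is_corporate_ip(event["ip"], ranges)
    ]


def exports_after_suspicious_login(logins, exports, ranges=CORPORATE_RANGES,
                                   window=timedelta(hours=2)):
    """Report exports performed by a user within `window` after that
    user's out-of-range login. Each flagged item records the login IP so
    an analyst can pivot to other activity from the same source."""
    flagged = []
    suspect = suspicious_logins(logins, ranges)
    for export in exports:
        export_ts = parse_ts(export["ts"])
        for login in suspect:
            if login["user"] != export["user"]:
                continue
            delta = export_ts - parse_ts(login["ts"])
            if timedelta(0) <= delta <= window:
                flagged.append({
                    "user": export["user"],
                    "report": export["report"],
                    "login_ip": login["ip"],
                    "export_ts": export["ts"],
                })
                break
    return flagged


if __name__ == "__main__":
    for event in suspicious_logins(SAMPLE_LOGINS):
        print("out-of-range login:", event["user"], event["ip"], event["ts"])
    for hit in exports_after_suspicious_login(SAMPLE_LOGINS, SAMPLE_EXPORTS):
        print("export after suspicious login:", hit)
```

Run against your own exported login and report-access records, the same two checks give a quick first pass over whether a stolen credential was used from outside your network and whether data left the org during that session; the time window and the allowed ranges are the two parameters to tune.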


Please visit www.trust.salesforce.com/trust/security/ for the latest security information and best practices.


If you believe you have been impacted by this malware and would like assistance from Salesforce, please open a security support case at https://help.salesforce.com, selecting security as the product topic, and our team will work with you to investigate this issue.


How can I get more information?

Please visit http://www.trust.salesforce.com/trust/practices/ for the latest security updates and best practices.


We appreciate your trust in us as we continue to make your success a top priority.

*********


Original Article: 12/3/2015 19:09 pm UTC

At Salesforce, trust is our #1 value and we take the protection of our customers' data very seriously. On December 1, 2015, one of our security partners identified that the credentials of a small number of Salesforce users had been compromised when they logged into Salesforce from computers that we suspect were infected with malware.


As a result, certain Salesforce data for these customers was exported by the malware operator and posted on a publicly-available server for a period of time. The exposed data was in the form of exported reports, which generally contain information such as names, job titles, companies, contact details (emails / phone numbers) and location details. The data is no longer hosted on this publicly-available server.


This is not a vulnerability within Salesforce. We suspect it was malware that resides on the affected users’ infected computer systems and is designed to obtain user log-in credentials. If you’d like to learn more about malware, please visit: http://www.onguardonline.gov/articles/0011-malware.


We have reached out to impacted customers with next steps and further guidance. We continue to monitor the situation and will reach out to impacted customers directly.

*********


12/7/2015 21:38 pm UTC Update

The Salesforce Trust team has identified additional details related to the malware that may be associated with this issue.

Based on our investigation, we believe that the following malware variants may be involved:

  • Pony: The initial downloader, usually delivered via phishing emails.

  • Vawtrak: Malware delivered by the Pony downloader and possibly used by the malware operator to log into Salesforce as the compromised user.

If you believe you may have been impacted by this issue, we recommend that you scan all end user systems with up-to-date antivirus signatures that can detect these malware variants.
