Phishing Campaign Exploited Salesforce Flaw to Attack Facebook Users


Oct 31, 2023

Security Boulevard (Original)

Unknown bad actors ran a sophisticated phishing campaign that exploited a zero-day flaw in Salesforce’s email services, enabling the hackers to hide behind the cloud giant’s legitimacy while trying to steal information from Facebook accounts.

Leveraging a vulnerability Guardio Labs researchers dubbed “PhishForce,” the attackers created emails that appeared to come from Facebook parent company Meta but were sent from an “@salesforce.com” address, enabling them to sneak past traditional security protections like gateways and filters.

The Meta and Salesforce names give the message an air of trustworthiness, and the targeted user may be more likely to click on the email.

“So it’s a no-brainer why we’ve seen this email slipping through traditional anti-spam and anti-phishing mechanisms,” Guardio Labs researchers Oleg Zaytsev and Nati Tal wrote in a report. “It includes legit links (to facebook.com) and is sent from a legit email address of @salesforce.com, one of the world’s leading CRM [customer relationship management] providers.”

Email gateway services, like the Salesforce service abused in this campaign, regularly send out massive numbers of emails for everything from product pitches to advertisements. This helps threat actors who send malicious emails through such legitimate services, giving them “not only volume but also access to the reputation of those gateways, usually getting their IPs and domains whitelisted in an organization or even network-wide,” the researchers wrote.

The phishing email that came into the target’s mailbox mentioned them by name, telling them that their Facebook account was being investigated due to “suspicions of engaging in impersonation” and embedded a blue box at the bottom of the page that the user could click on to “request a review.”

Doing so sent them to a landing page hosted as a game on Facebook’s apps platform, under the domain apps.facebook.com, which is another step toward convincing the user of the email’s legitimacy. It is on that page that the attackers steal the Facebook account credentials and two-factor authentication (2FA) information.
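The signals described above (a brand named in the visible sender identity while the message is delivered from a bulk-mail gateway domain, account-threat language, and a link into a hosted-app path on the impersonated brand’s own domain) can be checked mechanically at the mail-filtering layer. The following triage script is an added example for defenders; it is not code from Guardio Labs, Salesforce or Meta. The sample messages, the gateway and brand domain lists, and the app path in the link are constructed for the demonstration.

```python
"""Heuristic triage of a suspected brand-impersonation email delivered through
a legitimate bulk-mail gateway. Constructed example; all sample data and lists
below are assumptions, not values taken from the reported campaign."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed lists: tune these to your own environment.
BULK_GATEWAY_DOMAINS = {"salesforce.com"}
BRANDS = {
    # brand keyword -> domains that legitimately send mail for that brand
    "facebook": {"facebook.com", "facebookmail.com", "fb.com", "meta.com"},
    "meta": {"facebook.com", "facebookmail.com", "fb.com", "meta.com"},
}
URGENCY_TERMS = ("impersonation", "suspended", "under review", "request a review")


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return a list of finding tags for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    findings = []

    # 1. A brand is named in the visible identity, but the sending domain
    #    is not one that brand uses.
    claimed = f"{display} {subject}".lower()
    for brand, legit in BRANDS.items():
        if re.search(rf"\b{brand}\b", claimed) and sender_domain not in legit:
            findings.append(f"brand_mismatch:{brand}:{sender_domain}")
            break

    # 2. The mismatch arrives via a bulk gateway: the gateway's reputation
    #    must not be read as trust in the impersonated brand.
    if findings and sender_domain in BULK_GATEWAY_DOMAINS:
        findings.append(f"bulk_gateway:{sender_domain}")

    # 3. Account-threat wording typical of credential lures.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency_language")

    # 4. Links into a hosted-app path on the brand's own domain: a trusted
    #    host name does not make user-controlled app content safe.
    extractor = LinkExtractor()
    extractor.feed(body)
    for link in extractor.links:
        if _host(link) == "apps.facebook.com":
            findings.append(f"hosted_app_link:{link}")

    return findings


# Constructed sample: a lure shaped like the one described in the article.
PHISH = """\
From: "Meta Support" <example-sender@salesforce.com>
To: target@example.org
Subject: Your Facebook account is under review
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Target,</p>
<p>Your account is being investigated due to suspicions of engaging in impersonation.</p>
<p><a href="https://apps.facebook.com/placeholder-game/">Request a review</a></p>
</body></html>
"""

# Constructed sample: an ordinary notification from the same gateway domain.
BENIGN = """\
From: "Salesforce Support" <example-sender@salesforce.com>
To: admin@example.org
Subject: Your support case has been updated
Content-Type: text/plain; charset="utf-8"

A new comment was added to your case. Log in to your org to view it.
"""

if __name__ == "__main__":
    print("phish :", triage(PHISH))
    print("benign:", triage(BENIGN))
```

The point of rule 2 is the one the article makes: reputation earned by a gateway domain says nothing about who wrote the message, so a brand mismatch that arrives through a gateway should raise the score rather than lower it. Rule 4 flags the destination even though its host is the brand’s own, because the page the host serves is controlled by the app owner, not the brand.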

Salesforce’s Email Gateway feature is part of its larger CRM system and enables customers to send out mass email notifications and messages. Before anything is sent, Salesforce has customers validate themselves by verifying an email address to ensure they own the domain name under which their mass messages are sent.

“Only clicking on the verification link sent to your desired email inbox will give the Salesforce backend the permission to configure outgoing emails accordingly,” Zaytsev and Tal wrote.

That said, the researchers were initially unable to discover how the hackers got past safeguards that make it highly difficult to have the Salesforce email service send a verification email. They found that the attackers had manipulated Salesforce’s Email-to-Case feature, which enterprises use to automatically convert inbound emails into actionable tickets for their support teams.

The researchers said the feature is commonly used for inbound emails only, but somehow the hackers were able to send messages out using that very address. They gained control of a Salesforce-generated email address by creating a new Email-to-Case flow and then verified it as an “Organization-Wide Email Address,” so that Salesforce’s Mass Mailer Gateway used the address in the official outbound flow. The hackers then used that address to verify ownership of the domain name.

With the verification in hand, they could use the Salesforce email address to send out messages that bypassed other anti-phishing and anti-spam protections.

Saeed Abbasi, manager of vulnerability and threat research at cybersecurity company Qualys, told Security Boulevard that the attack “was not a simple email scam but a complex intertwining of vulnerabilities across multiple platforms and services.”

“The unusual aspects here are centered around the clever exploitation of known systems – Salesforce and Facebook – the chaining of different vulnerabilities to construct a more effective attack, and the need for constant vigilance and adaptability in cybersecurity measures to deal with such evolving threats,” Abbasi said. “This hack illustrates the continuing evolution of phishing techniques.”

After being notified by Guardio Labs of the exploit being used in the wild, Salesforce fixed the problem.

Meta also was notified. A problem there is that the company retired the Facebook Web Games feature in 2020, yet the PhishForce hackers could still insert malicious content, including the phishing kit, directly into the platform.

Zaytsev and Tal said that according to Meta documents, “it is still possible to retain support for legacy games that were developed prior to the deprecation of this feature. Consequently, it appears that access to these accounts could prove valuable to malicious actors, thereby driving up the value of stolen accounts associated with gaming applications.”

Meta’s engineering and security teams removed the malicious accounts and told Salesforce they are running a root cause analysis to understand why the detections and mitigations they have in place for these kinds of attacks didn’t work.

The Guardio Labs researchers said the ability of hackers to exploit legitimate services like CRMs, marketing platforms and cloud-based workspaces to launch phishing and other attacks is a “significant security gap, where traditional methods often struggle to keep pace with the evolving and advanced techniques employed by threat actors.”

They put the onus on service providers to put measures in place, like enhanced verification processes and analyses to detect malicious activity, to stop bad actors from being able to abuse mail gateways.