CyberSecurity SEE

Salesforce Zero-Day Exploitation Used for Facebook Credential Phishing


Attackers have recently been observed exploiting a zero-day vulnerability in Salesforce’s email and SMTP services as part of an elaborate phishing campaign aimed at stealing credentials from Facebook users. The cybercriminals behind this operation used targeted phishing emails with @salesforce.com addresses, exploiting a flaw in Salesforce’s email-validation system. This flaw allowed them to hide behind the trusted status of the Salesforce domain, bypassing email protections and deceiving recipients.

The phishing emails claimed to be from “Meta Platforms” and included legitimate links to the Facebook platform, enhancing their credibility. Guardio Labs’ researchers, Oleg Zaytsev and Nati Tal, noted that it is not surprising the email slipped through traditional anti-spam and anti-phishing mechanisms: it was sent from a legitimate @salesforce.com address and included genuine links to facebook.com, making it difficult to detect as a fraudulent message.

Upon opening the targeted phishing email, recipients were directed to a legitimate Facebook domain, apps.facebook.com. However, the content on this page had been altered to inform users that they had violated Facebook’s terms of service. A button on this page then led to a phishing page where users were prompted to enter their personal information, including their full name, account name, email address, phone number, and password.

Despite the attackers’ success in exploiting the Salesforce flaw, Salesforce assured Guardio that there was no evidence of customer data being impacted. The company promptly fixed the vulnerability to prevent further exploitation.

In parallel to the attack on Salesforce, the attackers also leveraged apps.facebook.com, which allowed them to create a web app game with customized canvases. Although Facebook discontinued the ability to create legacy game canvases, existing games developed prior to this change were still accessible. The attackers took advantage of this and inserted malicious content into the Facebook platform. They created a phishing kit designed to specifically target Facebook accounts, even bypassing two-factor authentication mechanisms. Meta, the parent company of Facebook, quickly removed the malicious accounts and the web game once they became aware of the situation.

In response to these incidents, Meta’s engineering team is conducting a root cause analysis to understand why their detection and mitigation mechanisms failed to identify and prevent these attacks.

The prevalence of phishing attacks remains high, with threat actors continually finding new ways to exploit secure and legitimate services. These services, including CRMs like Salesforce and marketing platforms, can inadvertently become tools for malicious activities. Service providers must enhance their security measures to prevent such platforms from being abused in phishing scams. This requires strengthening verification processes to ensure the legitimacy of users and conducting ongoing analyses to promptly detect any misuse of the mail gateway.
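The lure described above combines a trusted third-party sender (@salesforce.com), Meta branding and genuine apps.facebook.com links, which is exactly the pattern a mail gateway analysis can flag even when every individual element looks legitimate. The following is an added example, not code from Guardio, Salesforce or Meta, of a brand-alignment heuristic run over a constructed message; the brand-to-domain table, thresholds and the sample message are assumptions.

```python
"""Brand-impersonation heuristic for inbound mail (added example). Flags a
message whose display name or subject claims a brand while the sender
domain belongs to a third party, and whose links point at the brand's own
site. The brand/domain table and the sample message are assumptions."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Brands and the sender domains they legitimately mail from (assumed list).
BRAND_DOMAINS = {
    "meta": {"facebookmail.com", "meta.com"},
    "facebook": {"facebookmail.com", "meta.com"},
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s<>'\"]*)?")

def assess_email(raw: str) -> dict:
    """Return sender domain, findings and a score for one RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = []
    # 1. Display name or subject names a brand the sender domain does not belong to.
    claimed = {b for b in BRAND_DOMAINS if b in (display + " " + subject).lower()}
    for brand in sorted(claimed):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"brand '{brand}' claimed but sent from {sender_domain}")
    # 2. Links go to the brand's real site while a third party is the sender;
    #    genuine links are what let the reported campaign pass link-based filters.
    for host, path in URL_RE.findall(text):
        host = host.lower()
        if host.endswith("facebook.com") and sender_domain not in BRAND_DOMAINS["facebook"]:
            findings.append(f"link to {host}{path} from third-party sender")
            if host == "apps.facebook.com":
                findings.append("link targets a Facebook app canvas (legacy canvases were abused)")
    return {"sender_domain": sender_domain, "score": len(findings), "findings": findings}

# Constructed sample mirroring the reported lure; not a real capture.
SAMPLE = """From: "Meta Platforms" <noreply@salesforce.com>
To: user@example.com
Subject: Meta Platforms: your account violated Facebook terms of service
Content-Type: text/html; charset=utf-8

<p>Review the decision here: <a href="https://apps.facebook.com/somegame/">Appeal</a></p>
"""

if __name__ == "__main__":
    for finding in assess_email(SAMPLE)["findings"]:
        print("-", finding)
```

A score of two or more is a reasonable threshold for holding a message for review; a message from one of the brand's own domains produces no findings.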

The evolving and advanced techniques employed by threat actors highlight the need for constant vigilance and proactive security measures. By staying ahead of cybercriminals and closing security gaps, service providers can better protect users and prevent successful phishing attacks.
