Vulnerabilities  
August 2, 2023

Facebook phishing attack propelled by Salesforce zero-day exploitation

Hackers skilfully leveraged a zero-day vulnerability within Salesforce's email services and SMTP servers to execute a phishing campaign aimed at high-value Facebook accounts.

The attackers employed a flaw known as "PhishForce" to evade Salesforce's sender verification safeguards and utilised certain quirks in Facebook's web games platform, enabling them to send a large volume of phishing emails.

Using a trusted email gateway such as Salesforce to disseminate phishing emails offers the advantage of bypassing secure email gateways and filtering protocols. This ensures that the malicious emails successfully reach the target's inbox without being intercepted.

The issues uncovered in Facebook's game platform remain unresolved, leaving Meta's engineers puzzled as they attempt to understand why the current mitigations were unable to thwart the attacks.

PhishForce exploited

The Salesforce CRM enables customers to send emails using their custom domains, which must undergo verification by the platform. This essential feature safeguards customers by preventing the unauthorised use of Salesforce to send emails as other brands they are not permitted to impersonate.

The attackers managed to exploit Salesforce's "Email-to-Case" feature, commonly utilised by organisations to convert customer emails into actionable support tickets.

The attackers achieved this by configuring a new "Email-to-Case" flow, thereby gaining control over a Salesforce-generated email address. Subsequently, they established a new inbound email address under the "salesforce.com" domain.

Afterward, they designated that address as an "Organisation-Wide Email Address," which the Mass Mailer Gateway of Salesforce utilises for outbound emails. Lastly, they completed the verification process to validate their ownership of the domain.

By following this process, the attackers gained the ability to send messages using their Salesforce email address, effectively circumventing both Salesforce's verification safeguards and any other existing email filters and anti-phishing systems.

Phishing emails observed in the wild appear to come from "Meta Platforms" but are sent from the "case.salesforce.com" domain.

Upon clicking the embedded button, the victim is directed to a phishing page cleverly integrated into the Facebook gaming platform ("apps.facebook.com"). This integration enhances the attack's credibility, making it more challenging for the email recipients to discern the fraudulent nature of the page.

The objective of the phishing kit utilised in this campaign is to pilfer Facebook account credentials, going so far as to incorporate mechanisms for bypassing two-factor authentication.
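As an added illustration (not code from the original article, nor from Salesforce or Meta), the following Python script shows one defender-side check that the emails described above would trip: the From display name claims "Meta Platforms" while the From address sits in a domain that brand does not send from. The sample messages, the brand-to-domain mapping and the link path are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed mapping of brand keywords to the domains that brand legitimately
# sends from. A real deployment would maintain this list itself; the entries
# here are assumptions for the example.
BRAND_DOMAINS = {
    "meta": {"facebookmail.com", "facebook.com", "meta.com"},
    "facebook": {"facebookmail.com", "facebook.com", "meta.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample modelled on the campaign described in the article:
# a "Meta Platforms" display name, a case.salesforce.com sender and a link
# into apps.facebook.com (the path is made up).
SAMPLE_PHISH = """\
From: "Meta Platforms" <support@case.salesforce.com>
To: victim@example.com
Subject: Your account has been restricted
Content-Type: text/plain; charset=utf-8

We detected a policy violation. Review it here:
https://apps.facebook.com/example-game-canvas/
"""

# Constructed benign sample: brand name and sending domain agree.
SAMPLE_LEGIT = """\
From: "Meta" <security@facebookmail.com>
To: victim@example.com
Subject: New login
Content-Type: text/plain; charset=utf-8

A new login was detected. https://www.facebook.com/settings
"""


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def display_name(msg):
    """Display name part of the From header, lower-cased."""
    name, _ = parseaddr(msg.get("From", ""))
    return name.lower()


def extract_urls(msg):
    """All http(s) URLs in the preferred body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return URL_RE.findall(text)


def brand_mismatch(msg):
    """Return the brand named in the display name if the From domain is not one
    of that brand's sending domains (exact match or subdomain), else None."""
    name = display_name(msg)
    dom = sender_domain(msg)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not any(
            dom == d or dom.endswith("." + d) for d in domains
        ):
            return brand
    return None


def analyse(raw):
    """Parse one RFC 5322 message and return findings plus the link hosts,
    so that the caller can see why a message was (or was not) flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    brand = brand_mismatch(msg)
    if brand:
        findings.append("brand-mismatch:%s:%s" % (brand, sender_domain(msg)))
    hosts = sorted({urlparse(u).hostname or "" for u in extract_urls(msg)})
    return {"findings": findings, "link_hosts": hosts}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(raw))
```

The point the output makes is that the link host (apps.facebook.com) is a genuine Facebook host, so URL reputation alone lets the message through; the detectable signal is the disagreement between the claimed brand and the sending domain. The domain matching here is deliberately naive (exact match or subdomain suffix against a hand-kept list); a production filter would pair it with SPF/DKIM/DMARC alignment checks and a proper public-suffix-aware comparison.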

Ongoing investigations

Salesforce acknowledged the vulnerability, reproduced it, and resolved it on July 28, 2023, one month after it was reported.

Regarding the abuse of "apps.facebook.com," it has been pointed out that creating the game canvas used as a landing page should be impossible, since Facebook retired this platform in July 2020. However, legacy accounts that had used the platform before its deprecation still have access, and threat actors may be willing to pay a premium for those accounts on the dark web.

Upon receiving the report, Meta removed the violating pages. Nonetheless, Meta's engineers are continuing their investigation into why the existing protections failed to stop the attacks.

As phishing actors persistently explore potential abuse opportunities on legitimate service providers, new security gaps constantly emerge, posing severe risks to users. Therefore, it is crucial not to rely solely on email protection solutions. Instead, carefully scrutinise every email that lands in your inbox, searching for inconsistencies, and verifying the claims made in those messages. Vigilance remains essential to protect against phishing attempts and potential threats.

In conclusion

The recent phishing campaign exploiting Salesforce's vulnerabilities and abusing legacy Facebook accounts highlights the ever-evolving landscape of cyber threats. As threat actors continuously find ways to breach security defences, it becomes crucial for individuals and organisations to seek professional assistance to safeguard their digital assets.

A reputable cyber security company can play a pivotal role in mitigating such risks. Firstly, they can conduct comprehensive vulnerability assessments and penetration testing to identify potential weaknesses within an organisation's infrastructure. By replicating real-world attack scenarios, they can proactively address and remediate any vulnerabilities before malicious actors exploit them.

Secondly, a cyber security company can provide tailored solutions to reinforce email protection. They can deploy advanced threat detection systems, spam filters, and phishing awareness training for employees. Moreover, leveraging their expertise, they can advise on best practices to minimise the risk of phishing attacks and reinforce overall email security.
