Hackers exploit Salesforce email zero-day for Facebook phishing campaign
Attacks stole 2FA codes, too
Guardio Labs researchers have uncovered a sophisticated phishing campaign that took advantage of a zero-day in Salesforce email services and SMTP servers, enabling malicious actors to specifically target Facebook users.
The threat actors used a vulnerability named "PhishForce" to conceal malicious email traffic in Salesforce's legitimate email gateway services, capitalising on Salesforce and Meta's size and reputation.
The attackers managed to evade conventional detection methods by "leveraging Salesforce's domain and reputation and exploiting legacy quirks in Facebook's web games platform," the researchers added.
Salesforce has around 150,000 clients, a significant number of which are small businesses. Security vulnerabilities like these could be especially detrimental to SMBs, up to and including the closure of their business, if hackers get access to their sensitive data.
The Email Gateway feature is an important part of the Salesforce CRM. It consists of specialised servers dedicated to efficiently sending a large volume of email notifications and messages to customers worldwide.
Customers using the Salesforce CRM can send emails under their own brand by using custom domains. However, to ensure security and prevent abuse, the system follows a process of validating the ownership of the domain name before allowing emails to be sent.
The validation step ensures that only legitimate and authorised users can use custom domains for sending emails through the Salesforce platform.
In this phishing campaign, however, the fraudulent email messages appeared to come from Meta, while actually being sent from an email address with a "@salesforce.com" domain.
The campaign's primary objective is to trick recipients into clicking on a link by claiming their Facebook accounts are under investigation, due to alleged involvement in impersonation activities (oh, the irony).
Upon clicking the embedded button, the victim is redirected to a rogue landing page hosted and displayed as part of the Facebook gaming platform ("apps.facebook.com").
This tactic adds further legitimacy to the attack, making it significantly more challenging for email recipients to discern the page's fraudulent nature.
The landing page is designed to capture the victim's account credentials, as well as any two-factor authentication (2FA) codes they might enter.
Swift response
Upon replicating the creation of a Salesforce-branded address capable of distributing phishing emails, Guardio Labs verified the issue and promptly notified the vendor about its discovery on 28th June.
In response, Salesforce addressed the zero-day vulnerability on the same day.
The company implemented new security checks that preventing the usage of email addresses from the "@salesforce.com" domain, thwarting potential abuse of their email services.
Meta vulnerability was a legacy loophole
The abuse of "apps.facebook.com" as a landing page is surprising, since Facebook had retired the Web Games feature in July 2020.
That should have made it impossible for the attackers to create a game canvas as the landing page for their phishing campaign.
But, according to Meta, it is still possible to retain support for legacy games that were developed before the deprecation of the Web Games feature in July 2020.
As a result, user accounts associated with these legacy gaming applications could hold significant value for malicious actors.
By gaining access to these accounts, attackers could exploit them in various ways, such as selling them on the black market, using them for fraudulent activities, or leveraging them in further phishing campaigns to target other users.
Upon receiving the report from Guardio Labs, Meta removed the violating pages.
Nevertheless, its engineers are currently investigating to understand why its existing security measures were ineffective in stopping the attacks.
Guardio Labs researchers emphasised the importance of service providers exercising extra vigilance and implementing rigorous measures to prevent such abuse in the future.
"Taking proactive steps to keep scammers away from secure and reputable mail gateways is of utmost importance," the researchers said.
"This includes bolstering verification processes to ensure the legitimacy of users, as well as conducting comprehensive ongoing activity analysis to promptly identify any misuse of the gateway, whether through excessive volume or through analysis of metadata such as mailing lists and content characteristics."