Hackers exploit Salesforce and Facebook flaws in phishing campaign

Security researchers have uncovered an active phishing campaign combining flaws in both Salesforce and Facebook to create a very convincing lure.

David Hollingworth
Fri, 04 Aug 2023

Both parties have been informed of the flaws and have taken action to fix the issues, but researchers at Guardio were nonetheless impressed at the scheme’s sophistication.

“As part of our email protection research, our research team here at Guardio Labs analysed one such example lately, presenting quite a sophisticated Facebook phishing scheme,” Guardio’s team wrote in a blog post. “We’ve seen other variants of those phishing pages and directing emails in the past, yet something else triggered our attention while observing the mail metadata.”

What caught their attention was the fact that the phishing email addressed the victim by name, appeared to be from Meta Platforms, and came from a legitimate Salesforce email address. Even more convincing was the use of another seemingly legitimate Facebook support page hosted on apps.facebook.com.

Taken together, this campaign’s tactics meant the email was easily able to slip past both anti-spam and anti-phishing filters.

The campaign also relied on pressuring the victim into urgent action, claiming that their Facebook account had been flagged as breaching content standards and would require a review. The review button then sends the user to the aforementioned Facebook support page, which asks the victim to “open a new case” – which, of course, then supplies the threat actor with the victim’s account details.

The threat actors were able to take advantage of a “vulnerable flow” in Salesforce’s email verification system that allowed them to eventually use the company’s ticketing system to create a valid verification link that could, in turn, be copied to create a seemingly legitimate email coming from Salesforce.

“From here, you just go on and create any kind of phishing scheme, even targeting Salesforce customers directly with these kinds of emails,” Guardio said. Salesforce was informed of the issue on 28 June 2023, and the flaw was fixed within a month.

“At Salesforce, trust is our number one value, and security is our top priority,” Salesforce said in response to the disclosure. “We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue.”

The Facebook angle takes advantage of a legacy system regarding older Facebook games that were retired in 2020. However, developers of games created prior to that date could still access their older pages, making them “valuable to malicious actors”, according to Guardio.

The fake Facebook support page even shows that it’s hosted by a soccer management game, though it is a small detail in the sidebar of the page, and easy to miss – especially if you’re convinced you need to act fast to save your Facebook account.

“We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work,” Meta’s engineering team said in response to Guardio reporting the bug. The malicious pages linked to the phishing campaign have been removed.

“A concerning aspect of this ongoing battle [against phishing operators] is the exploitation of seemingly legitimate services, such as CRMs, marketing platforms, and cloud-based workspaces, to carry out malicious activities,” Guardio said in conclusion.

“This represents a significant security gap, where traditional methods often struggle to keep pace with the evolving and advanced techniques employed by threat actors.”

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.