
August 3, 2023

Hackers combine flaws in Salesforce and Facebook to mass-send phishing emails targeting Facebook credentials


Cybersecurity researchers have discovered a phishing campaign that combines a zero-day vulnerability dubbed 'PhishForce' with misconfigurations in Facebook's game platform to target select Facebook accounts. PhishForce is a flaw in Salesforce's email service, specifically its Email-to-Case feature, which lets customers convert incoming emails into support tickets for their helpdesk. The flaw allowed attackers to create a new email address on the Salesforce domain, pass the ownership verification for it, and then use that address to mass-send phishing emails, bypassing Salesforce's sender verification controls.

Sending through a trusted, high-reputation email gateway such as Salesforce's makes it less likely that the messages are caught by spam filters, so more of them reach their intended victims.

The phishing emails are designed to appear as if they come from Facebook's parent company Meta, advising the recipient that their account is under investigation due to suspicious activity. The recipient is invited to 'request a review' by clicking a button in the email. The button leads to a phishing page hosted within a game canvas on apps.facebook.com, which adds to the email's perceived authenticity. The ultimate goal of the campaign is to obtain the targets' Facebook account credentials.
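As an added example (not code from the Bleeping Computer report or from Field Effect), here is a small Python triage script for the lure described above. It checks the three signals a defender can read from headers and body alone: a display name that claims Meta while the From address sits on another domain, SPF/DKIM results that authenticate that other domain rather than the brand, and a link into the apps.facebook.com canvas host, where page content is supplied by a third-party app. The two sample messages are constructed for the example; the @salesforce.com sender address, the app path in the link and the list of legitimate Meta sending domains are assumptions, not details from the article.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand words an attacker puts in the display name, and the domains the brand
# really sends from. The domain list is an assumption for this example; tune it
# to what your own mail logs show for the brands you care about.
BRAND_KEYWORDS = ("meta", "facebook")
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}

# Hosts that frame third-party content: a link there says nothing about who
# runs the page. apps.facebook.com is the canvas host named in the article.
FRAMING_HOSTS = {"apps.facebook.com"}

# Matches "spf=pass smtp.mailfrom=x" and "dkim=pass header.d=x" clauses.
AUTH_RE = re.compile(r"(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed sample modelled on the lure: the display name claims Meta, the
# address is the attacker-registered Salesforce mailbox (assumed @salesforce.com),
# and the button links into a canvas app (path is made up).
SAMPLE_PHISH = b"""\
From: "Meta Platforms" <support-case@salesforce.com>
To: victim@example.com
Subject: Your account is under investigation
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Facebook account is under investigation for suspicious activity.</p>
<a href="https://apps.facebook.com/example-canvas-app/">Request a review</a>
</body></html>
"""

# Constructed benign message for comparison: brand name, brand domain, brand link.
SAMPLE_LEGIT = b"""\
From: "Meta" <security@facebookmail.com>
To: victim@example.com
Subject: New login to your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.facebook.com/settings/security">Review devices</a></body></html>
"""


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_brand_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def analyze(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the brand-impersonation findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = HREF_RE.findall(html)
    findings = []

    # 1. Brand in the display name, but the address belongs to someone else.
    claims_brand = any(k in display_name.lower() for k in BRAND_KEYWORDS)
    if claims_brand and not _is_brand_domain(from_domain):
        findings.append(f"display name '{display_name}' claims the brand but sender domain is {from_domain}")

    # 2. SPF/DKIM authenticate only the relaying domain. A pass for
    #    salesforce.com proves Salesforce sent the mail, not that Meta did.
    for mech, result, auth_domain in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() == "pass" and claims_brand and not _is_brand_domain(auth_domain.lower()):
            findings.append(f"{mech}=pass is for {auth_domain}, not the claimed brand")

    # 3. Links into a canvas/framing host, where the page is third-party content.
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if host in FRAMING_HOSTS:
            findings.append(f"link {link} points at {host}, which frames third-party pages")

    return {"display_name": display_name, "from_domain": from_domain, "links": links, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample)["findings"])
```

The script deliberately treats a passing SPF or DKIM result as a finding rather than a reassurance when the authenticated domain is not the brand's: that is exactly the gap this campaign exploited, since every message was legitimately sent by Salesforce's infrastructure.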

The phishing campaign and the PhishForce vulnerability were responsibly disclosed to Salesforce in June 2023 and fixed a month later. The problem on Facebook's game platform is harder to solve. Facebook retired the platform in July 2020, so it should no longer be possible to create new game canvases. The researchers suggest that the attackers overcame this obstacle by obtaining legacy accounts that used the platform before its deprecation and therefore still have access, likely bought at a premium on dark web marketplaces.

In the meantime, Meta has removed the malicious pages from the platform and has launched an investigation into why existing security controls failed to detect and stop the malicious activity.

Source: Bleeping Computer

Analysis

This campaign is a solid reminder that attackers are constantly looking for ways to improve the perceived legitimacy of their phishing emails and so raise their chances of success. Threat actors are highly motivated to find and exploit flaws and misconfigurations in legitimate email service providers such as Salesforce, so proactive bug hunting in these services is essential to staying one step ahead of them.

It is notable that this campaign is reportedly designed only to obtain Facebook credentials. The threat actor could have used the PhishForce zero-day to mass-send phishing emails to thousands of recipients. Instead, it combined PhishForce with the Facebook game platform misconfigurations to harvest the Facebook account credentials of specific users. This suggests the threat actor is not primarily financially motivated but is focused on gathering information on select individuals, an activity more typical of law enforcement or intelligence agencies.

Mitigation

Field Effect recommends that users scrutinize every email they receive, look for errors and inconsistencies, and verify any claims made in the message, even if that means contacting the purported sender directly through a channel they already trust.

Covalence users can submit suspicious email messages to Field Effect’s Suspicious Email Analysis Service (SEAS) to have a cybersecurity expert evaluate the authenticity of the message.
