Tag Archive for: Salesforce

Salesforce Zero-Day Exploited to Phish Facebook Credentials

Attackers were recently spotted exploiting a zero-day flaw in Salesforce’s email and SMTP services in a sophisticated phishing campaign aimed at stealing credentials from Facebook users.

Guardio researchers detected cyberattackers sending targeted phishing emails with @salesforce.com addresses using the legitimate Salesforce infrastructure. An investigation revealed that they were able to exploit a Salesforce email-validation flaw to hide behind the domain’s trusted status with users and email protections alike.

The sender of the emails claimed to be “Meta Platforms,” and the messages included legitimate links to the Facebook platform, further bolstering legitimacy.

“It’s a no-brainer why we’ve seen this email slipping through traditional anti-spam and anti-phishing mechanisms,” Guardio Labs’ Oleg Zaytsev and Nati Tal noted in the post. “It includes legit links (to facebook.com) and is sent from a legit email address of @salesforce.com, one of the world’s leading CRM providers.”

The messages directed recipients via a button to a legitimate Facebook domain, apps.facebook.com, where the content had been altered to inform them that they’d violated Facebook’s terms of service. From there, another button led to a phishing page that collected personal details, including full name, account name, email address, phone number, and password.

Nonetheless, “there is no evidence of impact to customer data,” Salesforce told Guardio. The flaw, meanwhile, has been fixed.

Abuse of Discontinued Facebook Games

On the Facebook side, attackers abused apps.facebook.com by creating a Web app game, which allows customized canvases. Facebook has discontinued the ability to create legacy game canvases, but existing games that were developed prior to the end of the feature were grandfathered in. It appears that malicious actors abused access to these accounts, the researchers said.

In doing this, they could “insert malicious domain content directly into the Facebook platform — presenting a phishing kit designed specifically to steal Facebook accounts including two-factor authentication (2FA) mechanism bypasses,” the researchers said, adding that Facebook parent Meta “quickly removed the…

Source…

Hackers exploit Salesforce email zero-day for Facebook phishing campaign

The threat actors used a vulnerability named “PhishForce” to conceal malicious email traffic in Salesforce’s legitimate email gateway services, capitalising on Salesforce and Meta’s size and reputation.

The attackers managed to evade conventional detection methods by “leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform,” the researchers added.

Salesforce has around 150,000 clients, a significant number of which are small businesses. Security vulnerabilities like these could be especially detrimental to SMBs, up to and including the closure of their business, if hackers get access to their sensitive data.

The Email Gateway feature is an important part of the Salesforce CRM. It consists of specialised servers dedicated to efficiently sending a large volume of email notifications and messages to customers worldwide.

Customers using the Salesforce CRM can send emails under their own brand by using custom domains. However, to ensure security and prevent abuse, the system follows a process of validating the ownership of the domain name before allowing emails to be sent.

The validation step ensures that only legitimate and authorised users can use custom domains for sending emails through the Salesforce platform.

In this phishing campaign, however, the fraudulent email messages appeared to come from Meta, while actually being sent from an email address with a “@salesforce.com” domain.

The campaign’s primary objective is to trick recipients into clicking on a link by claiming their Facebook accounts are under investigation, due to alleged involvement in impersonation activities (oh, the irony).

Upon clicking the embedded button, the victim is redirected to a rogue landing page hosted and displayed as part of the Facebook gaming platform (“apps.facebook.com”).

This tactic adds further legitimacy to the attack, making it significantly more challenging for email recipients to discern the page’s fraudulent nature.

The landing page is designed to capture the victim’s account credentials, as well as any two-factor authentication (2FA) codes they might enter.

Swift response

Upon replicating the creation of a Salesforce-branded address…

Source…

The Center for Internet Security’s Risk Assessment Method | Salesforce

Google, Salesforce were allegedly offered ‘TrapWire’ spy tool – ZDNet

He also wrote that "the timing is right to revisit our relationship with Google and sense growing frustration (and chaos) on their part in light of the Chinese penetrations and intellectual property theft". "I've been playing constant phone tag with