In a recent cybersecurity discovery, Guardio Labs researchers have unveiled a highly sophisticated phishing campaign targeting Facebook users, exploiting a previously unknown vulnerability in Salesforce’s email services.
This exploit enables threat actors to craft deceptive phishing messages using Salesforce’s domain, while the messages appear to come from Meta. The attackers aim to trick recipients into clicking on a link by falsely claiming their Facebook accounts are under investigation due to suspected impersonation.
What makes this attack particularly insidious is its intricate design, which leverages both the Salesforce vulnerability and legacy peculiarities in Facebook’s Web Games platform. By sending emails from a seemingly legitimate “@salesforce.com” domain address and masking them as communications from Meta, the attackers strategically evade conventional anti-phishing and anti-spam detection mechanisms.
The phishing emails guide victims to a fraudulent landing page hosted under the Facebook apps platform, utilizing the domain apps.facebook[.]com. The ultimate goal is to capture victims’ account credentials and two-factor authentication codes. This innovative approach allows the phishing kit to circumvent security measures and gain access to sensitive user information undetected.
Guardio Labs revealed that the attackers exploited Salesforce’s email services’ zero-day vulnerability, thereby underlining the potential risks and challenges posed by seemingly legitimate services being exploited for malicious purposes.
