{"id":19177,"date":"2021-09-03T18:42:37","date_gmt":"2021-09-03T18:42:37","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19177"},"modified":"2021-09-03T19:09:12","modified_gmt":"2021-09-03T19:09:12","slug":"salesforce-email-service-used-for-phishing-campaign","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/salesforce-email-service-used-for-phishing-campaign\/","title":{"rendered":"Salesforce Email Service Used for Phishing Campaign"},"content":{"rendered":"

Cybercriminals are using Salesforce\u2019s mass email service to dupe people into handing over credit card numbers, credentials and other personal information in a novel phishing<\/a> campaign that highlights the threats to corporate networks that can come from whitelisted<\/a> email addresses.<\/p>\n

According to a recent blog post<\/a> from email security service provider Perception Point, the bad actors are sending phishing emails via the Salesforce email service by impersonating the Israel Postal Service in a campaign that has targeted multiple Israeli organizations.<\/p>\n

In the blog post, Perception Point cybersecurity analysts Miri Slavoutsky and Shai Golderman\u00a0wrote that this is the first time they had seen attackers abuse Salesforce services for malicious purposes.<\/p>\n

\u201cMass Email gives users the option to send an individual, personalized email to each recipient, thus creating the perception of receiving a unique email, created especially for you,\u201d Slavoutsky and Golderman\u00a0wrote. \u201cSpoofing<\/a> attempts of Salesforce are nothing new to us. Attackers spoof emails from Salesforce for credential theft, is a typical example. In this case, the attackers actually purchased and abused the service; knowing that most companies use this service as part of their business, and therefore have it whitelisted and even allowed in their SPF records<\/a>.\u201d<\/p>\n

Whitelisting Increases Vulnerability<\/h2>\n

Therein lies a key issue raised by the phishing campaign. Most email security services are unable to detect attacks using Salesforce\u2019s legitimate platform because they \u201cblindly trust that Salesforce is a safe source,\u201d even to the point of whitelisting the service\u2019s IP addresses to streamline the email process, they wrote.<\/p>\n

\u201cWhile Salesforce\u2019s recommendation is to whitelist their entire IP range, this creates a vulnerability in your company\u2019s network,\u201d the Perception Point analysts wrote. \u201cCreating this type of whitelist is essentially ignoring the fact that the platform might be used for malicious purposes. By creating such a whitelist, one is basically creating a hole in one\u2019s organizational security that such emails can sail straight through.\u00a0When users receive such emails, they are unable to distinguish that the email was sent via a Mass Email platform.\u201d<\/p>\n

Shlomi Levin, Perception Point\u2019s co-founder and CTO, told eSecurity Planet<\/em> that given how whitelisting a trusted source can result in security breaches, \u201cit is essential to employ a zero-trust<\/a> attitude combined with a strong filtering mechanism to any content that enters the organization no matter the source: email, collaboration tools or Instant Messaging.\u201d<\/p>\n

Spoofing Salesforce<\/h2>\n

In this case, bad actors sent the victims email via the Salesforce email service purportedly from the Israeli Postal Service, telling the recipient that a package had been held up because the shipping fees hadn\u2019t been paid. The email was sent from what Perception Point said is the standard sender of all salesforce.com emails.<\/p>\n

The phishing email contains a link automatically redirecting the victim to a spoofed website of the Israeli Postal Service that prompts the user to enter credit card details. The user is then redirected to another page, which requires verification through an SMS code.<\/p>\n

The Perception Point analysts said the attackers made an effort to prove the legitimacy of the emails, an indication of how far they will go to convince victims to give up their information and how easy it is to do just that. Researchers found that the malicious server running the website was accessible without any authentication and was developed and hosted by LiteSpeed Web Server. In addition, the site has a certificate issued to it.<\/p>\n

\"Salesforce<\/p>\n

Use of Legitimate Email Services<\/h2>\n

The use of Salesforce\u2019s email service is akin to a phishing campaign run by Nobelium, the Russia-based cybercrime group (also known as APT29 and CozyBear) behind the high-profile SolarWinds supply chain breach<\/a>, according to Saumitra Das, CTO of cybersecurity firm Blue Hexagon. In the latest Nobelium phishing campaign<\/a> reported by Microsoft in May, the group used the legitimate Constant Contact email marketing service.<\/p>\n

\u201cThey leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs and NGOs,\u201d Das told eSecurity Planet<\/em>.<\/p>\n

He said spoofing usually involves making up a source to look legitimate or using typosquatting.<\/p>\n

\u201cThere are ways to detect spoofing but in this case the emails look authentic and are also coming from where they say they are coming from,\u201d Das said, adding that in the case of the Salesforce example, \u201cthis means that attackers have got through the first email firewall both from a threat intelligence<\/a> signature perspective of blocking known bad sources and also in some sense the instinct of the user themselves to be suspicious of what something is. It is common for attacks to get through email security solutions, but then well-trained or savvy users are the next line of defense. This [use of a legitimate email service] increases the chances of those users also clicking on links or downloading attachments.\u201d<\/p>\n

A key difference is that unlike Nobelium with Constant Contact, the attackers using Salesforce\u2019s service didn\u2019t hack into the email system but instead signed up for the service, Stephen Banda, senior manager of security solutions at cybersecurity vendor Lookout, told eSecurity Planet<\/em>.<\/p>\n

\u201cThe practice of legitimately signing up for an email service with the full intention of using it for malice is an innovative strategy,\u201d Banda said. \u201cThis breach should be a warning to all service providers to conduct extensive due diligence into who is requesting access to their services so that this type of scam can be avoided in the future.\u201d<\/p>\n

Adopting Zero Trust is Key<\/h2>\n

The phishing strategy is another reason for adopting a zero-trust architecture<\/a>, which means assuming that an email from outside the organization is malicious until proven otherwise, according to Stefano De Blasi, cyber threat intelligence analyst with digital risk protection company Digital Shadows.<\/p>\n

\u201cAlthough more time-consuming than the traditional approach, zero-trust architecture can significantly reduce the potential impact of these malicious mass phishing campaigns and should always be considered the first option when possible,\u201d De Blasi told eSecurity Planet<\/em>.<\/p>\n

In addition, along with having in place such standard solutions such as secure email gateways, spam filters and phishing protection, organizations need to invest in security training<\/a> so employees are more educated of the threats that might come their way, Banda said, adding that phishing simulations are a way to provide training that gives people a safe real-world experience.<\/p>\n

\u201cOrganizations also need to have a mobile security solution in place that detects and blocks phishing attacks,\u201d he said. \u201cThe solution should also educate the users on phishing every time a link is detected. Over time, this will raise awareness so that users question even the most effective phishing attack.\u201d<\/p>\n

Further reading:<\/p>\n

How DMARC Can Protect Against Ransomware<\/a><\/p>\n

Best Zero Trust Security Solutions<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n