Emails have long been an integral part of our daily lives, serving as a primary means of communication for both personal and professional purposes. With the convenience of instant messaging and file attachments, emails enable seamless information exchange across the globe. However, they also take center stage in our endless battle against spam and phishing attempts that try and steal our sensitive information and threaten our safety.
In the US alone, there were more than 300,500 phishing attempts in 2022, resulting in a loss of 52 million dollars. With stats like that, you’re bound to be affected by these scams, or at least encounter one in your inbox.
Imagine receiving an email from Facebook (Meta) warning that your account is under investigation for suspicious activity. if you relied on Facebook for business purposes like advertising, and sales, or to connect with loved ones, I’m sure you’d be concerned. Luckily an email just like that landed in the inbox of one of Guardio’s data scientists. Having worked in cyber security for a few years now, this wasn’t their first rodeo. Armed with caution, and a dash of skepticism they read the email, grinned, and forwarded it to our research department AKA Guardio Labs. Little did they know that this email was only the tip of the iceberg, leading to a comprehensive investigation into a sophisticated phishing scam.
The internet has been plagued with harmful emails since its inception, ranging from annoying spam and marketing ads to well-crafted phishing attempts. Thankfully we have a full team working till the wee hours of the night to protect our users from these cyber attacks. The Guardio Labs Team is the research department at Guardio. They’re the ones that identify and track criminals and their scams. They basically go to the darkest online places to keep us all safe.
While the team has seen thousands of phishing attempts, when they received the email (video below), they immediately noticed something that made it stand out from other phishy emails (pun intended). The URL (email address) makes it seem like the email is coming from Meta via Salesforce - both legit sources. Looking at the email more closely, they discovered that Hackers ingeniously exploited a weakness in Salesforce's email system and combined it with bugs in one of Facebook’s web game platforms (a flawed outdated app).
In other words, the hackers utilized Facebook and Salesforce’s platforms to bypass security gateways and go under the radar of email spam filters - in order to send targeted phishing emails. By bypassing the spam filters, the emails get into your inbox and because they look like they’re coming from Facebook via Salesforce, you’re more likely to fall for the scam. Even though we’d like to think that Guardio’s data scientist is special - in all reality, these types of emails were probably sent to hundreds if not thousands, of unsuspecting people.
Despite improved email spam detection, filters, and blockers, cybercriminals continuously find ways to outsmart the system. A common technique they use is to hide fraudulent emails among a large number of legitimate ones sent by trusted gateway services - that are meant to protect your inbox.
Trusted gateway services - Filtering emails in real-time
An email gateway service is a middleman that helps emails go from sender to receiver smoothly and safely. It filters out spam and checks if emails are legitimate, protecting users from scams and phishing attempts. Gateways utilize something called a Simple Mail Transport Protocol (SMTP), which is an internet standard used to send, receive and relay email messages. They handle everything from ads and newsletters to software updates. It's like a traffic controller for emails, making sure they reach the right destination securely. Here’s a simple way to make sense of it all.
Let’s say you’re flying to Hawaii for your honeymoon - exciting right? You head to the airport, check in for the flight, pass security, board the plane, and you're on your way. In this analogy, you’re the email, and the check-in desk and airport security are the gateway and SMTP. Because you brought your passport, got to the airport on time, and passed security you were allowed to board the plane. If you wouldn’t have passed security (the gateway), you would have been sent to the spam folder (or the email would have). In other words, gateways are basically there to make sure only emails that are considered legitimate get to your inbox. Make sense, right?
Salesforce's email gateway
Email gateways are an important part of Salesforce’s customer relationship management (CRM) system, as they filter lots of emails to customers worldwide. Before sending an email, Salesforce checks if the domain name matches the sender's name, to verify that the email is legit. Sadly, if gateways fall into the wrong hands, they can be used for malicious purposes. Hackers can use gateways to benefit from the source's good reputation, in our case, Facebook and Salesforce, and access a large volume of emails. This often allows them to bypass security measures like IP and domain whitelisting in organizations and networks.
Guardio Labs has researched thousands of phishing attempts, so when this email landed on their lap, they immediately noticed the bad grammar, unusual request and recognized it as a scam. Despite being familiar with phishing pages, emails, and sophisticated scams, there was something different about this one that triggered their attention.
The email is a well-created phishing email that mentions Guardio’s data scientist's real name and seems to be mailed from “Meta Platforms”. OK, very sophisticated, but they’ve seen that before. What really got the Labs team excited is that they uncovered that the cybercriminals actually used the Salesforce gateway to bypass spam filters. Wow, that’s very clever and sneaky! Imagine if cybercriminals would only use their powers for good... But that’s not the end of it, If you click the blue button “Request a Review” you’re navigated to a page where you need to add personal details. It looks completely legit and even has a Facebook URL.
Get this - the fake page is hosted under the Facebook apps platform, using the domain apps.facebook.com disguised as a game. This is yet another interesting piece of the puzzle that gives the page the appearance as if it’s a real “Meta Support” page, and an actual part of your real Facebook account. However, if you dig deeper, you'll find that it's underneath a fake game called “Football Soccer Manager”.
The email includes real links (to facebook.com) and is sent from a legit @salesforce.com email address, one of the worlds leading customer relationship management (CRM) providers. So it’s clear to see how the email slipped through traditional anti-spam and anti-phishing radars. Scary, right?
Stop phishing emails before they reach your inbox with Guardio’s Email Protection
The Guardio Labs Team works closely with other security teams like Salesforce’s to ensure a safe and secure internet experience for everyone. Partnerships like that play a pivotal role in enhancing the overall safety of the internet, making it increasingly difficult for cybercriminals to operate. So after realizing the extent of this phishing attempt Guardio Labs immediately contacted Salesforce to officially disclose the issue. Thankfully the security response team at Salesforce acted fast and as of July 28, 2023, the vulnerability was resolved and a fix was deployed affecting all Salesforce services and instances.
Emails and text messages that contain phishing attempts are disguised to look like they’re from a company or person who you know and trust, such as a bank, credit card company, or in this case social media sites, and CRM’s. Usually, the phishing scam begins with a story intended to manipulate you into clicking a link or opening a malicious attachment. They may:
Mention that there’s an issue with your account.
Tell you that you’ve violated copyright laws or the site's rules.
Offer free coupons or product giveaways.
Ask you to confirm your account information.
Make a claim that your payment information was incorrect.
Say that they’ve noticed suspicious activity or attempts to log in.
Phishing attempts are getting more and more sophisticated, and we haven’t even talked about how cybercriminals are utilizing AI (we’ll save that for later). In times like these, it’s important to keep your guard (io) up and always be cautious online. Having an online security tool like Guardio can protect you from phishing attacks and give you peace of mind whenever you're on the web.
Guardio protects you from malicious emails that get past your spam filter by:
Recognizing senders who have a bad reputation.
Maintaining a constant inbox overview for new threats and phishing emails.
Checking whether emails contain dangerous links.
Notifying you in real-time if a malicious email bypasses your spam filter.
Detecting malicious emails that pose a risk to your personal information.
With Guardio, you can avoid falling victim to phishing attacks or accidentally downloading malware.
Stop phishing emails before they reach your inbox with Guardio’s Email Protection
Guardio Labs' expertise in identifying and thwarting sophisticated phishing attempts has been instrumental in uncovering scams. The collaboration between Guardio and Salesforce's security team resulted in the prompt resolution of the vulnerability, enhancing internet safety for all users.
But in all reality, phishing attacks and scams are still widespread, with millions of them reported every year. Unfortunately, phishing emails are getting more sophisticated, and it’s like a game of whack-a-mole, where as soon as one scam is discovered, ten more pop up. That’s why you need to always be cautious when receiving emails and clicking links.
To stay safe from phishing attempts, it's essential to remain cautious and spot the telltale signs of phishing emails. Utilizing reliable email protection solutions, like Guardio, can help detect and block malicious emails that bypass traditional spam filters. By staying informed and taking proactive measures, you can protect yourself from falling victim to phishing attacks and maintain a secure online experience.
Our appreciation goes out to Salesforce and Meta for their quick response and their ongoing efforts to improve their platforms' security and resilience against scammers. Check out the full Read Guardio Labs report to learn more.
Disclaimer from Salesforce: "At Salesforce, trust is our #1 value, and security is our top priority. We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue. Our team has resolved the issue, and at this time there is no evidence of impact to customer data. We continually encourage researchers to share their findings with our team at firstname.lastname@example.org." (Salesforce)
Comments from Meta: “We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work” (Meta’s Engineering)