In Novel Attack Technique, Salesforce Email Service Used For Phishing Campaign (esecurityplanet.com)
Slashdot reader storagedude writes: In a novel attack technique, Israeli security researchers discovered that cybercriminals were subscribing to Salesforce in order to use its email service to launch a phishing campaign and thus bypass corporate security defenses like whitelisting.
The researchers, from email security service provider Perception Point, said bad actors are sending phishing emails via the Salesforce email service by impersonating the Israel Postal Service in a campaign that has targeted multiple Israeli organizations.
In a blog post, security analysts Miri Slavoutsky and Shai Golderman wrote that this is the first time they had seen attackers abuse Salesforce services for malicious purposes.
"Mass Email gives users the option to send an individual, personalized email to each recipient, thus creating the perception of receiving a unique email, created especially for you," Slavoutsky and Golderman wrote. "Spoofing attempts of Salesforce are nothing new to us. Attackers spoofing emails from Salesforce for credential theft is a typical example. In this case, the attackers actually purchased and abused the service, knowing that most companies use this service as part of their business, and therefore have it whitelisted and even allowed in their SPF records."
Shlomi Levin, Perception Point's co-founder and CTO, told eSecurity Planet that given how whitelisting a trusted source can result in security breaches, "it is essential to employ a zero-trust attitude combined with a strong filtering mechanism to any content that enters the organization no matter the source: email, collaboration tools or Instant Messaging."
Stephen Banda, senior manager of security solutions at cybersecurity vendor Lookout, agreed with the researchers that it's a new approach by malicious actors.
"The practice of legitimately signing up for an email service with the full intention of using it for malice is an innovative strategy," Banda said. "This breach should be a warning to all service providers to conduct extensive due diligence into who is requesting access to their services so that this type of scam can be avoided in the future."
"There are ways to detect spoofing but in this case the emails look authentic and are also coming from where they say they are coming from," said Saumitra Das, CTO of cybersecurity firm Blue Hexagon. "This means that attackers have got through the first email firewall both from a threat intelligence signature perspective of blocking known bad sources and also in some sense the instinct of the user themselves to be suspicious of what something is. It is common for attacks to get through email security solutions, but then well-trained or savvy users are the next line of defense. This [use of a legitimate email service] increases the chances of those users also clicking on links or downloading attachments."
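The weakness the researchers describe is a policy that trusts a message because it arrives through a whitelisted, SPF-authorized service, regardless of whose name is in the visible From header. The following added example (not code from the article, Perception Point, or Salesforce; all domains and headers are constructed) triages two sample messages under that source-based whitelist and under a DMARC-style alignment check that requires the From domain itself to have passed SPF or DKIM, which a tenant of a shared mail service cannot produce for a brand it does not control:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (hypothetical domains). PHISH: the visible From claims a
# postal brand, but SPF/DKIM only vouch for the shared ESP's own domains.
# LEGIT: the brand itself DKIM-signed the message, so it is aligned.
PHISH = """\
From: "Postal Service" <notice@post.example>
Return-Path: <bounce@mass-mail.esp.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mass-mail.esp.example; dkim=pass header.d=esp.example
Subject: Your parcel is waiting

Click here.
"""
LEGIT = PHISH.replace("header.d=esp.example", "header.d=post.example")

def org_domain(domain):
    # Crude organizational domain (last two labels); production code would
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(value):
    """Extract (result, domain) for spf and dkim from Authentication-Results."""
    results = {}
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", value or "")
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", value or "")
    if spf:
        results["spf"] = (spf.group(1), spf.group(2))
    if dkim:
        results["dkim"] = (dkim.group(1), dkim.group(2))
    return results

def passes_source_whitelist(msg, trusted_esps):
    """The weak policy: anything that passes SPF through a whitelisted ESP is
    trusted, whatever the visible From header says."""
    spf = parse_auth_results(msg["Authentication-Results"]).get("spf")
    return bool(spf) and spf[0] == "pass" and org_domain(spf[1]) in trusted_esps

def is_aligned(msg):
    """DMARC-style alignment: the From domain must itself have passed SPF or DKIM."""
    from_domain = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    results = parse_auth_results(msg["Authentication-Results"])
    return any(res == "pass" and org_domain(dom) == from_domain
               for res, dom in results.values())

def triage(raw, trusted_esps=frozenset({"esp.example"})):
    msg = message_from_string(raw)
    whitelisted = passes_source_whitelist(msg, trusted_esps)
    aligned = is_aligned(msg)
    return {"source_whitelist": whitelisted, "aligned": aligned,
            "verdict": "deliver" if aligned else "quarantine"}
```

The phishing sample passes the source whitelist yet fails alignment, which is exactly the gap a sender who legitimately purchased the service can exploit; the legitimate sample passes both.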
Novel in what way? (Score:5, Interesting)
A lot of phishing emails come in via "legitimate" services. Office365 is a big source. Compromise one account, and you can even get access to corporate sharepoint resources, and put your malware on them.
This must be "novel" in that the researchers found it happening on Salesforce, and a lot of corporations stupidly give the domain a pass.
Re: (Score:1)
You become obsessed by these things precisely because you never get out. ;)
And by doing so, you make sure it stays that way.
Every geek and nerd on this site should know that from himself.
Re: (Score:2)
Also, aren't phishing attacks (for "sales" and "ads", aka legalized scams) the whole point of Salesforce?
They used a hammer to put in a nail. But it's a novel tool because that nail was not meant to be put in?
Re: (Score:3)
No one is going to put an Office365 outgoing mail server on their block list. However, they will block your personal mail server running on a Linode VPS, even though it is sending a very small number of emails.
We are seeing the results of effectively centralizing many services on the Internet.
After that Signal "hack" gaffe... (Score:1)
... I'm associating "Israeli security firm" with the words "joke" and "scam". :)
So let's first check, before we take this seriously.
SpammerForce ? Block on sight. (Score:2)
Salesforce errr SpammerForce is a spam for hire outfit. I've seen nothing but bullshit from them to both my work email, and my personal accounts. I've firewalled them completely on my personal mail server, and I'm working with the mail admin of my work account to do the same.
Hearing that SpammerForce is now being used for malware does not surprise me in the least. Firewall them, and enjoy a much cleaner (and safer) inbox.
Re: (Score:2)
>"Salesforce errr SpammerForce is a spam for hire outfit. I've seen nothing but bullshit from them to both my work email, and my personal accounts"
Same here. I get spam to my users from Salesforce, Mailchimp, Google, Outlook, Sendgrid, ConstantContact, etc, etc, etc. I have thousands of domains blocked and Salesforce is one of them. We then have to whitelist senders within Salesforce. It is a never-ending battle, because legit sites that use services like Salesforce often don't have a legit "from" ad
Re: (Score:2)
I'm going to go somewhat generic on the topic even though I agree that Salesforce is the biggest source of the abuse (and I kind of like the tag "SpammerForce", too).
There are plenty of legitimate businesses that get suckered by "marketing consultants" that promise them big results via personalized "contacts" to vast numbers of potential customers. The consultants are only experts at feeding BS both ways, down to people who never signed up for the spam and up to the businesses that think they are buying new
Re: (Score:2)
>"But I'm still waiting for the iterative spammer-fighting tool that would let the large number of spam haters work together to put the spammers out of business. I imagine it as a webform from the spammer-fighting email service. On each iteration I'd confirm [...]But I'd settle for helping with the targeting."
I report every spam I get (the ones that get through our measures) to Spamcop. This requires logging into their site and cutting/pasting in the entire raw "source" of the message content, and confi
Re: (Score:2)
I have come across some badly coded websites that try to validate email addresses by probing the mail server and they interpret the 451 code from postgrey as an indication that the email address doesn't exist.
Re: (Score:2)
>"I have come across some badly coded websites that try to validate email addresses by probing the mail server and they interpret the 451 code from postgrey as an indication that the email address doesn't exist."
We, too, have had situations where sites do not handle 451 correctly. It is amazing that sites can just completely screw up the most basic of Email rules.... and, of course, sometimes the users (of both the offending site and MY site) point the blame at OUR system being "broken" because the Emai
Re: (Score:2)
I see it differently. There are servers that are deliberately screwing with SMTP for the sake of spewing more spam. And they are being paid to do it, too. If there was no money in the spam, it would mostly go away. Even the religious and political fanatics are mostly spamming for the money.
On the basis of this thread, it seems I should take another look at SpamCop. I used it for a while years ago, but it became useless. At least that's how it seemed to me.
I still want the iterative anti-spammer tool, but in
Re: (Score:2)
s/it's absence/its absence/
*sigh*
Re: (Score:2)
>"On the basis of this thread, it seems I should take another look at SpamCop. I used it for a while years ago, but it became useless. At least that's how it seemed to me."
The use of RBLs has been productive. Not as important as my own blacklists, but still very important, especially for true "junk spam" (the kind coming from no-name domains). The Spamcop RBL is a useful part of our spam control, but alone it is no salvation. But it is the only one (I know of) that allows direct submission of spam. S
Re: (Score:2)
I'm only looking a bit at the spam for one routing, but it seems that these days the bulk of that spam is coming from sources that RBL can't deal with. Used to be AWS or the main mobile phone network of Japan, but these days it's mostly Facebook or Gmail or Salesforce. Presumably automated or semi-automated throwaway accounts with shotgun distribution via zombots.
What I want is a tool to go after the links between the suckers and the spammers. If the suckers can't connect to the spammers, then they can't se
Is SalesForce used to send any other kind? (Score:2)
Phishing is, after all, email designed to make you think you are getting something you are not. That's pretty much the definition of emails sent by SalesForce servers.
OK so maybe there are categories of phishing, some less awful than others. But they ALL lie to you.
Re: (Score:2)
Yes, of course there is.
Phishing is criminals who are trying to cause 100% mayhem on your computer, accounts, reputation, your employer and whatever they can get their hands on. This is "block forever" stuff.
Commercial spam is more benign, it only wants your money. Often in limited ways. Maybe they improve themselves, now and then. You may not want to block a commercial sender "forever" (there really are commercial senders that have technical difficulties, ending up on blacklists).
Very big difference.