
Hackers have found a new way to steal Facebook account details by exploiting a weakness in Salesforce’s email service. This flaw, nicknamed “PhishForce,” allows threat actors to send phishing emails through Salesforce, a trusted source, making it easier for these dangerous emails to evade detection and land in your inbox.

What’s happening?

The hackers are using a feature in Salesforce called “Email-To-Case” to bypass security measures and send out phishing emails. These emails appear to come from Meta (the company that owns Facebook) and are designed to trick you into revealing your Facebook login details.

Figure 1 – PhishForce Attack Chain

How does it work?

When you click on a link in one of these phishing emails, you’re taken to a fake page that looks like it’s part of Facebook’s gaming platform. This makes the scam seem more legitimate and harder to spot. Interestingly, Facebook retired this gaming platform in July 2020, but it seems that hackers have obtained old accounts that still have access to it, possibly by buying them on the dark web.
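The point of the attack chain above is that a mail which really is sent by a trusted service can still carry a display name and links belonging to a different brand. As an added illustration (this is not code from the original article, nor from Salesforce or Meta), the check below does what the advice "double-check the sender's address and name" means for a mail filter: it flags a message whose display name claims Meta or Facebook while its From domain, Return-Path domain, or link hosts belong to someone else. The brand keyword list, the `BRAND_DOMAINS` allowlist and both sample messages are constructed for the example; every address and host in them is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names the lure impersonates (the article says the mails claim to come from Meta/Facebook).
BRAND_KEYWORDS = ("meta", "facebook")
# Domains treated as genuine for that brand. Constructed placeholder set: a real deployment
# would load the brand's published sender domains rather than this list.
BRAND_DOMAINS = {"facebook.com", "meta.com"}


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def in_brand_domains(host: str) -> bool:
    """True if host is one of the brand domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def text_body(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message: str) -> list:
    """Return a list of findings describing brand/sender inconsistencies in one message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    claims_brand = any(k in display_name.lower() for k in BRAND_KEYWORDS)
    findings = []

    # 1. The display name advertises the brand but the address belongs to another domain.
    if claims_brand and not in_brand_domains(from_domain):
        findings.append(f"display name {display_name!r} claims brand, but sender domain is {from_domain!r}")

    # 2. The envelope sender (Return-Path) does not match the header From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path domain {domain_of(return_path)!r} differs from From domain {from_domain!r}")

    # 3. Links in a brand-claiming message that point off the brand's domains.
    for url in re.findall(r"""https?://[^\s<>"']+""", text_body(msg)):
        host = urlparse(url).hostname or ""
        if claims_brand and not in_brand_domains(host):
            findings.append(f"link to non-brand host {host!r}: {url}")
    return findings


# Constructed sample messages; every address, host and subject line here is made up.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@example-crm-tenant.invalid>
From: Meta Platforms Support <case-reply@example-crm-tenant.invalid>
To: owner@example.invalid
Subject: Your Facebook page violated our policies
Content-Type: text/plain; charset=utf-8

Your page is scheduled for removal. Review the decision here:
https://fb-policy-review.invalid/appeal
Help centre: https://www.facebook.com/help
"""

GENUINE_LOOKING_EMAIL = """\
Return-Path: <bounce@meta.com>
From: Meta <security@meta.com>
To: owner@example.invalid
Subject: New login to your account
Content-Type: text/plain; charset=utf-8

Review recent logins: https://www.meta.com/account/security
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("genuine-looking", GENUINE_LOOKING_EMAIL)):
        print(label, analyze(raw) or ["no findings"])
```

Two caveats matter for this campaign. A link hosted on the brand's own platform, as the retired gaming platform pages were, passes a domain allowlist, so the sender-domain mismatch in the From header is the signal that carries weight here. And the check only compares what the headers say; it is a complement to SPF, DKIM and DMARC evaluation, not a replacement, because in this campaign those mechanisms legitimately validate the sending service.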

Figure 2 – An example of the phishing email used in the attack.

What’s being done about it?

Salesforce has taken steps to fix the problem on its end, and its solution was implemented on July 28, 2023. However, the issue with Facebook’s gaming platform still exists, and Meta’s engineers are working hard to figure out why their existing security measures aren’t stopping the attacks. In the meantime, Meta has taken down the phishing pages that they’ve found.

How can you protect yourself?

Here are some steps you can take to stay safe:

  • Be cautious with your emails. Look for inconsistencies, and double-check the sender’s address and name.
  • Use multi-factor authentication (MFA) for your accounts. This adds an extra layer of protection.
  • Keep all your systems up-to-date with the latest patches. This can help prevent exploits if you accidentally click on a phishing link or download a malicious file.
  • Report any suspicious emails as spam. This helps your email filters learn and adapt.
  • Don’t download attachments unless you’re sure they’re safe.
  • If you’re a business owner, consider running phishing awareness campaigns for your employees.
