CTI Roundup: Google AMP & Salesforce Exploited for Phishing Attacks

In this week’s roundup, CTI explores how threat actors are abusing Google Accelerated Mobile Pages (AMP) to bypass email security measures and access employee login credentials. Next up is a look at how threat actors are exploiting a vulnerable flow in Salesforce’s email services and SMTP servers to launch a sophisticated phishing campaign targeting Facebook accounts. Finally, CTI looks into a report linking Russian actor BlueCharlie to almost 100 new domains.

1. Threat actors abuse Google AMP for evasive phishing attacks

According to Cofense, an increasing number of phishing campaigns are abusing AMP to bypass email security measures. These campaigns embed Google AMP URLs in phishing emails and take advantage of the Google domain’s good reputation.

Google AMP: An overview

Google AMP is an open-source HTML framework for creating websites that are optimized for mobile use. The web pages are visible on Google Search and can also use Google AMP Cache and Google Analytics to track user interactions. Web pages created via Google AMP are initially hosted on a Google AMP URL like google.com/amp/s/or google.co.uk/amp/s/.

Threat actors are now hosting malicious web pages using the Google AMP URL path within their phishing emails with the intent of stealing employee login credentials. Since the URLs are hosted on legitimate Google domains, it can be difficult for email security tools to detect the malicious nature of these emails.

This trend of campaigns abusing Google AMP appears to have picked up in May and has remained in the threat landscape since. Cofense observed a change in tactics on June 15th, when google.co.uk was used within the Google AMP URLs. The overall idea is the same, but the URL is hosted on Google UK TLD instead. Of the Google AMP URLs observed by Cofense, they found 77% to be hosted on google.com, while the rest were hosted on Google’s UK TLD.

Threat actors use a combination of TTPs

Threat actors are employing this new Google AMP tactic along with tried-and-true methods that contribute to the effectiveness of a phishing email.

The following TTPs have been observed in a range of phishing emails that are leveraging Google AMP URLs as embedded links:

• Trusted domains: The AMP tactic is effective because it hosts a URL on a trusted domain like Google. This complicates automated analysis and makes blocking these sites difficult.
• Image-based phishing emails: Many of the emails observed by Cofense in this campaign are image-based, meaning they do not contain a traditional email body and instead have an HTML image. These can be more difficult to detect than text-based emails because the image can add more noise within the header.
• URL redirection: URL redirection is a very popular tactic for disrupting email analysis, especially when there are multiple redirects within a single phishing attack chain. In one case observed by Cofense, the redirection was being hosted on Microsoft.com while also redirecting to the Google AMP domain. This added an additional layer of false legitimacy.
• Cloudflare CAPTCHA: The abuse of CAPTCHA has also become a very popular anti-analysis tactic and was seen in the Google AMP phishing campaign. The legitimate domain security service requires manual interaction before reaching the final malicious URL.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The use of Google AMP URLs in phishing campaigns is certainly an evolution, and further proves that threat actors are always looking for ways to improve their craft.”

“Google AMP URLs have a common path and blocking it would also restrict all legitimate cases of Google AMP URLs — making it difficult to protect against phishing emails. Flagging or alerting on these domains may help, but it ultimately comes down to educating users on the latest phishing threats.”

2. Hackers exploit Salesforce’s email services in targeted Facebook phishing campaign

Hackers are now exploiting a vulnerability in Salesforce’s email services and SMTP servers to launch a sophisticated phishing campaign targeting Facebook accounts.

The emails appear to be coming from Meta but originate from a Salesforce email domain. Researchers have since worked with Salesforce to resolve and fix the vulnerability.

Campaign details

Guardio Labs analyzed a sophisticated Facebook phishing scheme that takes advantage of a vulnerability in Salesforce. The well-crafted phishing email mentions the target’s name and masquerades as an email from Meta Platforms. It also contains a large button that says, “request a review,” which leads the target to the phishing page with the goal of grabbing the user’s Facebook account details.

The phishing page is hosted as a game under the Facebook apps platform using the apps[.]facebook[.]com domain. This creates the illusion that the support page is part of your Facebook account.

Exploiting Salesforce’s email gateway

Salesforce’s email gateway is designed to send a large volume of emails to customers across the globe. Prior to sending out an email, the system will verify the ownership of the domain name it is about to use to send the message. This domain will be shown alongside the “from” field and confirms that Salesforce has permission to send emails as this brand.

An email address must be verified to be able to send emails. Clicking on the verification link sent to that desired email inbox gives Salesforce permission to configure the outgoing emails. After verifying an address, the user can select it on outgoing email prompts.

When diving into the email headers, Guardio realized that the domain of the “from” address field has a sub-domain generated per a specific Salesforce account using the “case” magic word. The address is user-controlled under Salseforce’s Email-To-Case feature which automatically converts customer inbound emails into actionable tickets in Salesforce.

Exploiting Salesforce to get brand ownership

While digging deeper into the validation process, researchers discovered that it’s possible to receive emails that go to specific salesforce.com addresses and access their content using Salesforce’s ticketing system.

To recreate this, Guardio started by creating an Email-To-Case flow which gave them full control of the username portion of the Salesforce email address. They selected Salesforce as the username, leaving them with the following email address to abuse: salesforce@{account_id_hash}.case.salesforce[.]com.

They now had an email address that looks like one they had seen in the wild for phishing campaigns. They went on to verify this email as an “Organization-Wide Email Address” to make the Salesforce Mass Mailer Gateway use this address in the official outbound flow.

After verifying the email, they created a new Organization-Wide Email Address using the newly generated salesforce address. This triggered the verification flow that sent the email to the routing address, ending up as a new task in the system. From here, the threat actors can go on and create various kinds of phishing schemes coming from a salesforce.com email sender. These messages are more likely to end up in the inbox of targeted victims because they come from Salesforce.

Abusing the Facebook apps domain

Guardio also witnessed the abuse of the Facebook apps domain. As of July 2020, there is no longer a way to create legacy game canvases with app IDs under the Facebook ecosystem. This campaign, however, seemed to still have this power.

According to Meta, it is still possible to retain support for legacy games that were developed prior to this deprecation, making them attractive to threat actors. Guardio has reached out to Meta, and Meta is currently doing a root cause analysis as to why detections and mitigations in place did not work.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign includes legitimate links to Facebook and is sent via Salesforce email addresses, so it’s unsurprising that researchers are seeing this slip through some traditional anti-phishing solutions.”

Guardio sums up the concerns quite well:

A concerning aspect of this ongoing battle is the exploitation of seemingly legitimate services, such as CRMs, marketing platforms, and cloud-based workspaces, to carry out malicious activities. This represents a significant security gap, where traditional methods often struggle to keep pace with the evolving and advanced techniques employed by threat actors.

3. Russian actor BlueCharlie alters infrastructure in response to disclosures

Recorded Future has linked Russia-nexus threat actor BlueCharlie to almost 100 new domains in the past few months.

The group is actively modifying its infrastructure in response to public disclosures of its activities. Many of the TTPs seen in recent operations depart from the group’s previous activities, suggesting an evolution.

What is BlueCharlie?

BlueCharlie is a Russia-linked threat actor that goes by various names including Callisto, Star Blizzard, COLDRIVER, TAG-53, and formerly, Seaborgium. It conducts info-gathering campaigns to achieve further espionage and conduct hack-and-leak operations.

BlueCharlie carries out persistent phishing/credential theft campaigns and tends to use open sources to conduct reconnaissance prior to its intrusion. In one case, the threat actor created fraudulent profiles across social media platforms to conduct reconnaissance on targeted entities.

The group appears to have changed its TTPs after public reporting exposed its credential-harvesting infrastructure.

Domain name structure

BlueCharlie recently shifted its use of certain words in its domains to a new pattern. Previous domains were made up of two terms which were separated by a hyphen. One example is cloud-safety[.]online. This prior activity relied on a trailing URL structure for phishing attacks which Recorded Future has not yet observed in recent activity.

The new naming convention is consistent and similar across all 94 domains identified by Recorded Future. The new domains relate to themes centered around information technology and cryptocurrency with names like cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, or pdfsecxcloudroute[.]com.

BlueCharlie’s registrars

The registrars used by BlueCharlie have also shifted. Previously, PorkBun accounted for over 50% of domain registrars used by BlueCharlie. With current activity the group overwhelmingly prefers the NameCheap registrar.

Autonomous systems

Recorded Future has identified the ASNs where the BlueCharlie IPs were most commonly found for both previous and current activity. Previous industry reporting suggests that Stark Industries, MIRhosting, and PQ Hosting are related and are frequently used to host malicious content or used in attack infrastructure.

X.509 TLS certificates

Previously, the identified BlueCharlie domains were found to host corresponding X.509 TLS certificates by Let’s Encrypt. In its latest activity, the group continues to rely almost entirely on Let’s Encrypt certificates. There was one exception to this rule with the domain bittechllc[.]net, which used the ZeroSSL Certificate Authority.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The last time BlueCharlie’s infrastructure was publicly exposed, they shifted to new TTPs and new infrastructure. Considering this, it’s plausible that Recorded Future’s public reporting will cause them to react the same this time around. The group is sticking to its roots of phishing, reminding us yet again of the importance of training and awareness.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.