- Check Point warns that Salesforce tools are being used in phishing attacks
- The attacks use Facebook's image as a lure
- The objective of the campaign is to steal Facebook login credentials
Cybercriminals have been observed abusing a legitimate business service to attack people and businesses with Facebook-related phishing emails.
Check Point researchers warned about the ongoing campaign on their blog, describing how the criminals used an automated mailing service that belongs to Salesforce as a marketing tool.
“In other words, they did not violate any service condition or Salesforce security systems,” said the researchers. “Rather, they normally use the service and choose not to change the sender’s ID. In this way, the e-mail is marked with the e-mail address noreply[at]salesforce[dot]com.”
Fake Facebook page
The body of the phishing email is nothing out of the ordinary. It is the usual “your Facebook account is being examined” threat, in which victims are warned that their account will be suspended unless they “check” their contact details. The email contains a link to a fake Facebook support page, where sensitive information, such as passwords, is stolen.
The landing page carries a poor imitation of the Facebook logo (it reads “Facelook”; the crooks apparently wanted the letters “lo” to look like the letter “B”).
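Because the mail is sent through the real service, the sender domain is genuine, and the useful signal is the gap between the brand the message invokes and the domains it actually comes from and links to. The following is an added example, not code from Check Point or Salesforce, of that brand-versus-sender check; the allowlist, the sample message and the link host are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: domains each brand legitimately sends from or links to.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "meta.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable(host):
    """Reduce a host to its last two labels (a production check would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_mismatch(raw_message):
    """Return (brand, kind, domain) findings where a named brand matches neither sender nor links."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = registrable(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    links = {registrable(h) for h in hosts if h}
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # the message does not invoke this brand at all
        if sender not in domains:
            findings.append((brand, "sender", sender))
        findings.extend((brand, "link", d) for d in sorted(links - domains))
    return findings

# Constructed sample modelled on the lure described above; the link host is a placeholder.
SAMPLE = """\
From: Facebook Support <noreply@salesforce.com>
Subject: Your Facebook account is being examined
Content-Type: text/plain; charset=utf-8

Check your contact details to avoid suspension:
https://facelook-support.example/verify
"""

if __name__ == "__main__":
    for finding in brand_mismatch(SAMPLE):
        print(finding)
```

A finding here is a triage signal rather than a verdict, since legitimate newsletters also mention brands they do not belong to.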
Check Point says that more than 12,200 of these emails have been sent so far, with “hundreds” targeting different companies. The majority of targets are in the EU (45.5%) and the United States (45%), with the remaining 9.5% targeting Australia.
“Nevertheless, versions of notifications have also been found in Chinese and Arabic, showing that the campaign was targeting companies in geographic places,” said Check Point.
Phishing continues to be one of the most popular attack vectors in 2025. It is cheap, scalable and omnipresent, which makes it an excellent tool for cybercriminals. And with generative AI entering the mix, phishing has become the ideal way to get victims to share login credentials or install malware.