Particle.news
Download on the App Store
5 ARTICLES
·
3w ago

Voice phishing campaign uses fake Salesforce Data Loader to steal and extort corporate data

Google traces the UNC6040 operation to around 20 organizations, revealing months-long intrusions before extortion demands

The company logo for Salesforce.com is displayed on the Salesforce Tower in New York City, U.S., March 7, 2019. REUTERS/Brendan McDermid/File Photo
Image
Image
Image

Overview

  • UNC6040 hackers place voice calls that trick employees into approving a counterfeit Salesforce Data Loader connected app
  • Once installed, the malicious tool grants attackers broad rights to access, query and exfiltrate sensitive information and move laterally across networks
  • Approximately 20 companies in Europe and the Americas have been targeted, with some experiencing successful data theft followed by delayed extortion demands
  • Attackers hide their infrastructure behind Mullvad VPN addresses and maintain ties to the loosely organized Com cybercrime ecosystem
  • Salesforce stresses its platform remains secure and advises clients to restrict API permissions, block untrusted VPNs and enhance employee cybersecurity training