Particle.news

Voice phishing campaign uses fake Salesforce Data Loader to steal and extort corporate data

Google traces the UNC6040 operation to around 20 organizations, revealing months-long intrusions before extortion demands

The company logo for Salesforce.com is displayed on the Salesforce Tower in New York City, U.S., March 7, 2019. REUTERS/Brendan McDermid/File Photo

Overview

  • UNC6040 hackers place voice calls that trick employees into approving a counterfeit Salesforce Data Loader connected app
  • Once installed, the malicious tool grants attackers broad rights to access, query and exfiltrate sensitive information and move laterally across networks
  • Approximately 20 companies in Europe and the Americas have been targeted, with some experiencing successful data theft followed by delayed extortion demands
  • Attackers hide their infrastructure behind Mullvad VPN addresses and maintain ties to the loosely organized Com cybercrime ecosystem
  • Salesforce stresses its platform remains secure and advises clients to restrict API permissions, block untrusted VPNs and enhance employee cybersecurity training