Why Are Cybercriminals Successfully Stealing Salesforce Data Through Phone Calls?
A sophisticated cybercriminal group designated UNC6040 has launched a targeted campaign against Salesforce users, employing voice phishing (vishing) techniques to compromise enterprise cloud environments and steal sensitive data. This ongoing threat demonstrates how social engineering continues to evolve as a primary attack vector against cloud-based business platforms.
Understanding the Vishing Attack Vector
Voice phishing represents a particularly insidious form of social engineering where cybercriminals conduct fraudulent telephone calls to extract sensitive information from unsuspecting victims. Unlike traditional phishing emails, vishing attacks leverage human psychology through direct voice communication, making them significantly more persuasive and difficult to detect.
The attackers employ sophisticated techniques including:
- Spoofed phone numbers to appear legitimate
- Voice-altering software to mask their identity
- Social engineering scripts designed to build trust
- Impersonation of trusted IT support personnel
UNC6040’s Salesforce Exploitation Strategy
The threat actors specifically target Salesforce environments by masquerading as legitimate IT support staff. Their primary objective involves convincing employees to install compromised versions of Salesforce’s Data Loader application – a legitimate tool designed for bulk data import and export operations.
Key Attack Components:
- Fraudulent IT support calls to targeted employees
- Distribution of modified Data Loader applications
- Credential harvesting through malicious software
- Lateral movement into additional cloud services and internal networks
The modified applications function as data collection tools, capturing login credentials and sensitive information that employees input during what they believe are routine data management tasks. This stolen data subsequently enables attackers to penetrate deeper into organizational infrastructure.
Scope and Impact Assessment
Intelligence analysis indicates approximately 20 organizations have fallen victim to this campaign, which commenced several months ago and remains active. The attacks demonstrate a broad targeting approach across multiple sectors including hospitality, retail, education, and various industries throughout Europe and the Americas.
The threat group exhibits opportunistic behavior, suggesting they continuously seek vulnerable targets rather than focusing on specific high-value organizations. This approach maximizes their potential victim pool while reducing the likelihood of attracting concentrated security attention.
Post-Breach Monetization Tactics
UNC6040 employs a delayed monetization strategy, often waiting months after initial compromise before attempting extortion. This patience suggests either sophisticated operational security awareness or potential collaboration with secondary threat actors who specialize in data monetization.
During extortion attempts, the group has falsely claimed affiliation with other known cybercriminal organizations, including ShinyHunters, likely to increase psychological pressure on victims and enhance their perceived threat credibility.
Infrastructure and Attribution Analysis
Google Threat Intelligence Group research has identified significant overlaps in infrastructure and tactics between UNC6040 and “The Com,” an underground cybercriminal community. This connection suggests UNC6040 operates within a broader ecosystem of related threat actors, including UNC3944 (also known as Scattered Spider).
Technical Indicators:
- Utilization of Okta phishing panels for credential harvesting
- Direct solicitation of multi-factor authentication codes
- Employment of Mullvad VPN infrastructure for data exfiltration
- Shared tactics, techniques, and procedures with related threat groups
Defensive Recommendations
Organizations can implement several protective measures to defend against these vishing attacks:
- Establish strict verification protocols for IT support requests
- Implement application whitelisting to prevent unauthorized software installation
- Conduct regular security awareness training focused on social engineering tactics
- Deploy endpoint detection and response solutions to identify suspicious applications
- Require multiple authorization levels for Data Loader installations
- Monitor network traffic for unusual data exfiltration patterns
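The last recommendation can be made concrete on the Salesforce side rather than only at the network layer: bulk exports made through Data Loader that are unusually large, or that originate from an address outside the organisation's own ranges (as a commercial VPN exit would), are the pattern this campaign leaves behind. The following is an added illustration, not code from the original article or from Google's research; the record shape, field names, IP ranges and threshold are constructed assumptions and not Salesforce's real event schema.

```python
import ipaddress

# Constructed sample records in a simplified shape (field names are assumptions, not
# Salesforce's real schema): who exported, via which client, from where, and how many rows.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "app": "Data Loader", "op": "export",
     "src_ip": "203.0.113.10", "rows": 1200},
    {"user": "bob@corp.example", "app": "Data Loader", "op": "export",
     "src_ip": "198.51.100.77", "rows": 480000},
    {"user": "carol@corp.example", "app": "Data Loader", "op": "export",
     "src_ip": "203.0.113.22", "rows": 95000},
    {"user": "dave@corp.example", "app": "Browser", "op": "login",
     "src_ip": "198.51.100.5", "rows": 0},
]

# Address ranges the organisation considers its own (constructed example values).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPORT_ROW_THRESHOLD = 50_000  # rows per export above which a second look is wanted


def is_corporate(ip: str, ranges=CORPORATE_RANGES) -> bool:
    """True if ip falls inside any of the organisation's known ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def flag_suspicious_exports(events, ranges=CORPORATE_RANGES,
                            threshold=EXPORT_ROW_THRESHOLD):
    """Return one finding per Data Loader export that is large or comes from
    outside the corporate ranges (e.g. a commercial VPN exit)."""
    findings = []
    for e in events:
        if not (e["app"].lower().startswith("data loader") and e["op"] == "export"):
            continue  # only bulk exports by the Data Loader client are in scope here
        reasons = []
        if not is_corporate(e["src_ip"], ranges):
            reasons.append("source IP outside corporate ranges")
        if e["rows"] >= threshold:
            reasons.append(f"{e['rows']} rows exported (threshold {threshold})")
        if reasons:
            findings.append({"user": e["user"], "src_ip": e["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_exports(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['src_ip']}: {'; '.join(f['reasons'])}")
```

In practice the same logic would be fed from the platform's login and bulk-API event records and tuned to the organisation's normal export volumes, so that a legitimate administrator's routine job does not trip it while a first-time bulk pull from an unfamiliar address does.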
The campaign highlights the critical importance of human-centered security controls, as technical safeguards alone cannot prevent social engineering attacks that exploit human trust and authority relationships.