Fake IT support voice calls lead to cyber extortion and stolen company data
Hackers are tricking employees into downloading malware that exfiltrates important data.
- Google experts warning of ongoing vishing campaign
- Threat actors impersonate IT support and trick people into downloading malware
- They use fake Salesforce apps to steal data
Around 20 companies lost their data when cybercriminals impersonated Salesforce and tricked them into downloading malicious software, experts have warned.
A new Google Threat Intelligence Group (GTIG) report has revealed how a threat actor tracked as UNC6040 has been targeting organizations in the West for months now.
They would call businesses in hospitality, retail, education, and other verticals on the phone, and pretending to be IT support, trick the employees into downloading and installing a tainted version of Salesforce Data Loader, a client application used to bulk import, export, update, delete, or insert data in Salesforce, primarily used by administrators and developers to handle large volumes of data that can’t easily be managed through the Salesforce web interface.
"Significant capabilities"
By installing the malicious program, the victims would grant UNC6040 “significant capabilities” to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments, GTIG explained.
Google also said that months would pass between the time they would steal the data, and the moment they would reach out trying to extort the victim for money.
This, the researchers speculate, could mean that one group is doing the stealing, and another one the negotiating. UNC6040 has claimed affiliation with groups such as ShinyHunters in the past, and could be part of “The Com”, a large, loosely-connected collective of cybercriminals.
Infamous groups such as Scattered Spider are also part of this underground ecosystem.
Finally, Google stressed that in all observed cases, the attackers relied on manipulation and tricks, targeting the people, not the system.
No vulnerabilities inherent to Salesforce were found, or used, in this campaign - therefore, the best way to defend against this, and other similar campaigns, would be to educate employees on the dangers of phishing and their variants (smishing, vishing, quishing, and others).
You might also like
- The power of vishing: Why it's effective and how to avoid falling victim
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
