Fake IT support voice calls lead to cyber extortion and stolen company data
Hackers are tricking employees into downloading malware

- Google experts warning of ongoing vishing campaign
- Threat actors impersonate IT support and trick people into downloading malware
- They use fake Salesforce apps to steal data
Around 20 companies lost their data when cybercriminals impersonated Salesforce and tricked them into downloading malicious software, experts have warned.
A new Google Threat Intelligence Group (GTIG) report has revealed how a threat actor tracked as UNC6040 has been targeting organizations in the West for months now.
They would call businesses in hospitality, retail, education, and other verticals and, pretending to be IT support, trick employees into downloading and installing a tainted version of Salesforce Data Loader. Data Loader is a client application used to bulk import, export, update, delete, or insert data in Salesforce. It is primarily used by administrators and developers to handle large volumes of data that can’t easily be managed through the Salesforce web interface.
"Significant capabilities"
By installing the malicious program, the victims would grant UNC6040 “significant capabilities” to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments, GTIG explained.
Google also said that months would pass between the data theft and the moment the attackers reached out to extort the victim for money.
This, the researchers speculate, could mean that one group is doing the stealing, and another one the negotiating. UNC6040 has claimed affiliation with groups such as ShinyHunters in the past, and could be part of “The Com”, a large, loosely-connected collective of cybercriminals.
Infamous groups such as Scattered Spider are also part of this underground ecosystem.
Finally, Google stressed that in all observed cases, the attackers relied on manipulation and tricks, targeting the people, not the system.
No vulnerabilities inherent to Salesforce were found, or used, in this campaign. Therefore, the best way to defend against this, and other similar campaigns, would be to educate employees on the dangers of phishing and its variants (smishing, vishing, quishing, and others).
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.