Hackers Exploit Voice Phishing to Steal Salesforce Data from 20+ Companies

BigGo Editorial Team

Cybersecurity researchers have uncovered a social engineering campaign against organizations that use Salesforce, in which attackers impersonate internal IT support staff to obtain access to sensitive customer data. At least 20 organizations across the United States and Europe have been compromised, a reminder that attacks aimed at people rather than at software remain effective in enterprise environments.

The Voice Phishing Attack Method

The cybercriminals behind this campaign rely on vishing, or voice phishing, a deceptively simple but effective approach. Attackers phone employees directly, posing as IT support personnel from the employee's own organization. During the call, the unsuspecting worker is walked through visiting a fraudulent Salesforce setup page and downloading what is presented as the legitimate Salesforce Data Loader, Salesforce's own bulk import and export tool.

The modified tool looks identical to the genuine one, but once it is installed and connected to the victim's account it gives the attackers direct, API-level access to the organization's Salesforce data under that user's permissions. From there the criminals can immediately query and export large volumes of customer records and business data, at the pace a bulk tool is designed for. In other cases the callers skip the tool entirely and simply ask the employee to read out login credentials and multi-factor authentication codes over the phone, a request that no legitimate help desk makes.


Attribution and Criminal Network Connections

Google's Threat Intelligence Group has identified the primary group behind these attacks as UNC6040, which specializes in voice-based social engineering techniques. However, the operation appears to involve multiple criminal entities working in coordination. The actual extortion demands often don't surface until months after the initial data theft, suggesting a secondary group handles the monetization phase of the operation.

These attackers have demonstrated connections to a broader cybercriminal ecosystem known as The Com, a loosely affiliated network of hackers based primarily in the United States, the United Kingdom, and Western Europe. Members of this collective, including the notorious Scattered Spider group, have previously been linked to high-profile attacks involving IT staff impersonation and to SIM-swapping operations used to steal cryptocurrency.

Technical Infrastructure and Access Methods

The attackers take steps to hide their origin. They reach compromised Salesforce environments through Mullvad VPN exit addresses, which complicates attribution and tracking for security teams; for defenders it also means the malicious Data Loader sessions arrive from IP ranges the organization does not own. Once initial access is established, the criminals move laterally into other cloud platforms, including Microsoft 365 and Okta.

The group's methodology goes beyond a single stolen password. They harvest authentication material through several channels, including the modified tool and the credentials and MFA codes read out during the call, and reuse it to establish persistent access across the target organization's cloud services.
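The two traces this campaign leaves in Salesforce's own login records are a bulk client (Data Loader) connecting from a network the organization does not own, such as the VPN exit addresses mentioned above, and an API client that IT never approved. The Python below triages LoginHistory-style records for both signals. It is an added example, not code from the article, Google or Salesforce. The field names follow Salesforce's LoginHistory object (Application, SourceIp, Status, LoginTime); the records, the corporate network ranges, the approved-client list and the "Support Helper" app name are constructed for the demonstration.

```python
"""Triage Salesforce LoginHistory-style records for the vishing/Data Loader pattern.

Added example. Field names mirror Salesforce's LoginHistory object; the network
ranges, allowlist and login records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges; RFC 5737 documentation blocks stand in for real ones.
CORP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Assumed allowlist of API client names IT expects to see in LoginHistory.Application.
# "Browser" is what Salesforce records for interactive UI logins.
APPROVED_API_APPS = {"Data Loader Partner", "Data Loader Bulk"}

BULK_FROM_UNKNOWN_NETWORK = "bulk export client from a network the organization does not own"
UNAPPROVED_API_CLIENT = "API client not on the approved connected-app list"


@dataclass(frozen=True)
class LoginRecord:
    user: str
    application: str
    source_ip: str
    status: str
    login_time: str  # ISO 8601, kept for the analyst; not used by the rules


def is_corporate_ip(ip: str) -> bool:
    """True when the address falls inside one of the known corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def is_bulk_client(application: str) -> bool:
    """Match the Data Loader variants ("Data Loader Partner", "Data Loader Bulk", ...).

    A malicious build that registers under a different name is caught by the
    unapproved-client rule instead.
    """
    return "dataloader" in application.lower().replace(" ", "")


def triage(records, corp_check=is_corporate_ip, approved=APPROVED_API_APPS):
    """Return one finding per successful login that matches either rule."""
    findings = []
    for rec in records:
        if rec.status != "Success":
            continue  # failed attempts cannot export data; review them separately
        app = rec.application
        if is_bulk_client(app) and not corp_check(rec.source_ip):
            reason = BULK_FROM_UNKNOWN_NETWORK
        elif app != "Browser" and app not in approved:
            reason = UNAPPROVED_API_CLIENT
        else:
            continue
        findings.append({"user": rec.user, "application": app,
                         "source_ip": rec.source_ip, "time": rec.login_time,
                         "reason": reason})
    return findings


# Constructed sample records. 192.0.2.0/24 stands in for a commercial VPN exit range.
SAMPLE_LOGINS = [
    LoginRecord("alice", "Browser", "203.0.113.10", "Success", "2025-06-02T09:01:00Z"),
    LoginRecord("alice", "Data Loader Partner", "203.0.113.10", "Success", "2025-06-02T09:05:00Z"),
    LoginRecord("bob", "Data Loader Partner", "192.0.2.44", "Success", "2025-06-02T11:40:00Z"),
    LoginRecord("carol", "Support Helper", "198.51.100.7", "Success", "2025-06-02T12:10:00Z"),
    LoginRecord("dave", "Data Loader Partner", "192.0.2.9", "Invalid Password", "2025-06-02T12:30:00Z"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGINS):
        print(f"{f['time']} {f['user']:<6} {f['application']:<20} {f['source_ip']:<15} {f['reason']}")
```

In a real environment the records come from a SOQL query against LoginHistory (UserId, Application, SourceIp, Status, LoginTime) or from Event Monitoring exports, and the corporate ranges come from the network team. The same facts also drive preventive controls Salesforce already offers: login IP ranges on profiles stop the Mullvad session outright, and restricting connected apps to admin-approved users stops an employee from authorizing a client IT never vetted, whether or not the employee believed the caller.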

Industry Impact and Recent Breach Context

This campaign emerges against a backdrop of escalating cyberattacks on major retailers and corporations. Recent months have seen significant incidents at prominent brands including Marks & Spencer Group, which faces a GBP 300 million hit to operating profit from an April ransomware attack. Other affected organizations include Co-op Group, Adidas AG, Victoria's Secret & Co., Cartier, and The North Face, though Google's research does not definitively link these incidents to the Salesforce-focused campaign.

Platform Security and Vendor Response

Both Google and Salesforce emphasize that these attacks exploit human vulnerabilities rather than technical flaws in the platforms themselves. Salesforce representatives confirmed that no inherent vulnerabilities in their services contributed to these breaches. The company had previously warned customers about similar social engineering tactics in a March blog post, providing guidance for protection against such attacks.

The incidents underscore the persistent challenge of social engineering, where even well-trained employees can fall for a convincing impersonation. Despite extensive security awareness programs, attackers continue to succeed through direct human manipulation rather than technical exploitation, which is why controls that do not depend on the employee spotting the ruse matter: restricting which connected apps users may authorize, limiting logins to known IP ranges, and treating any request for an MFA code over the phone as a red flag.