New Vishing Threat ‘Particularly Effective’ at Tricking Employees to Steal Salesforce Data

Instances of Salesforce inside organizations have become targets of voice phishing (vishing) campaigns that aim to compromise large amounts of data and apply extortion tactics. The threat known as UNC6040 “has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements” over the past several months, according to Google Threat Intelligence Group (GTIG), which is tracking the vishing campaign.

UNC6040 “has proven particularly effective” in tricking employees into sharing sensitive credentials, ultimately resulting in the theft of an organization’s Salesforce data. The targets are often English-speaking branches of multinational corporations.

“In the past year, we’ve observed an uptick in the use of vishing for initial access,” Genevieve Stark, head of cybercrime and hacktivism analysis at GTIG, told TechRepublic. “Many of these incidents have targeted IT support staff, who typically have elevated privileges for managing accounts and installing software.”

To date, about 20 organizations have been affected, GTIG said.

Victims unknowingly authorize an illegitimate data loader app

The actor deceives victims into authorizing a malicious connected app, often an unauthorized and modified version of Salesforce’s Data Loader, to access their organization’s Salesforce portal.

Salesforce designed Data Loader to efficiently import, export, and update large volumes of data within its platform.

During a vishing call, the actor directs the victim to Salesforce’s connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.

In some cases, extortion attempts aren’t observed until months after UNC6040 is given access to Salesforce, which GTIG says “could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.”

Vishing threat seeks user credentials and MFA authentication codes

UNC6040 has demonstrated lateral movement by leveraging applications on the Salesforce platform to access an Okta phishing panel. Victims are tricked into visiting this panel from their mobile phones or work computers during the social engineering calls.

To authenticate and add the Salesforce Data Loader application, UNC6040 has also directly requested user credentials and multifactor authentication (MFA) codes to facilitate data exfiltration and further lateral movement.

How to reduce vishing attacks

Given that threat actors conducting vishing attacks often leverage social engineering tactics to reset account passwords, Stark recommends that organizations, follow these tips to mitigate their risk.

• Rigorously verify identity: Train service desk personnel to confirm employee identity before any account modifications or sharing of security-sensitive information, especially for privileged accounts.
• Enforce least privilege: Grant users only essential permissions, particularly for data access tools.
• Implement out-of-band verification: For high-risk changes such as MFA resets and privileged password changes, use secondary verification methods such as call-backs or corporate email confirmations.
• Apply IP-based access restrictions: Limit unauthorized access attempts, including those from commercial VPNs.

Keep your entertainment at your fingertips with the Amazon Fire TV Stick 4K! Enjoy streaming in 4K Ultra HD with access to top services like Netflix, Prime Video, Disney+, and more. With an easy-to-use interface and voice remote, it’s the ultimate streaming device, now at only $21.99 — that’s 56% off!

With a 4.7/5-star rating from 43,582 reviews and 10K+ bought in the past month, it’s a top choice for home entertainment! Buy Now for $21.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!