Fake IT Support Calls Hit 20 Orgs, End in Stolen Salesforce Data and Extortion, Google Warns (theregister.com) 8

A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce's Data Loader that allows the criminals to steal sensitive data. From a report: Google Threat Intelligence Group (GTIG) tracks this crew as UNC6040, and in research published today said they specialize in voice-phishing campaigns targeting Salesforce instances for large-scale data theft and extortion.

These attacks began around the beginning of the year, GTIG principal threat analyst Austin Larsen told The Register. "Our current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20," he said. "We've seen UNC6040 targeting hospitality, retail, education and various other sectors in the Americas and Europe." The criminals are very good at impersonating IT support personnel and convincing employees at English-speaking branches of multinational corporations to download a modified version of Data Loader, a Salesforce app that allows users to export and update large amounts of data.

  • by Joe_Dragon ( 2206452 ) on Wednesday June 04, 2025 @01:21PM (#65427531)

    Blame outsourcing for parts of this.
    Like on both sides, vendor and organization.

    • by mjwx ( 966435 )

      Blame outsourcing for parts of this.
      Like on both sides, vendor and organization.

      But also remember that there are just as many dumb people here... and outsourcing hasn't affected them nearly as much.

  • Wonder if it might help mitigate this if one used SSO with Salesforce, and there, used phish-resistant authentication. This way, it makes it a lot harder because the user would actively have to change things to give an attacker info.

    • If you can get a user working with you, you can get them to do a Sign-In. It is a game of social engineering.

    • It has nothing to do with technology; it's just a phishing hit. Stupid people are always going to do stupid things.

      I'm sure they already are using SSO; it's been a standard banking regulation for a decade now at the Fortune 100 size.

      • Phish-resistant SSO is a step above TOTP. It is either the user selecting one of a few multiple choices, or using an auth token like a YubiKey. This ensures that the authenticator has its own path, authenticates to the site in question, and is highly resistant to MITM attacks.

        For most things, Google Authenticator and TOTP work well, but this is just the next step up.

  • In other words... (Score:5, Insightful)

    by YuppieScum ( 1096 ) on Wednesday June 04, 2025 @03:15PM (#65427836) Journal

    Large companies have been cutting costs by ditching experienced and capable staff and replacing them with poorly-trained/gullible/out-sourced people who nevertheless have sufficient system privileges and lack of oversight to download and run random executables from the internet.

    Until the C-suite types responsible for this sort of idiocy are fired, fined and prosecuted, nothing will change.

  • “On these social engineering phone calls, the crooks persuade the victims to open the Salesforce connect setup page — this feature allows other applications to integrate with Salesforce and share data — by pretending to be IT support. The set-up page asks the user to enter an eight-digit connection code to connect to third-party apps; UNC6040 provides this code over the phone, and this links the attacker-controlled Data Loader to the victim's Salesforce environment.”
