Article Details

Scrape Timestamp (UTC): 2025-06-04 15:08:42.081

Source: https://www.theregister.com/2025/06/04/fake_it_support_calls_hit/

Original Article Text


Fake IT support calls hit 20 orgs, end in stolen Salesforce data and extortion, Google warns

Victims include hospitality, retail and education sectors.

A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce's Data Loader that allows the crims to steal sensitive data.

Google Threat Intelligence Group (GTIG) tracks this crew as UNC6040, and in research published today said they specialize in voice-phishing campaigns targeting Salesforce instances for large-scale data theft and extortion. These attacks began around the beginning of the year, GTIG principal threat analyst Austin Larsen told The Register.

"Our current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20," he said. "We've seen UNC6040 targeting hospitality, retail, education and various other sectors in the Americas and Europe."

The criminals are really good at impersonating IT support personnel and convincing employees at English-speaking branches of multinational corporations to download a modified version of Data Loader, a Salesforce app that allows users to export and update large amounts of data.

And while these tactics sound a lot like those used by Scattered Spider's crime crawlers, Larsen said UNC6040 is its own group, albeit with some overlap with another loosely organized band of miscreants, The Com.

"GTIG has identified some broad overlaps between UNC6040 and activity associated with the underground community The Com, which includes threat groups such as Scattered Spider," he noted. "However, UNC6040 appears to be distinct from UNC3944, which overlaps with a subset of Scattered Spider activity."
On these social engineering phone calls, the crooks, pretending to be IT support, persuade the victims to open the Salesforce connected app setup page, the feature that allows other applications to integrate with Salesforce and share data. The setup page asks the user to enter an eight-digit connection code to connect a third-party app; UNC6040 reads this code out over the phone, and entering it links the attacker-controlled Data Loader to the victim's Salesforce environment.

UNC6040's infrastructure used to access Salesforce applications also hosted an Okta phishing panel, which they use to trick victims into visiting from their mobile phones or work computers.

"In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration and subsequent lateral movement," according to the Google report.

Salesforce in March published guidance on how customers can protect their environment from these types of attacks that involve fake IT personnel phone calls. In the advisory, Salesforce warns of voice phishing being used to steal MFA tokens and trick victims into installing modified versions of Data Loader, so we'd suggest giving that a read, too.

And after initially stealing the victim orgs' Salesforce data, UNC6040 sometimes moves sideways through the network, accessing and stealing sensitive info from other platforms including Okta, Workplace, and Microsoft 365. In some cases, the extortion happened several months after the initial break-in, according to Google.

"This could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data," Larsen said. "To date, we haven't seen any instances of UNC6040 deploying ransomware during this campaign."
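The modified Data Loader authenticates to Salesforce as Data Loader, so the login record alone does not distinguish it from the legitimate tool; what stands out in the pattern described above is a user who has never used Data Loader suddenly authenticating with it, from infrastructure that is not the company's. The following hunt script, an added example that is not code from the article, from Salesforce or from Google's report, runs that logic over a LoginHistory-style CSV export. Its column names mirror Salesforce's LoginHistory object (UserId, LoginTime, SourceIp, Application, ApiType, Status), but the rows, usernames, the "Data Loader" application label and the corporate IP ranges are constructed placeholders to be replaced with your own.

```python
"""Hunt a Salesforce login-history export for Data Loader use that is new for the
user and/or comes from outside the corporate network.

Added example, not code from the article, Salesforce or Google's report.
Assumptions: column names follow Salesforce's LoginHistory object; the sample rows,
the "Data Loader" Application label and the corporate ranges are constructed.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

BULK_TOOL_APPS = {"Data Loader"}     # assumed Application label(s) to watch
BASELINE_DAYS = 30                   # history a user needs before the tool counts as usual
CORPORATE_RANGES = [                 # assumed corporate egress ranges (TEST-NET space)
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample export: alice is a long-time Data Loader user, bob and carol are not.
SAMPLE_LOGIN_HISTORY = """\
UserId,Username,LoginTime,SourceIp,Application,ApiType,Status
005A,alice@example.com,2024-11-01T08:15:00Z,203.0.113.10,Data Loader,Partner,Success
005A,alice@example.com,2025-01-06T09:12:00Z,203.0.113.10,Data Loader,Partner,Success
005A,alice@example.com,2025-01-20T18:40:00Z,192.0.2.9,Data Loader,Partner,Success
005B,bob@example.com,2025-01-14T10:30:00Z,203.0.113.22,Browser,N/A,Success
005B,bob@example.com,2025-02-03T14:47:00Z,192.0.2.77,Data Loader,Partner,Success
005B,bob@example.com,2025-02-03T14:48:00Z,192.0.2.77,Data Loader,Partner,Success
005C,carol@example.com,2025-02-03T15:02:00Z,198.51.100.5,Data Loader,Partner,Success
"""


def parse_login_history(text):
    """Parse a LoginHistory-style CSV export into dicts sorted by login time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LoginTime"] = datetime.strptime(row["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    rows.sort(key=lambda r: r["LoginTime"])
    return rows


def is_corporate(ip, ranges=CORPORATE_RANGES):
    """True when the source address falls inside one of the known corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_suspicious_bulk_logins(rows, ranges=CORPORATE_RANGES, baseline_days=BASELINE_DAYS):
    """One finding per successful bulk-tool login that is new for the user and/or external.

    Severity is "high" when both signals fire (a never-before-seen Data Loader user
    connecting from outside the corporate network), otherwise "medium".
    """
    findings = []
    if not rows:
        return findings
    first_bulk_login = {}                                   # UserId -> earliest bulk-tool login
    warmup_end = rows[0]["LoginTime"] + timedelta(days=baseline_days)
    for row in rows:                                        # rows are time-ordered
        if row["Application"] not in BULK_TOOL_APPS or row["Status"] != "Success":
            continue
        uid = row["UserId"]
        first_bulk_login.setdefault(uid, row["LoginTime"])
        if row["LoginTime"] < warmup_end:
            continue        # the export has no history before its first row; avoid false "new" hits
        reasons = []
        new_tool = row["LoginTime"] - first_bulk_login[uid] < timedelta(days=baseline_days)
        if new_tool:
            reasons.append("first %s use by this user within %d days" % (row["Application"], baseline_days))
        external = not is_corporate(row["SourceIp"], ranges)
        if external:
            reasons.append("source IP %s outside corporate ranges" % row["SourceIp"])
        if not reasons:
            continue
        findings.append({
            "user": row["Username"],
            "time": row["LoginTime"].isoformat(),
            "source_ip": row["SourceIp"],
            "severity": "high" if new_tool and external else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bulk_logins(parse_login_history(SAMPLE_LOGIN_HISTORY)):
        print(f["severity"].upper(), f["user"], f["time"], "; ".join(f["reasons"]))
```

On the constructed rows the script stays quiet for alice's routine office use, flags her one off-network session as medium, and rates bob's two first-ever Data Loader logins from an outside address as high, the shape the article describes. The warm-up skip matters on real exports too: pull more than BASELINE_DAYS of history, or the first weeks of every established user's activity will look new.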

Daily Brief Summary

CYBERCRIME // Scammers Extort Companies via Fake Salesforce IT Support Calls

The Google Threat Intelligence Group has identified a cybercrime group, designated as UNC6040, which is exploiting Salesforce users through fake IT support calls.

Approximately 20 organizations across sectors like hospitality, retail, and education in the Americas and Europe have fallen victim to this scam.

The attackers impersonate IT support personnel and coax employees into installing a malicious version of the Salesforce Data Loader, enabling them to exfiltrate sensitive data.

During the support call, UNC6040 reads out an eight-digit connection code for the victim to enter on Salesforce's connected app setup page, which links the attacker-controlled Data Loader to the victim's Salesforce environment.

The same infrastructure used by UNC6040 also hosted phishing panels aimed at deceiving users into submitting credentials and multifactor authentication codes.

After initial data theft, the attackers engaged in lateral movement within the networks, accessing platforms like Okta, Workplace, and Microsoft 365 for further information theft.

Some victims faced extortion months after the initial breach, indicating possible collaboration between UNC6040 and other cybercriminal entities.

Salesforce has issued guidance on mitigating such attacks, emphasizing the risks of voice phishing aimed at stealing MFA tokens and installing unauthorized applications.