A financially motivated criminal operation has compromised roughly 20 organizations across several sectors by talking employees into authorizing a malicious Salesforce connected app over the phone. The campaign, attributed by Google's Threat Intelligence Group to a cluster it tracks as UNC6040, has hit hospitality, retail, education and other sectors at organizations in Europe and the Americas since the beginning of the year.
The attackers rely on well-rehearsed social engineering rather than on any flaw in Salesforce itself. Posing as Salesforce or internal IT support, they phone an employee, steer them to Salesforce's connected-app authorization page and talk them through approving a modified copy of the legitimate Data Loader tool, sometimes registered under an innocuous app name. Because the authorization flow, branding and terminology are genuine Salesforce, the request looks routine, which is what makes the deception effective. No zero-day or software vulnerability is involved: the access is granted by the victim.
Attackers use sophisticated voice phishing to direct victims toward fraudulent Salesforce applications featuring authentic branding and technical terminology.
During these calls the attacker guides the employee step by step through the installation and authorization flow, singling out staff whose Salesforce permissions allow them to approve third-party apps and run exports. The callers know the real procedures, reference them accurately and use the right terminology, which buys credibility. This sidesteps conventional awareness training, which typically covers phishing email and credential theft but rarely the authorization of a malicious OAuth app during a live call.
Once the app is authorized, the attackers hold an OAuth token that lets them query and export Salesforce data in bulk through the same API the real Data Loader uses, so the exfiltration resembles ordinary tool usage. Several incidents went beyond Salesforce: credentials obtained during the calls were used to move laterally into other cloud services (Google reported Okta, Workplace and Microsoft 365 among them), and extortion demands followed the theft of sensitive corporate and customer data, in some cases months later.
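The pattern described above leaves a recognisable trail in Salesforce audit data: a fresh OAuth grant to an app nobody vetted, followed within minutes by bulk API logins from an address outside the company's egress ranges. The script below is an added example of a hunt for that sequence; it is not code from the original article or from Google or Salesforce. The record shapes loosely follow the Salesforce OauthToken and LoginHistory objects, but the field names, the allowlist of approved apps, the corporate network ranges and every sample record are assumptions constructed for illustration.

```python
"""Hunt for vished connected-app authorizations in Salesforce audit data.

Added example, not code from the original article or from Google/Salesforce.
Record shapes loosely follow the Salesforce OauthToken and LoginHistory
objects, but the field names, allowlist, network ranges and every sample
record below are assumptions constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).
OAUTH_TOKENS = [
    {"UserId": "005A", "AppName": "Salesforce Data Loader",
     "CreatedDate": "2025-05-12T09:02:00"},
    {"UserId": "005B", "AppName": "My Ticket Portal",
     "CreatedDate": "2025-05-12T14:21:00"},
    {"UserId": "005C", "AppName": "Salesforce Mobile",
     "CreatedDate": "2025-05-11T08:00:00"},
]
LOGIN_HISTORY = [
    {"UserId": "005A", "LoginTime": "2025-05-12T09:05:00", "SourceIp": "10.20.3.7",
     "Application": "Salesforce Data Loader", "ApiType": "SOAP", "Status": "Success"},
    {"UserId": "005B", "LoginTime": "2025-05-12T14:25:00", "SourceIp": "198.51.100.23",
     "Application": "My Ticket Portal", "ApiType": "Bulk API 2.0", "Status": "Success"},
    {"UserId": "005C", "LoginTime": "2025-05-12T07:40:00", "SourceIp": "192.0.2.5",
     "Application": "Salesforce Mobile", "ApiType": "N/A", "Status": "Success"},
]

# Assumed org policy: apps that admins have vetted, and the office/VPN egress ranges.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce Mobile"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]
# A bulk export soon after a fresh authorization is the Data Loader abuse pattern.
GRANT_TO_BULK_WINDOW = timedelta(hours=2)


def in_corporate_net(ip: str) -> bool:
    """True if the source address falls inside an assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspicious_grants(tokens, logins, approved=APPROVED_APPS,
                           window=GRANT_TO_BULK_WINDOW):
    """Return one finding per OAuth grant that matches the abuse pattern."""
    findings = []
    for tok in tokens:
        reasons = set()
        if tok["AppName"] not in approved:
            reasons.add("connected app not on allowlist")
        granted = datetime.fromisoformat(tok["CreatedDate"])
        for lg in logins:
            if (lg["UserId"] != tok["UserId"]
                    or lg["Application"] != tok["AppName"]
                    or lg["Status"] != "Success"):
                continue
            # Interactive (non-API) logins from outside the office are normal;
            # only API clients are held to the corporate-network expectation.
            if lg["ApiType"] != "N/A" and not in_corporate_net(lg["SourceIp"]):
                reasons.add(f"API login from non-corporate IP {lg['SourceIp']}")
            elapsed = datetime.fromisoformat(lg["LoginTime"]) - granted
            if "Bulk" in lg["ApiType"] and timedelta(0) <= elapsed <= window:
                reasons.add("bulk API use shortly after authorization")
        if reasons:
            findings.append({"UserId": tok["UserId"], "AppName": tok["AppName"],
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_grants(OAUTH_TOKENS, LOGIN_HISTORY):
        print(f"{f['UserId']} {f['AppName']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, only the "My Ticket Portal" grant is flagged, on all three counts; the real Data Loader session from the corporate network and the mobile login from a home address are left alone. In a live org the two lists would come from SOQL over OauthToken and LoginHistory (or the equivalent EventLogFile exports), and the allowlist should be the set of connected apps admins have pre-authorized, so that any grant outside it is worth a call back to the user over a known-good channel.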
Google has observed overlaps between UNC6040 and "The Com", a loosely organized online community tied to fraud, extortion and, in some cases, real-world violence, and notes tactical similarities to Scattered Spider, though it tracks UNC6040 as a distinct cluster. The motive is financial: large-scale data theft followed by attempts to monetize it. Notably, no ransomware was deployed in this campaign, which sets it apart from many groups using similar initial access; here the monetization path is exfiltration and extortion.
The weaknesses the campaign exploits are organizational rather than technical: no out-of-band verification before a connected app is authorized, users who can self-authorize OAuth apps instead of having admins pre-approve them, multi-factor authentication that protects the login but not the later authorization of a new app (the vished user is already signed in), and a habit of acting on unverified remote IT support calls. English-speaking branches of multinational companies have been specifically targeted.
Both Google and Salesforce have issued security advisories, urging organizations to independently verify IT support requests through established channels before complying with installation directives.