Google Warns Customers of Data Breach via Fake Salesforce App

Google’s Threat Intelligence Group (GTIG) has issued a warning after uncovering a financially motivated hacking group, UNC6040, that is targeting its customers. The group is using a sophisticated social engineering technique known as “vishing” (voice phishing) to trick employees into installing a malicious, counterfeit version of the Salesforce Data Loader application. The hackers, posing as IT support staff, have successfully gained unauthorized access to customer Salesforce environments, allowing them to exfiltrate sensitive data. GTIG emphasizes that this is not a vulnerability within the Salesforce platform itself, but rather a result of human manipulation. The attacks have primarily targeted companies across Europe and the Americas. After breaching the Salesforce environment, the UNC6040 group attempted to pivot to other cloud services, including Okta and Microsoft 365, underscoring the interconnected risks of these attacks. This incident highlights the need for companies to reinforce employee security training and to implement multi-factor authentication as a standard practice.