Google Alerts on Fraudulent Salesforce App Fueling Hacks

Hackers Use Simple Phone Calls

Hackers are getting creative by using nothing more than a phone call to start their attacks. They pretend to be IT support or trusted tech partners, calling employees directly. Their voices sound professional, calm, and convincing, making the request seem urgent but routine.

Once the employee trusts them, they guide them step-by-step to install a so-called “necessary update.” This update is actually a dangerous, modified app. By avoiding complicated hacks and simply exploiting trust, these cybercriminals can open doors to massive amounts of company data within minutes.

The Fake Salesforce App

Hackers create a fake version of Salesforce’s Data Loader that looks completely legitimate, from logos to interface. Once installed, it quietly collects sensitive company data without the employee realizing it.

The hackers cleverly designed it to avoid immediate suspicion, allowing them to gather information for extended periods. The longer it stays unnoticed, the more data it can quietly extract. This silent harvesting of valuable business records makes the attack extremely dangerous and hard to detect quickly.

What Data Loader Normally Does

Salesforce’s real Data Loader helps companies safely upload large volumes of customer data into the system. Employees depend on it to manage sales records, client details, financial transactions, and other vital information with ease.

Because it’s widely used in daily operations, many employees don’t question installing updates or versions of the app when prompted. This normal familiarity is exactly what the hackers exploit, turning an everyday tool into an unexpected doorway for massive data breaches.

How The Trap Gets Set

Hackers design the fake app to perfectly mimic Salesforce’s Data Loader, copying every detail from setup to interface. During calls from unknown numbers, employees are directed to a fake setup page, believing they’re following standard procedures.

Once permissions are granted, the hackers gain full control. Because the entire process feels so normal, most employees never suspect they’ve been tricked. This clever setup gives attackers deep access while leaving the victims completely unaware of the danger.

Full Access Gained Instantly

Once the malicious app is approved, hackers gain full access to company records in Salesforce, exposing financial, employee, and customer data. They can copy, alter, or delete critical files without immediate detection.

The speed of this takeover is alarming, allowing them to gather massive amounts of information quickly. By the time companies realize what’s happened, hackers often already hold critical data that can be used for blackmail or illegal sales.
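
One way a security team could review which apps employees have approved, as an added example that is not from the original article or from Salesforce. The record fields, app IDs, allowlist and sample data are constructed assumptions standing in for whatever export your admin tooling provides.

```python
import difflib
import unicodedata

# Assumption: identifiers of apps the security team has explicitly approved.
APPROVED_APP_IDS = {"APPROVED-ID-0001"}
# Names an impersonating app is likely to imitate (the article names Data Loader).
PROTECTED_NAMES = ["Data Loader"]

def normalize(name):
    """Fold case, width and punctuation so 'Data-Loader ' compares as 'dataloader'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def looks_like_protected(name, threshold=0.8):
    """True if the name contains or closely resembles a protected app name."""
    candidate = normalize(name)
    for protected in PROTECTED_NAMES:
        target = normalize(protected)
        ratio = difflib.SequenceMatcher(None, candidate, target).ratio()
        if target in candidate or ratio >= threshold:
            return True
    return False

def review_authorizations(records):
    """Return (severity, user, app_name, app_id) for every non-allowlisted app."""
    findings = []
    for rec in records:
        if rec["app_id"] in APPROVED_APP_IDS:
            continue  # explicitly approved, nothing to review
        # A lookalike name on an unapproved ID is the impersonation pattern.
        severity = "high" if looks_like_protected(rec["app_name"]) else "review"
        findings.append((severity, rec["user"], rec["app_name"], rec["app_id"]))
    return sorted(findings)

# Constructed sample records (hypothetical field names, users and IDs).
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "app_name": "Data Loader", "app_id": "APPROVED-ID-0001"},
    {"user": "bob@example.com", "app_name": "Data  Loader", "app_id": "UNKNOWN-ID-7777"},
    {"user": "carol@example.com", "app_name": "My Ticket Portal", "app_id": "UNKNOWN-ID-8888"},
    {"user": "dave@example.com", "app_name": "DataLoader Update", "app_id": "UNKNOWN-ID-9999"},
]

if __name__ == "__main__":
    for finding in review_authorizations(SAMPLE_RECORDS):
        print(finding)
```

The check keys on the app identifier rather than the display name, since a copied name and logo are exactly what the impersonating app gets right.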

Moving Deeper Into Networks

After breaching Salesforce, hackers move into other connected company systems using stolen credentials. These linked networks let them navigate between departments, expanding their access and potential damage.

This lateral movement allows them to gather even more sensitive information, including internal documents, private messages, and financial accounts. Each new system they breach gives them fresh opportunities to steal data, making the overall damage far more severe and widespread.

Targeting Cloud Services

Hackers use stolen credentials to infiltrate cloud platforms like Okta, Microsoft 365, and Workplace, which store sensitive emails, financial data, and employee records. Using advanced methods, they quietly extract valuable information while avoiding detection.

These cloud systems can also contain valuable intellectual property, making them attractive targets. Because cloud services operate remotely, the hackers can continue stealing data for long periods without ever setting foot inside the company’s physical office.

Attacks Hitting Multiple Industries

This hacking campaign targets a wide range of industries, including retail, hospitality, and education. Both small businesses and large corporations using Salesforce and Google Cloud services have fallen victim, proving no one is fully safe.

Each industry holds different valuable data: customer records, personal information, or financial details, all of which can be sold or exploited. By attacking diverse sectors, the hackers ensure a steady stream of victims and potential profits, making the campaign both broad and dangerous.

A Group Known As UNC6040

Google’s security team identified UNC6040 as the group behind these attacks, which are carried out through convincing setups. Instead of complex coding, they exploit human errors to gain access and steal sensitive data.

Their ability to manipulate people lets them bypass even strong security systems, making them highly dangerous. Smooth conversations replace suspicious emails, turning simple talks into effective hacking tools.

Ties To “The Com” Group

UNC6040 often delays ransom demands, waiting months after stealing data to catch victims off guard and pressure them into paying. Tied to the larger “The Com” network, they collaborate with loosely connected teams that share tools and stolen data.

Their shared knowledge and cooperation enable them to strike businesses worldwide with greater efficiency. The existence of such a broad group highlights how global cybercrime has become a tangled web of shifting partnerships and collaborations.

Extortion After Data Theft

The hackers delay ransom demands, striking long after the initial breach to catch victims off guard. This tactic increases pressure, as companies face unexpected threats over data they believed was secure.

Companies then struggle to respond to an old breach they thought was contained. The longer the hackers wait, the more they can study the stolen data and determine the most valuable pieces for blackmail.

Only A Limited Number Affected

Although only around 20 organizations have been identified, the selective targeting makes each breach extremely serious. Some attacks went unnoticed for months, increasing the risk and potential damage before discovery.

Each successful breach results in massive amounts of stolen data. The limited reach doesn’t reduce the seriousness, as every victim faces significant financial, legal, and reputational consequences from having their private information exposed.

Salesforce Responds Quickly

Salesforce has made it clear that its platform itself isn’t broken or compromised. The issue lies in employees being tricked into granting access. The company is working hard to warn users about these voice phishing attacks and how to recognize them.

Salesforce is strengthening customer education to help employees recognize threats and avoid falling for scams. While their security remains solid, the company stresses that user awareness and caution are key to preventing future attacks.

The Role Of Social Engineering

This attack shows how dangerous social engineering can be. Hackers don’t need to break codes or systems when they can simply trick people into opening the door for them. By building trust over the phone, they bypass even strong firewalls and security protocols.

Teaching employees to recognize suspicious requests is now more important than ever. With well-practiced scripts and convincing stories, these hackers turn a friendly conversation into an open invitation to steal sensitive information and access entire networks.

Growing Risk With Cloud Integration

This growing web of connected services gives hackers more opportunities to spread once they gain access. Stronger security measures are crucial to limit the damage of a single breach.

While cloud services offer great convenience and flexibility, they also expand the attack surface. Regular monitoring, access controls, and staff training are key to keeping these complex, interconnected systems protected from sophisticated threats.

Staying Safe Against Vishing

Companies are urging employees to stay cautious whenever receiving unexpected calls from supposed tech support. Cybersecurity teams are setting up stricter protocols, and workers are trained to verify identities before following instructions or installing software.

Ongoing training and awareness programs help staff recognize the signs of a vishing attack. The best defense is a well-informed team that questions every unexpected request before taking action.

This slideshow was made with AI assistance and human editing.
