Google Discovered a New Scam and Fell Victim to It

In an unexpected turn of events, Google recently revealed that it had been victimized by a scam it had itself previously identified. In June, Google had uncovered a campaign targeting Salesforce customers, in which attackers posed as IT department staff and asked users for immediate account access. Intriguingly, Google later disclosed that it, too, had fallen victim to the same scam.
Driven by financial motivations, these threat actors aim to extract data to sell back at high prices. They bypass traditional hacking methods, opting for a more straightforward technique: directly calling targets and requesting access. This method has unfortunately proven effective against several large corporations. As reported by Bleeping Computer, affected companies include Adidas, Qantas, Allianz Life, Cisco, and LVMH’s Louis Vuitton, Dior, and Tiffany & Co.
At the heart of the scam is the exploitation of a Salesforce feature. This feature lets users link their accounts to third-party applications to facilitate data integration. The attackers contacted employees, convincing them to connect an external app to Salesforce and provide a security code necessary for the connection. With this code, the hackers accessed the system and its data.
In Google's case, their Salesforce instance was compromised in June, but this information only came to light recently, with Google stating the leak pertained to mostly public business information. The breach lasted a brief period before access was revoked.
The intrusions are attributed to the group tracked as UNC6040, which carried out the initial attacks. A second group, UNC6042, which operates under the ShinyHunters brand, handles the extortion side and may escalate it by launching a data leak site (DLS), putting further pressure on victims tied to the UNC6040 breaches.
With many organizations, including Google, falling victim and only disclosing the breach months later, the true scope of these incidents remains uncertain. Salesforce users are urged to audit their systems, activate multifactor authentication, and educate staff on identifying scams to mitigate risk.