Google Falls Prey to the Scam It Uncovered

In a surprising turn of events, Google, the tech giant known for its security prowess, found itself ensnared in the very scam it had recently brought to light. Earlier this year, in June, Google uncovered a widespread phishing attack targeting Salesforce account holders. The attackers impersonated IT department personnel, claiming to require immediate access due to supposed issues. However, just two months later, it was revealed that Google itself had fallen victim to the same malicious campaign.

The perpetrators of these breaches are financially driven threat actors intent on stealing data and later extorting sky-high ransoms from their targets. They bypass the traditional route of exploiting software vulnerabilities in favor of a more direct approach: simply asking for access over the phone. Companies like Adidas, Qantas, Allianz Life, Cisco, and luxury brands under LVMH, such as Louis Vuitton, Dior, and Tiffany & Co., have already reported breaches of their Salesforce data.

A Shift in Tactics

The attackers exploit a Salesforce feature that permits customers to connect their accounts to external applications in order to integrate data into internal systems. Posing as IT staff, they reach out to employees and instruct them to connect an external app. As the unsuspecting employees comply, they are asked to provide the eight-digit security code that Salesforce requires to authorize such an integration. The attackers then use that authorization to access the Salesforce instance.

Google admitted that its own Salesforce instance was compromised during this period. Although the breach occurred in June, the announcement came only recently, suggesting that Google was made aware of the intrusion only then. Fortunately, the stolen data was limited mostly to business names and contact information, much of which was already public.

Initially, Google traced the breaches to a group known as UNC6040. It later identified a secondary group, UNC6042, labeled ShinyHunters, suspected of executing extortion attempts months after the initial breaches. Google's report suggests these attackers may escalate their strategies by introducing a data leak site to intensify pressure on those affected.

With large corporations, including Google, taking months to disclose such breaches, it stands to reason that several more companies remain unaware that their own data has been compromised. As a proactive measure, Salesforce users are advised to thoroughly audit third-party access to their systems and to bolster defenses with multifactor authentication. Employee training on recognizing phishing attempts is also crucial to safeguarding against future attacks.
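One way to act on the audit advice above, as an added illustration that is not part of the original article or of any Salesforce tooling: review connected-app authorizations against an allow-list and flag an unapproved app that several users authorized within a short window, which is the pattern the phone-based campaign described earlier would leave behind. The event rows, field names and the allow-list are constructed for the example, not a real Salesforce export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connected-app authorization events (assumed fields:
# user, app name, time the user entered the eight-digit authorization code).
SAMPLE_EVENTS = [
    ("alice@example.com", "Salesforce Data Loader",    "2025-06-02T09:10:00"),
    ("bob@example.com",   "IT-Support Data Sync",      "2025-06-03T14:02:00"),
    ("carol@example.com", "IT-Support Data Sync",      "2025-06-03T14:15:00"),
    ("dave@example.com",  "IT-Support Data Sync",      "2025-06-03T14:40:00"),
    ("erin@example.com",  "Marketing Cloud Connector", "2025-06-04T11:00:00"),
]

# Apps reviewed and approved by the tenant's admins (assumed allow-list).
APPROVED_APPS = {"Salesforce Data Loader", "Marketing Cloud Connector"}


def parse_events(rows):
    """Turn the raw rows into (user, app, datetime) tuples."""
    return [(u, a, datetime.fromisoformat(t)) for u, a, t in rows]


def unapproved_authorizations(events, approved=APPROVED_APPS):
    """Every authorization of an app that is not on the allow-list."""
    return [(u, a, t) for u, a, t in events if a not in approved]


def cluster_by_app(events, window=timedelta(hours=1)):
    """Group unapproved authorizations per app and note whether all of them
    fall inside one time window: several distinct users authorizing the same
    unknown app within an hour points to a coordinated campaign rather than
    a single user's mistake."""
    by_app = defaultdict(list)
    for u, a, t in unapproved_authorizations(events):
        by_app[a].append((t, u))
    findings = {}
    for app, auths in by_app.items():
        auths.sort()
        users = sorted({u for _, u in auths})
        span = auths[-1][0] - auths[0][0]
        findings[app] = {"users": users, "within_window": span <= window}
    return findings


if __name__ == "__main__":
    for app, info in cluster_by_app(parse_events(SAMPLE_EVENTS)).items():
        print(f"{app}: {len(info['users'])} users, "
              f"clustered={info['within_window']}, users={info['users']}")
```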