Hackers Masquerading as IT Support Target Organizations

Recent reports indicate that a hacking collective associated with attacks on British retailers is now targeting cloud service providers through voice phishing scams aimed at data theft. Industries affected include hospitality, retail, and education in both Europe and North America.
A group known as “The Community,” or “The Com,” has exploited Salesforce’s Data Loader tool to access corporate data and navigate laterally within organizations. This activity, tracked by Google as UNC6040, has impacted around twenty organizations across various sectors.
During these attacks, hackers impersonate IT support staff in phone-based vishing schemes, misleading employees into downloading malicious versions of Salesforce’s Data Loader app. This process allows attackers to gain extensive access to exfiltrate sensitive data directly from Salesforce environments, enabling further assaults on platforms like Okta, Microsoft 365, and Workplace.
Interestingly, some victims reported extortion demands occurring months post-intrusion, suggesting a possible alliance between UNC6040 and other cybercriminal entities that monetize hacked information. Google has noted a shared infrastructure among several attacks, indicating connections to groups previously associated with “The Com.”
The attack methodology begins with attackers phoning employees of targeted organizations that use Salesforce and instructing them to download a harmful version of the Data Loader. By entering a “connection code,” victims inadvertently grant attackers significant capabilities to access and exfiltrate sensitive information from the compromised Salesforce environments.
After stealing user credentials, the attackers can move laterally within these compromised networks to extract sensitive information from Okta and Microsoft 365 accounts. Google Mandiant has also uncovered infrastructure utilized for Okta phishing by this group.
In the final phase of these attacks, hackers exfiltrate data to extort victims primarily from the hospitality, retail, and education sectors across Europe and the United States. A Salesforce representative indicated that these attacks exploit gaps in individual cybersecurity awareness rather than vulnerabilities in their systems.
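One defender-side check for the sequence described above (a connected app authorized through a connection code and then immediately used for a large export), written here as an added example; it is not code from the article, Google or Salesforce, and its event field names, client names, allow-list and thresholds are assumptions, not a documented log schema:

```python
from datetime import datetime, timedelta

# Constructed sample events with assumed field names: an app authorization
# followed minutes later by a bulk export (alice), a long-standing authorized
# client (bob), and an export from a client nobody vetted (carol).
EVENTS = [
    {"ts": "2025-06-02T09:00:00", "type": "APP_AUTHORIZED", "user": "alice",
     "client": "Data Loader"},
    {"ts": "2025-06-02T09:04:00", "type": "BULK_EXPORT", "user": "alice",
     "client": "Data Loader", "rows": 1_200_000},
    {"ts": "2025-05-01T08:00:00", "type": "APP_AUTHORIZED", "user": "bob",
     "client": "Data Loader"},
    {"ts": "2025-06-02T10:00:00", "type": "BULK_EXPORT", "user": "bob",
     "client": "Data Loader", "rows": 250_000},
    {"ts": "2025-06-02T11:00:00", "type": "BULK_EXPORT", "user": "carol",
     "client": "DataLoader-Support", "rows": 900},
]

APPROVED_CLIENTS = {"Data Loader"}  # assumed allow-list of vetted connected apps


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_exports(events, window=timedelta(hours=24), min_rows=100_000):
    """Return one finding per bulk export that either comes from a client not on
    the allow-list, or moves at least `min_rows` records less than `window`
    after the same user first authorized that client."""
    first_auth = {}  # (user, client) -> time the client was first authorized
    findings = []
    for event in sorted(events, key=_ts):
        key = (event["user"], event["client"])
        if event["type"] == "APP_AUTHORIZED":
            first_auth.setdefault(key, _ts(event))
            continue
        if event["type"] != "BULK_EXPORT":
            continue
        reason = None
        if event["client"] not in APPROVED_CLIENTS:
            reason = "unapproved client"
        elif key in first_auth and event["rows"] >= min_rows:
            age = _ts(event) - first_auth[key]
            if age < window:
                minutes = int(age.total_seconds() // 60)
                reason = f"{event['rows']} rows exported {minutes} min after first authorization"
        if reason:
            findings.append({"user": event["user"], "client": event["client"], "reason": reason})
    return findings
```

In a real deployment the authorization and export events would come from the platform's own audit logs, and the allow-list from the organization's connected-app inventory.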
Scattered Spider, primarily composed of English-speaking adolescent hackers from the U.S. and U.K., is among those suspected to be involved in this campaign. This group has previously been implicated in disruptions to British retail outlets including Marks & Spencer and Harrods.
At a conference in London, British cyber officials noted the rise of English-speaking groups like UNC6040 and Scattered Spider, which have gained prominence amid crackdowns on ransomware gangs and the resulting fragmentation of Russian-speaking cybercrime organizations. Such shifts have produced a notable increase in attacks by English-language threat actors; although their tactics may be less sophisticated, they remain highly effective.
Mapped to the MITRE ATT&CK framework, these ongoing attacks can be described in terms of techniques such as initial access through social engineering, persistence via user deception, and privilege escalation. Business owners must remain vigilant and implement robust cybersecurity practices to protect against such evolving attacks.