
Hackers abuse modified Salesforce app to steal data, extort companies, Google says
FILE PHOTO: The company logo for Salesforce.com is displayed on the Salesforce Tower in New York City, U.S., March 7, 2019. REUTERS/Brendan McDermid/File Photo
(Reuters) - Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.
The hackers – tracked by the Google Threat Intelligence Group as UNC6040 – have 'proven particularly effective at tricking employees' into installing a modified version of Salesforce's Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said.
The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader.
If the employee installs the app, the hackers gain 'significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,' the researchers said.
The access also frequently gives the hackers the ability to move throughout a customer's network, enabling attacks on other cloud services and internal corporate networks.
Technical infrastructure tied to the campaign shares characteristics with suspected ties to the broader and loosely organized ecosystem known as 'The Com,' known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said.
A Google spokesperson did not share additional details about how many companies have been targeted as part of the campaign, which has been observed over the past several months.
A Salesforce spokesperson told Reuters in an email that 'there's no indication the issue described stems from any vulnerability inherent in our platform.' The spokesperson said the voice calls used to trick employees 'are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices.'
The spokesperson declined to share the specific number of affected customers, but said that Salesforce was "aware of only a small subset of affected customers," and said it was "not a widespread issue."
Salesforce warned customers of voice phishing, or "vishing," attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.
(Reporting by AJ Vicens in Detroit; Editing by Leslie Adler)
