Hackers Exploit Salesforce Data Loader in Sophisticated Vishing Attack
A financially motivated threat actor, known as UNC6040, has been orchestrating a sophisticated vishing (voice phishing) and extortion campaign targeting Salesforce users (securityweek.com, bleepingcomputer.com). The attackers impersonate IT support staff and call English-speaking employees at organizations spanning sectors like education, hospitality, and retail. During these calls, victims are instructed to approve a malicious version of Salesforce’s Data Loader connected app—granting attackers the ability to access and transfer sensitive data from their Salesforce environments (securityweek.com, darkreading.com).
After establishing this unauthorized access, UNC6040 doesn’t stop at data theft; they often wait for months before initiating extortion efforts, claiming affiliation with the notorious ShinyHunters hacking group to bolster their threats (securityweek.com, darkreading.com). The campaign also includes lateral movement—using the compromised Salesforce app to breach additional environments like Microsoft 365, Okta, and internal networks (securityweek.com, darkreading.com). Google’s Threat Intelligence Group has flagged this as a primarily social-engineering-driven attack, rather than exploiting software vulnerabilities (securityweek.com, darkreading.com).
Salesforce has previously warned about such threats and emphasizes the importance of customer responsibility in securing their accounts (salesforce.com, darkreading.com). To combat vishing, they recommend implementing multi-factor authentication (MFA), applying stricter verification protocols for connected apps, and training employees to be wary of unsolicited IT calls. Experts caution that while Data Loader is a legitimate administrative tool, threat actors can weaponize it if given the chance—underscoring the urgent need for governance and robust user awareness in SaaS environments (salesforce.com, darkreading.com).
SOURCE: https://www.helpnetsecurity.com/2025/06/04/salesforce-vishing-attacks/