
Hackers Impersonate IT Support Staff
A hacking collective linked to recent attacks on British retailers is targeting cloud customers through vishing, or voice phishing, scams to steal data from the European hospitality, retail and education sectors.
A community of juvenile hackers that calls itself “The Community,” aka the Com, is exploiting Salesforce’s Data Loader tool to gain access to corporate data and move laterally across organizations, Google researchers said Wednesday. The campaign, which Google attributes to activity it tracks as UNC6040, targets sectors like hospitality, retail and education across the Americas and Europe, with about 20 organizations affected so far.
Hackers impersonate IT support staff in phone-based vishing attacks, tricking employees into installing malicious versions of Salesforce’s Data Loader connected app. This grants attackers broad access to exfiltrate sensitive data directly from Salesforce environments and later target other platforms such as Okta, Microsoft 365 and Workplace.
Some victims were not hit with extortion demands until months after the initial intrusion, hinting at possible partnerships between UNC6040 and other cybercriminal groups that monetize stolen information. Google said it observed common infrastructure across various intrusions that share characteristics “with elements previously linked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as ‘The Com’”.
The hacks began with the attackers contacting Salesforce employees by telephone and guiding the victims to download a malicious version of Salesforce Data Loader. Through vishing, the attackers prompt the victims to enter a “connection code” for the app, which permits direct integration with the Salesforce client environment.
“This step inadvertently grants UNC6040 significant capabilities to access, query and exfiltrate sensitive information directly from the compromised Salesforce customer environments,” Google said.
The attackers proceed to steal end-user credentials to move laterally within the compromised environment and access sensitive data from the target’s Okta and Microsoft 365 environments. Additionally, Google Mandiant uncovered a similar Okta phishing infrastructure used by the group.
In the final stage of the attack, the hackers exfiltrate data to extort their victims, which mainly included hospitality, retail, education and other sectors across Europe and the United States, Google said.
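A detection heuristic for the pattern described above, a newly authorized connected app that is not on the organization's allowlist followed by bulk data exports through it, as an added example that is not from the original article or from Google or Salesforce. The event records, field names and allowlist values are constructed for this example and are not the real Salesforce audit or EventLogFile schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified event records loosely modelled on Salesforce
# Setup Audit Trail / EventLogFile data. Field names and values are
# assumptions for this example, not the exact Salesforce schema.
EVENTS = [
    {"ts": "2025-05-20T09:02:00", "user": "alice", "type": "connected_app_authorized",
     "client_id": "APPROVED-DL-1", "rows": 0},
    {"ts": "2025-05-20T09:10:00", "user": "alice", "type": "bulk_api_query",
     "client_id": "APPROVED-DL-1", "rows": 1200},
    {"ts": "2025-05-21T14:30:00", "user": "bob", "type": "connected_app_authorized",
     "client_id": "UNKNOWN-7f3a", "rows": 0},
    {"ts": "2025-05-21T14:41:00", "user": "bob", "type": "bulk_api_query",
     "client_id": "UNKNOWN-7f3a", "rows": 480_000},
    {"ts": "2025-05-21T15:05:00", "user": "bob", "type": "bulk_api_query",
     "client_id": "UNKNOWN-7f3a", "rows": 310_000},
    {"ts": "2025-05-22T10:00:00", "user": "carol", "type": "connected_app_authorized",
     "client_id": "UNKNOWN-91c0", "rows": 0},
    {"ts": "2025-05-22T10:03:00", "user": "carol", "type": "bulk_api_query",
     "client_id": "UNKNOWN-91c0", "rows": 50},
]

# Connected app client IDs the organization has vetted (assumed values).
APPROVED_CLIENT_IDS = {"APPROVED-DL-1"}

def find_suspicious_exports(events, approved=APPROVED_CLIENT_IDS,
                            window_hours=24, row_threshold=100_000):
    """Return one alert per (user, client_id) where a non-allowlisted connected
    app was authorized and then used for bulk exports totalling at least
    row_threshold rows within window_hours of the authorization."""
    window = timedelta(hours=window_hours)
    authorized = {}   # (user, client_id) -> time of most recent authorization
    exported = {}     # (user, client_id) -> rows exported inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["client_id"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "connected_app_authorized":
            authorized[key] = ts
            exported[key] = 0
        elif ev["type"] == "bulk_api_query" and key in authorized:
            if ts - authorized[key] <= window:
                exported[key] += ev["rows"]
    return [
        {"user": user, "client_id": cid, "rows": rows,
         "authorized_at": authorized[(user, cid)].isoformat()}
        for (user, cid), rows in exported.items()
        if cid not in approved and rows >= row_threshold
    ]
```

Only bob's activity is flagged: alice used a vetted app and carol's unvetted app exported too little to cross the threshold, so the allowlist and the row threshold are the two knobs to tune against an organization's real export volumes.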
A Salesforce spokesperson said the attacks are “scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices” and that there are no indications of exploitation of vulnerabilities in their systems.
Scattered Spider, a hacking group largely consisting of English-speaking adolescent hackers from the U.S. and the U.K., is suspected to be part of this campaign. The group is allegedly behind the May compromise of British retail outlets Marks and Spencer, Harrods and Co-op that caused service and supply disruptions (see: Retail Sector in Scattered Spider Crosshairs).
At a London conference on Tuesday, British cyber officials said English-speaking groups such as UNC6040 and Scattered Spider gained prominence following enforcement actions against ransomware and other hacking groups that led to fragmentation and distrust among Russian-speaking cybercrime groups.
“What we’re seeing now in the U.K. is that there are a lot more English language-based threat actors coming forward now, whereas before it was very hostile state coming through,” said Jeremy Banks of the British National Police Chiefs Council’s Cyber Crime Team.
These groups are primarily from the U.S., U.K. or Australia. While their tactics are less sophisticated, their attacks are “highly effective,” Banks said.