Google Uncovers Vishing Ring Targeting Salesforce Data

Google has revealed a financially motivated threat group, dubbed UNC6040, that is targeting organizations using Salesforce through voice phishing, or “vishing,” schemes. According to the company’s threat intelligence team, the group employs deceptive techniques to trick victims into downloading a counterfeit version of a legitimate Salesforce tool called Data Loader. The fraudulent application is designed to compromise Salesforce instances, enabling attackers to exfiltrate sensitive data at scale.

The stolen information is then used to pressure victims into paying extortion demands, Google said. UNC6040’s operations reflect a growing trend in cybercrime where social engineering tactics are increasingly leveraged to bypass technical safeguards. The group’s campaigns are highly tailored, suggesting a level of sophistication and intent to maximize financial gain.

Google’s disclosure underscores the evolving threat landscape facing enterprise cloud platforms, particularly those managing customer data. The company continues to monitor UNC6040’s activities to inform potential mitigation strategies and help organizations defend against similar intrusions.