Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App

Google’s Threat Intelligence Group (GTIG) is tracking a vishing group, UNC6040, that targets Salesforce instances for data theft and extortion. The group impersonates IT support personnel to trick employees into authorizing a modified version of Salesforce’s Data Loader, which grants unauthorized access to customer environments. This access allows data exfiltration and potential lateral movement to other platforms such as Okta, Workplace, and Microsoft 365.

Edward Kiledjian @ekiledjian