Google falls victim to phishing attack it discovered

In a financially motivated cyberattack, an elite threat actor group has compromised the Salesforce accounts of multiple high-profile companies, including Google, by using a simple but effective social engineering technique: impersonating IT staff and tricking employees into granting them access to their Salesforce accounts.

The attackers use a feature that allows a third-party app to be connected to a user's Salesforce account. Posing as IT support, they contact employees and persuade them to link to an external application. During this process, they request an eight-digit security code, which they then use to gain full access to the account and its data. Companies such as Adidas, Qantas, Allianz Life, and Cisco have been affected, along with luxury brands including Louis Vuitton and Tiffany & Co.

Google, which initially exposed the campaign, has now disclosed that its own Salesforce instance was compromised in June, with attackers retrieving business data that was "largely public." The company has linked the initial intrusions to a group named UNC6040, with a second group, UNC6042, branded as ShinyHunters, engaging in extortion activities. Google warns that ShinyHunters may be preparing to escalate their tactics by launching a data leak site. All Salesforce customers are being advised to audit their Salesforce accounts, implement multi-factor authentication and provide robust information security training to staff concerning how to detect and avoid social engineering (phishing) attacks.