Security Awareness Training

    Human Risk Roundup: Salesforce social-engineering scam exposes cloud data 

    Cybercriminals amplify risks with advanced phishing across retail, education, and hospitality industries 

    by Joan Goodchild

    Key Points

    • Attackers exploit social engineering to infiltrate Salesforce systems, bypassing MFA and accessing sensitive cloud data. 
    • Evolving phishing tactics, including vishing and OAuth abuse, target industries like retail, education, and hospitality. 
    • Broader cybersecurity threats spread across sectors, with law firms and public agencies increasingly vulnerable to manipulation. 

    In this issue of the Human Risk Roundup, we detail a recent Salesforce social engineering scam that is leading a wave of sophisticated attacks. Also, threat actors are using vishing and phishing techniques to exploit trust and gain access to sensitive cloud data and interconnected systems. 

    Salesforce social-engineering scam targets cloud data 

    Researchers with Google Threat Intelligence Group (GTIG) are tracking UNC6040, a financially motivated threat cluster that GTIG says specializes in voice phishing (vishing) campaigns that aim to compromise Salesforce systems. UNC6040 operatives impersonate IT support and call victims. 

    This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, facilitating the theft of organizations’ Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce, wrote GTIG in a post on the scam. 

    What happened 

    Attackers posed as IT support, called employees and convinced them to visit a phishing site mimicking a Salesforce setup page. Victims entered codes granting OAuth-based access, allowing attackers to infiltrate Salesforce environments and connected platforms like Microsoft 365 and Okta. Researchers say several industries were targeted, including retail, education, and hospitality. 

    Why it matters 

    This campaign underscores how attackers exploit trust and human vulnerabilities to bypass defenses like multi-factor authentication. By targeting Salesforce, a crucial platform for enterprise operations, the breach affects not only primary systems but interconnected cloud environments, amplifying risks. 

    Practical tips for security leaders 

    Educate users on spotting and reporting social engineering attempts. 

    Restrict app permissions by vetting third-party apps before approval. 

    Review OAuth permissions to identify and remove unauthorized access. 

    Enforce strong access controls with limited privileges and MFA. 

    Read more about it in CyberScoop. 
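    One way to act on the "review OAuth permissions" tip above, as an added example that is not part of the original post: a defender-side audit over an export of connected-app tokens. The field names are an assumption about Salesforce's OauthToken object, the allowlist and the token rows are constructed sample data, and the burst rule (several users authorizing the same unvetted app within a couple of hours) is the pattern a vishing campaign like the one described would leave behind.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like a SOQL export of Salesforce's OauthToken
# object (AppName, User.Username, CreatedDate). Field names are an assumption
# about that object; the users, app name and dates are made up.
SAMPLE_TOKENS = [
    {"AppName": "Salesforce for iOS", "Username": "amy@example.com",
     "CreatedDate": "2025-01-10T09:00:00Z"},
    {"AppName": "Bulk Export Helper", "Username": "bob@example.com",
     "CreatedDate": "2025-06-01T14:05:00Z"},
    {"AppName": "Bulk Export Helper", "Username": "cara@example.com",
     "CreatedDate": "2025-06-01T14:40:00Z"},
    {"AppName": "Bulk Export Helper", "Username": "dan@example.com",
     "CreatedDate": "2025-06-01T15:12:00Z"},
]
# Apps the organization has vetted and approved (hypothetical allowlist).
ALLOWED_APPS = {"Salesforce for iOS", "Salesforce for Android"}
NOW = datetime(2025, 6, 3, tzinfo=timezone.utc)


def _parse(ts):
    # Salesforce emits UTC timestamps with a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_oauth_tokens(rows, allowed, now, recent_days=7,
                       burst_hours=2, burst_min_users=3):
    """Return {'unapproved': {app: [users]}, 'burst': {app: [users]}}.

    'unapproved': tokens for apps outside the allowlist granted in the last
    recent_days. 'burst': apps authorised by burst_min_users or more distinct
    users inside a burst_hours window, i.e. many employees approving the same
    app in one afternoon after a round of 'IT support' calls.
    """
    report = {"unapproved": {}, "burst": {}}
    grants = {}
    for r in rows:
        created = _parse(r["CreatedDate"])
        grants.setdefault(r["AppName"], []).append((created, r["Username"]))
        if r["AppName"] not in allowed and now - created <= timedelta(days=recent_days):
            report["unapproved"].setdefault(r["AppName"], []).append(r["Username"])
    for app, events in grants.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= timedelta(hours=burst_hours)}
            if len(users) >= burst_min_users:
                report["burst"][app] = sorted(users)
                break
    return report


def run_sample():
    return audit_oauth_tokens(SAMPLE_TOKENS, ALLOWED_APPS, NOW)
```

Any app that lands in both buckets is the one to revoke first and to trace back to the phone calls the affected users received.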

    Luna Moth targets law firms  

    Speaking of social engineering scams, the FBI is warning about Luna Moth, a cybercriminal group that is using phishing and social engineering tactics to target law firms. Luna Moth, also called Silent Ransom Group (SRG), Chatty Spider, Storm-0252, and UNC3753, has been around since 2022. They use a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to fool victims into calling phone numbers that are included in phishing emails related to invoices and subscription payments.  

    What happened 

    During the call, victims are tricked into installing remote access software, giving the hackers system control. FBI officials say Luna Moth is impersonating IT staff and guiding employees into remote access sessions for data theft and extortion. 

    Why it matters 

    By targeting law firms, where confidential client data is critical, these campaigns pose severe risks to reputation, compliance, and overall operations. 

    Practical tips for security leaders 

    Train employees to recognize phishing emails and social engineering tactics. 

    Verify IT requests by establishing authentication protocols for calls or emails. 

    Monitor suspicious tools like Rclone, WinSCP, or uncommon remote access programs. 

    Disable external remote access for non-essential systems. 

    Regularly audit network traffic for unusual connections to external IPs. 
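    A small triage routine for the "monitor suspicious tools" tip above, added here as an example and not taken from the FBI advisory or the original post. It reads process-creation events in a constructed CSV shape (no particular EDR or Sysmon format is assumed), flags the tools the advisory names, and raises severity when the binary was launched from a user-writable location, which is where a tool dropped during a remote-access session typically lives.

```python
import csv
import io

# Constructed process-creation events (timestamp, host, user, image, cmdline).
# Sample data only; paths and hosts are made up.
SAMPLE_EVENTS = r"""timestamp,host,user,image,cmdline
2025-06-02T10:01:00Z,WS-114,jdoe,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,OUTLOOK.EXE
2025-06-02T10:14:22Z,WS-114,jdoe,C:\Users\jdoe\Downloads\rclone.exe,rclone.exe copy
2025-06-02T10:20:05Z,WS-114,jdoe,C:\Users\jdoe\AppData\Local\Temp\WinSCP.exe,WinSCP.exe
2025-06-02T11:00:00Z,WS-207,asmith,C:\Windows\System32\notepad.exe,notepad.exe
"""

# Tools the FBI advisory names; extend with the remote access programs that
# are NOT part of your own approved baseline (hypothetical placeholder set).
WATCHLIST = {"rclone.exe", "winscp.exe"}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\downloads\\")


def triage_events(csv_text, watchlist=WATCHLIST):
    """Return one finding per watchlisted tool execution.

    severity is 'high' when the image ran from a user-writable path (a
    freshly downloaded or dropped binary) and 'medium' otherwise.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in watchlist:
            continue
        in_user_dir = any(h in image.lower() for h in USER_WRITABLE_HINTS)
        findings.append({
            "time": row["timestamp"],
            "host": row["host"],
            "user": row["user"],
            "image": name,
            "severity": "high" if in_user_dir else "medium",
        })
    return findings


def run_sample():
    return triage_events(SAMPLE_EVENTS)
```

Two watchlisted tools on the same host within minutes, both launched from the user's profile, is the combination that should page someone rather than wait for a daily report.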

    North Korean IT worker scam continues to evolve  

    The sophisticated scheme involving North Korean operatives who pose as job seekers and apply for roles at tech firms using fake LinkedIn profiles and deepfake videos shows no sign of letting up. Hundreds of companies have now been targeted by the criminals, who siphon sensitive data and divert income to fund North Korea’s weapons programs. 

    What happened 

    The scheme has been growing since at least 2022. According to a recent advisory released by the FBI, the threat actors are increasing their malicious activity to include data extortion. Previous alerts have noted that a single operative can earn up to $300,000 per year, contributing to a pipeline of tens of millions of dollars flowing to sanctioned entities. This month, the U.S. Department of Justice seized $7.74 million in cryptocurrency traced to North Korean IT workers who used fake identities to secure remote jobs and funnel money. 

    Why it matters 

    This is a prime example of insider risk driven by human manipulation. Trust in the hiring process is weaponized, as these operatives turn their positions into platforms for espionage and cyberattacks. 

    Practical tips for security leaders 

    Ensure hiring protocols include rigorous identity verification, incorporating document authenticity checks and live video interviews. 

    Implement access restrictions for new hires to limit exposure to sensitive systems during onboarding. 

    Monitor behavior patterns for anomalies like rerouted equipment deliveries or suspicious access requests. 

    Lean on insider threat programs to identify unusual activity tied to employees in critical roles. 

    Promote awareness with workforce education focusing on recognizing fraudulent recruitment tactics and insider risks. 

    Read more from Mimecast Field CISO Beth Miller on this growing problem. 

    Phishing scams hit government agencies 

    Phishing was at the heart of several headline-making government incidents recently, highlighting how it continues to plague organizations. Recent incidents at the UK’s HM Revenue and Customs (HMRC) and state agencies in Texas and Illinois resulted in widespread damage. 

    What happened 

    The HMRC suffered a £47 million loss to an organized crime group that exploited phishing to gather identity data and manipulate the Pay-As-You-Earn (PAYE) tax system. Though no victims faced direct financial losses, 100,000 accounts were impacted, exposing how fraudsters leverage trust to exploit critical systems. 

    In Texas, hackers breached an account in the Department of Transportation’s Crash Records Information System (CRIS), stealing nearly 300,000 crash reports. A state advisory notes that data included sensitive details like names, driver’s license numbers, and insurance policies, raising concerns about identity theft and fraud. 

    In Illinois, cybercriminals used a phishing email to compromise an employee at the Department of Healthcare and Family Services. This led to the exposure of Social Security numbers, state IDs, and financial details tied to Medicaid and child support programs for nearly 1,000 individuals. 

    Why it matters 

    These attacks show just how easy it is for criminals to manipulate users into granting access to sensitive systems. The use of authentic credentials, paired with phishing tactics, bypasses many security defenses.  

    Practical tips 

    Provide employee training: Regularly educate teams on spotting and reporting phishing scams. 

    Strengthen access controls: Implement robust MFA and limit account permissions. 

    Monitor unusual activity: Enable real-time logging and flag anomalous behavior in connected systems. 

    Read more about it in The Record. 

    What to watch: Scattered Spider continues to weave its web 

    Scattered Spider, the threat group thought to be responsible for the recent attack on UK retailer Marks & Spencer, is now targeting managed service providers and IT vendors in a campaign to infiltrate customers of those companies. A report from ReliaQuest notes the group is exploiting help-desk systems and targeting high-value credentials, particularly those of system administrators and executives. Using advanced social engineering tactics like phishing and vishing, the group manipulates human trust to gain initial access.  

    Read more about it in Cybersecurity Dive. 
