Update (August 5)
Google confirmed that one of its corporate Salesforce instances was briefly compromised in June by threat actor UNC6040, which specializes in voice-phishing campaigns. The attackers retrieved limited business contact data before Google cut off access.
Following these intrusions, a related group dubbed UNC6240 has launched extortion campaigns, sending emails and placing calls that demand bitcoin payments within 72 hours, often under the name ShinyHunters. Analysts believe the actors may escalate by launching a data leak site (DLS) to pressure victims further.
Google’s Threat Intelligence Group notes that UNC6040 has evolved from abusing Salesforce’s Data Loader app to deploying custom Python applications, registered through compromised accounts and masked via VPN or Tor connections. Their operations rely heavily on social engineering rather than exploiting Salesforce itself.
Google continues to monitor the situation and has published indicators of compromise (IOCs) to help organizations defend against these campaigns.
unc is famous 💔
unc is a funny ass name
damn seems intriguing