Google Confirms Voice-Based Phishing Breaches of Salesforce Instances

A series of data breaches affecting major companies such as Qantas, Adidas, Allianz Life, and LVMH has been linked to the cyber extortion group ShinyHunters. The attackers used voice phishing to gain access to Salesforce CRM systems by manipulating employees into connecting malicious applications.

According to Google’s Threat Intelligence Group (GTIG), the attackers, identified as UNC6040, impersonated internal IT support during phone calls. They convinced victims to visit Salesforce’s app setup page and enter a “connection code” that granted access to a disguised version of the Data Loader app, sometimes rebranded as “My Ticket Portal.” They also used phishing pages mimicking Okta login interfaces to steal credentials and multi-factor authentication (MFA) tokens.

LVMH subsidiaries, including Louis Vuitton and Tiffany & Co., reported unauthorized access through a vendor managing customer data. Allianz Life acknowledged a breach involving a third-party CRM platform, while Qantas had data accessed via its Salesforce instance, although it has not confirmed this publicly.