Never Answer These Calls On Your Smartphone, Google Warns

Beware the UNC6040 smartphone threat.
Google’s Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including your credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers “abuse end-user trust,” a Google spokesperson said, adding that the UNC6040 campaign “began months ago and remains active.” Here’s what you need to know and do. TL;DR: Don’t answer that call, and if you do, don’t act upon it.
Google’s Threat Intelligence Group Issues UNC6040 Smartphone Attack Warning
If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone — regardless of whether it’s an Android or iPhone — then you really haven’t been paying attention. It’s this lack of attention, on the broadest global cross-industry scale, that has emboldened attackers and allowed the “vishing” threat to evolve and become ever more dangerous.
If you won’t listen to me, perhaps you’ll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group. A June 4 posting by GTIG, whose motto is providing visibility and context on the threats that matter most, has detailed how it’s been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. “UNC6040’s operators impersonate IT support via phone,” the GTIG report stated, “tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.” The payload? Access to sensitive data and onward lateral movement to other cloud services beyond the original intrusion for the UNC6040 hackers.
Google’s threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe. One thought is that the original attackers are working in conjunction with a second group that acts to monetize the infiltrated networks and stolen data, as the extortion itself often doesn’t start for some months after the initial intrusion.
To mitigate the UNC6040 attack risk, GTIG said that organizations should consider the following steps:
- Adhere to the Principle of Least Privilege.
- Manage access to connected applications rigorously.
- Enforce IP-based access restrictions.
- Leverage advanced security monitoring and policy enforcement with Salesforce Shield.
- Enforce multi-factor authentication everywhere.
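The first three of those steps (least privilege, rigorous control of connected apps, and IP-based restrictions) are the ones a security team can turn into a routine check on connected-app authorizations. The script below is an added example written for this article; it is not Google's, GTIG's or Salesforce's code. It reads a constructed, simplified audit record (user, app name, source IP, OAuth scopes, pipe-delimited; not a real Salesforce log format), and flags any authorization for an app that is not on the approved list, that carries a "Data Loader" look-alike name, that comes from outside the trusted corporate ranges, or that requests blanket scopes. The approved-app list, the trusted networks and the scope policy are all assumptions made for the example; `full` and `api` are real Salesforce OAuth scope names, but treating them as review triggers is this example's policy, not Salesforce guidance.

```python
import ipaddress
from dataclasses import dataclass

# Connected apps the organization has actually approved (constructed list;
# a real one comes from your Salesforce admin inventory).
APPROVED_APPS = {"Data Loader (Corporate)", "Finance BI Connector"}

# Corporate egress ranges from which connected-app authorizations are expected.
# Constructed sample ranges from RFC 5737 documentation space.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Scopes that give an app blanket access; requesting them triggers a
# least-privilege review. Flagging these is this example's assumed policy.
BROAD_SCOPES = {"full", "api"}


@dataclass
class AuthEvent:
    user: str
    app_name: str
    source_ip: str
    scopes: frozenset


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed audit line: user | app name | source ip | scope,scope."""
    user, app_name, source_ip, scope_field = [f.strip() for f in line.split("|")]
    scopes = frozenset(s.strip() for s in scope_field.split(",") if s.strip())
    return AuthEvent(user, app_name, source_ip, scopes)


def review(event, approved=APPROVED_APPS, trusted=TRUSTED_NETWORKS, broad=BROAD_SCOPES):
    """Return the list of policy findings for one authorization event (empty if clean)."""
    findings = []
    if event.app_name not in approved:
        findings.append("unapproved connected app")
        # Unapproved app whose name imitates the legitimate tool.
        if "data loader" in event.app_name.lower():
            findings.append("Data Loader look-alike name")
    ip = ipaddress.ip_address(event.source_ip)
    if not any(ip in net for net in trusted):
        findings.append("source IP outside trusted networks")
    requested = event.scopes & broad
    if requested:
        findings.append("broad scopes requested: " + ",".join(sorted(requested)))
    return findings


def triage(lines):
    """Map each (user, app) pair to its findings; clean events are omitted."""
    report = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)
        findings = review(ev)
        if findings:
            report[(ev.user, ev.app_name)] = findings
    return report


# Constructed sample records; bob's entry models the pattern GTIG describes:
# an unsanctioned Data Loader variant authorized from an unexpected network.
SAMPLE_LOG = """
# constructed sample: user | app name | source ip | scopes
alice@example.com | Data Loader (Corporate) | 203.0.113.25 | refresh_token
bob@example.com   | Data Loader Helper      | 192.0.2.77   | full,refresh_token
carol@example.com | Finance BI Connector    | 198.51.100.8 | refresh_token
""".strip().splitlines()

if __name__ == "__main__":
    for (user, app), findings in triage(SAMPLE_LOG).items():
        print(f"{user} -> {app}: {'; '.join(findings)}")
```

Run as-is it reports only bob's authorization, with all four findings; alice and carol, who use approved apps from trusted ranges with narrow scopes, produce nothing. In practice the approved list and trusted ranges would be fed from the admin inventory and the network team, and a hit on "unapproved connected app" is the point at which the organization's out-of-band verification (L15 above: hang up and call IT back through a known channel) should already have happened.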
And, of course, as Google has advised in previous scam warnings, don’t answer those phone calls from unknown sources. If you do, and it’s someone claiming to be an IT support person, hang up and use the established methods within your organization to contact them for verification.