Hackers use voice phishing to breach Salesforce customers and steal data

The tool (Salesforce's Data Loader) supports OAuth and can be directly integrated into a Salesforce "connected app". According to GTIG, the attackers typically convince victims over the phone to open the connected app setup page and enter a connection code, which effectively links a rogue, attacker-controlled version of Data Loader to the victim's Salesforce environment.
The use of modified versions of Data Loader matches the abuse Salesforce warned about in its recent guidance. GTIG researchers also found that the tactics and techniques varied from one intrusion to the next.
"In one instance, the threat actor used small chunk sizes to exfiltrate data from Salesforce but was only able to retrieve about 10% of the data before detection and access revocation," the researchers said. "In another instance, numerous test queries were initially performed with small chunk sizes. Once enough information had been gathered, the actors quickly increased the chunk size to extract entire tables."
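The two observations above (a connected app that is not on the org's approved list, and a probe-then-dump pattern where small test queries are followed by a sharp jump in rows per query) are both things an admin can look for in exported API usage events. The following is an added example written for this article, not code from GTIG or Salesforce: the event records are constructed, the field layout is a simplified assumption rather than Salesforce's real Event Monitoring schema, and the list of approved apps and the ramp-up thresholds are placeholders a defender would tune.

```python
"""Flag a newly seen connected app and a chunk-size ramp-up in API usage events.

Constructed example. The records imitate, in simplified form, the API usage
events an admin can export; field names are an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, connected app, user, object, rows returned).
# "alice" uses the approved Data Loader at a steady rate; "bob" connects an
# unknown app, probes three objects with tiny queries, then pulls whole tables.
SAMPLE_EVENTS = [
    ("2025-06-02T09:00:00", "Data Loader", "alice", "Account", 200),
    ("2025-06-02T09:05:00", "Data Loader", "alice", "Contact", 200),
    ("2025-06-02T09:10:00", "Ticketing Data Loader", "bob", "Account", 20),
    ("2025-06-02T09:11:00", "Ticketing Data Loader", "bob", "Contact", 20),
    ("2025-06-02T09:12:00", "Ticketing Data Loader", "bob", "Lead", 20),
    ("2025-06-02T09:20:00", "Ticketing Data Loader", "bob", "Account", 2000),
    ("2025-06-02T09:21:00", "Ticketing Data Loader", "bob", "Contact", 2000),
    ("2025-06-02T09:22:00", "Ticketing Data Loader", "bob", "Contact", 2000),
]

# Assumption: the org maintains an allow-list of approved connected apps.
KNOWN_APPS = {"Data Loader"}


def parse(events):
    """Turn the raw tuples into (datetime, app, user, object, rows)."""
    return [
        (datetime.fromisoformat(ts), app, user, obj, int(rows))
        for ts, app, user, obj, rows in events
    ]


def unknown_apps(events):
    """Connected apps that issued queries but are not on the allow-list."""
    return sorted({app for _, app, _, _, _ in parse(events) if app not in KNOWN_APPS})


def ramp_up(events, factor=10, window=timedelta(minutes=30)):
    """Return {(app, user): (first_rows, peak_rows)} for actors whose rows-per-query
    grows by at least `factor` within `window` of their first observed query.
    This is the probe-then-dump pattern: small test queries, then full tables."""
    by_actor = defaultdict(list)
    for ts, app, user, _obj, rows in parse(events):
        by_actor[(app, user)].append((ts, rows))
    flagged = {}
    for actor, calls in by_actor.items():
        calls.sort()
        first_ts, first_rows = calls[0]
        peak = max(rows for ts, rows in calls if ts - first_ts <= window)
        if first_rows > 0 and peak >= factor * first_rows:
            flagged[actor] = (first_rows, peak)
    return flagged


def findings(events):
    """Combine both checks into a list of human-readable alerts."""
    alerts = [f"unknown connected app: {app}" for app in unknown_apps(events)]
    for (app, user), (first, peak) in sorted(ramp_up(events).items()):
        alerts.append(f"chunk-size ramp-up: {user} via {app} went from {first} to {peak} rows/query")
    return alerts


if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

Both checks are cheap enough to run over a daily export; the allow-list check catches the rogue app at connection time, while the ramp-up check catches the pattern GTIG describes even when the app name looks plausible.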