Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Fake IT support calls scam hits 20 companies. Ukraine destroys bombers, then breaches the bomber manufacturer. Chrome stops recognizing two certificate authorities over trust failures. And when old school beats high tech: the $400 million hack from a phone camera. This is Cybersecurity Today.
(00:21):
I'm your host, Jim Love.
Cyber criminals are using convincing fake IT support calls and have successfully breached approximately 20 organizations across the hospitality, retail, and education sectors, stealing sensitive Salesforce data that they later use for extortion demands.
(00:42):
Google's Threat Intelligence Group yesterday revealed details of the ongoing campaigns by a financially motivated group dubbed UNC6040, which specializes in voice phishing attacks, specifically targeting Salesforce environments for large scale data theft. The scammers' approach is deceptively simple, yet highly effective. Criminals
(01:05):
call employees at English speaking branches of multinational corporations, impersonating IT support personnel with convincing technical knowledge. During these calls, they guide victims to Salesforce's legitimate connected apps setup page and provide an eight digit connection code. This seemingly harmless action connects a malicious version of
(01:28):
Salesforce's Data Loader application to the victim's environment. The fake app, which appears legitimate with modified branding, grants attackers immediate access to query and steal sensitive customer and business data directly from Salesforce accounts. After establishing their foothold, UNC6040 doesn't stop at Salesforce data.
(01:51):
The group uses harvested credentials to move laterally through victim networks, accessing additional platforms, including Okta, Microsoft 365, and Workplace, to maximize their data theft. The attackers also trick victims into visiting fraudulent sites from their mobile devices during social engineering calls to capture additional authentication credentials.
(02:14):
What makes this campaign particularly concerning is the timing of these extortion demands. Google reports that in some cases, criminals wait several months after the initial breach before demanding ransom payments, suggesting UNC6040 may be partnering with separate groups that specialize in monetizing stolen data. During extortion attempts, the attackers claim affiliation with the
(02:39):
notorious ShinyHunters hacking group, likely to increase pressure on victims. Google's analysis reveals that UNC6040 shares characteristics with The Com, a loosely organized cyber crime collective that includes groups like Scattered Spider. However, researchers emphasize UNC6040 operates as a distinct
(03:00):
entity despite tactical similarities, including voice phishing expertise and targeting of English speaking employees. This campaign represents an evolution in social engineering attacks, where technical security controls prove insufficient against sophisticated human manipulation. Salesforce responded that the attacks exploit user awareness gaps rather
(03:24):
than platform vulnerabilities. The company stated, "Salesforce has enterprise grade security built into every part of our platform, and there's no indication that the issue stems from any vulnerability inherent in our services." The incidents highlight how even security conscious organizations remain vulnerable to well-executed social engineering campaigns that exploit
(03:47):
the human element of cybersecurity.
Ukraine's military intelligence agency claims to have executed a comprehensive cyber operation against Russia's aircraft manufacturer, stealing over 4.4 gigabytes of classified data, including personnel files, internal communications, and
(04:10):
strategic bomber maintenance records. The Main Intelligence Directorate allegedly accessed internal systems for an extended period, monitoring document flows in real time before executing the data extraction. The breach exposed detailed information about engineers and staff responsible
(04:30):
for maintaining Russia's strategic bomber fleet, including the Tu-95 and the Tu-60 aircraft used to launch cruise missile attacks on Ukrainian cities. "The significance of the data obtained cannot be overestimated," a HUR source told Ukrainian media yesterday. "Now, in fact, there is nothing secret left in Tupolev's activities
(04:52):
for Ukrainian intelligence." The stolen data includes official correspondence, home addresses, resumes, purchase records, and closed meeting minutes: intelligence that could enable future targeted operations against specific personnel or facilities within Russia's defense industrial complex.
(05:12):
The Ukrainian operatives marked their breach by replacing Tupolev's website homepage with an image of an owl clutching a Russian aircraft, referencing HUR's insignia while demonstrating their ability to penetrate and control enemy digital infrastructure. The website now redirects to the United Aircraft Corporation's main portal.
(05:35):
This represents the latest evolution in Ukraine's cyber capabilities, which have increasingly targeted critical surveillance and defense infrastructure. Recent operations suggest Ukrainian intelligence agencies can compromise not only data systems, but also surveillance networks, with speculation that they accessed Russian security cameras during the recent Crimean Bridge attack based
(05:57):
on stable footage showing explosions, but no camera movement or vibrations. The Tupolev breach provides comprehensive intelligence about Russia's strategic aviation capabilities at a time when Ukraine is conducting coordinated cyber physical operations. The timing, just days after Operation Spiderweb's drone attacks on Russian
(06:20):
air bases, suggests a systematic campaign combining kinetic strikes with intelligence gathering. Tupolev, under international sanctions since 2022, produces the strategic bombers that have been central to Russia's missile campaign against Ukrainian infrastructure. The cyber operations potentially expose the entire personnel structure
(06:42):
supporting these critical military assets. The combination of physical destruction and digital intelligence gathering represents a new model of asymmetric warfare, where cyber operations provide the knowledge necessary for sustained pressure against strategic targets while mapping enemy capabilities for future operations.
(07:05):
Google Chrome will stop trusting digital certificates from two major certificate authorities, Taiwan's Chunghwa Telecom and Hungary's NetLock, starting August 1st, citing patterns of concerning behavior and compliance failures. Beginning with Chrome 139, websites using certificates issued by these authorities after July 31st will trigger security warnings telling
(07:30):
users "your connection is not private." While users can still access these sites by clicking through the warnings, the broken trust will disrupt millions of web visitors. Chrome controls over 66% of the global browser market, making this
(07:51):
decision effectively a death sentence for these certificate authorities, even though other browsers like Edge and Safari will still trust them. Google cited "patterns of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress." Over the past year, both authorities failed to meet industry security
(08:12):
standards and didn't deliver on promises to fix their practices. This follows a similar action against Entrust in November 2024, when Google stopped trusting new certificates from that authority after years of compliance issues. Google is tightening standards across the certificate industry. Certificate authorities serve as the Internet's trust gatekeepers,
(08:32):
verifying websites' identities and enabling the HTTPS encryption that powers secure web connections. When a major browser loses confidence in a certificate authority, it exposes fundamental problems in how internet security is managed. The move demonstrates Google's growing willingness to use Chrome's market dominance to enforce security standards, effectively
(08:56):
deciding which certificate authorities can participate in the global web infrastructure. Website operators using affected certificates should switch to a trusted authority immediately to avoid user disruption. And finally, here's your reminder that the simplest attacks are often the most powerful.
(09:17):
Coinbase, one of the world's most sophisticated cryptocurrency exchanges, just got taken for up to $400 million, not because some technical genius cracked their encryption, but due to someone taking photos with their phone. While security experts spend millions on advanced firewalls, encryption, and
(09:38):
zero trust networks, hackers simply bribed employees of a firm that Coinbase outsourced to in India. All the person had to do was point her personal smartphone at her computer screen and snap pictures of customer data. No sophisticated malware, no nation state cyber weapons, no AI powered attacks,
(10:00):
just a camera where it shouldn't be, and some cash to pay them to do it. The employee I'm talking about was caught red-handed photographing sensitive customer information, including names, addresses, social security numbers, and bank details. She and an accomplice had been feeding this data to hackers for months before getting busted in January.
(10:23):
The really embarrassing part: there are reports that Coinbase knew about this phone camera spy operation back in January, but only disclosed it publicly in May, and only then because the hackers sent them a $20 million Bitcoin ransom demand, threatening to leak everything online. In fairness to the company, they did the right thing by not paying the
(10:45):
ransom, but they went an extra step and offered the $20 million as a reward to anyone who could find these criminals. More than 200 TaskUs employees lost their jobs in the aftermath, and nearly 70,000 Coinbase customers had their personal data compromised, all because someone remembered that sometimes the best way to steal digital
(11:08):
secrets is with an analog approach. It is a perfect reminder. You can build the most secure digital fortress in the world, but if someone can walk up to your screen with a camera, all that technology doesn't matter. Sometimes the old ways work just fine. And that's our show for today. Love to hear what you think. You can reach me at editorial@technewsday.ca or on LinkedIn,
(11:32):
or if you're watching this on YouTube, just drop a note under the video. Tomorrow's show brings back our month in review panel for a look at top stories for the month. Hope you can join us, and if you're enjoying this content, we'd love it if you recommend us to a friend. And if you can help us out financially with a small donation at buymeacoffee.com/techpodcast, that's buymeacoffee.com/techpodcast.
(11:59):
We do accept corporate sponsors, but we're really picky about them, and we want to continue to do that with your financial support: buymeacoffee.com/techpodcast. I'm your host, Jim Love. Thanks for listening.