- Hackers target Zendesk users with misspelled domains to steal their credentials
- ReliaQuest found more than 40 fake domains linked to Salesforce campaigns
- Attackers submit fake Zendesk tickets to distribute malware and steal support agents' access
Experts have warned that the infamous Scattered Lapsus$ Hunters gang, known for targeting Salesforce users, is now also targeting Zendesk users to steal their credentials and access their sensitive information.
Security researchers at ReliaQuest say more than 40 typosquat domains have been registered to spoof Zendesk in the past six months. In some cases the domains combined a trademark with the brand (e.g. a company name paired with zendesk(dot)com); in other cases they were relatively generic (e.g. vpn-zendesk(dot)com).
All domains found by ReliaQuest are registered through NiceNic, with UK or US registration details (probably stolen in previous breaches) and name servers masquerading as Cloudflare.
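The two registration traits described above (a brand-bearing registrable label, and name servers that merely mention Cloudflare) are cheap to check against a newly-registered-domain feed. The script below is an added example written for this article, not ReliaQuest's tooling; the domain list and name-server records in it are constructed sample data, and the only real values are the legitimate zendesk.com domain and the `.ns.cloudflare.com` suffix that Cloudflare-managed zones actually use.

```python
"""Flag Zendesk lookalike domains and name servers that imitate Cloudflare.

Added example for this article (not ReliaQuest's tooling). SAMPLE_RECORDS is
constructed data; LEGIT_DOMAINS and CLOUDFLARE_NS_SUFFIX are the only real values.
"""
from __future__ import annotations

# Legitimate registrable domain; anything else carrying the brand is suspect.
LEGIT_DOMAINS = {"zendesk.com"}
BRAND = "zendesk"
# Zones really hosted on Cloudflare use name servers under this suffix.
CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels (sufficient for .com/.net-style TLDs)."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(fqdn: str) -> str | None:
    """Explain why a domain looks like a Zendesk spoof, or None if legitimate/unrelated."""
    reg = registrable_domain(fqdn)
    if reg in LEGIT_DOMAINS:
        return None
    label = reg.split(".")[0]
    if BRAND in label:
        # Matches the article's patterns: "<company>-zendesk.com", "vpn-zendesk.com".
        return f"brand embedded in registrable label '{label}'"
    # Compare each hyphen-separated token against the brand to catch "zemdesk".
    for token in label.split("-"):
        if token != BRAND and edit_distance(token, BRAND) <= 1:
            return f"near-miss spelling '{token}' of '{BRAND}'"
    return None


def spoofed_cloudflare_ns(ns_hosts: list[str]) -> list[str]:
    """Name servers that mention Cloudflare but are not under the real NS suffix."""
    bad = []
    for ns in ns_hosts:
        ns = ns.lower().rstrip(".")
        if "cloudflare" in ns and not ns.endswith(CLOUDFLARE_NS_SUFFIX):
            bad.append(ns)
    return bad


def triage(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each flagged registrable domain to its reasons. Input: {fqdn: [name servers]}."""
    findings: dict[str, list[str]] = {}
    for fqdn, ns_hosts in records.items():
        reasons = []
        why = lookalike_reason(fqdn)
        if why:
            reasons.append(why)
        for ns in spoofed_cloudflare_ns(ns_hosts):
            reasons.append(f"name server '{ns}' imitates Cloudflare")
        if reasons:
            findings[registrable_domain(fqdn)] = reasons
    return findings


# Constructed sample: a newly-registered-domain feed joined with NS records.
SAMPLE_RECORDS = {
    "support.zendesk.com": ["ns1.example-dns.net"],         # legitimate subdomain
    "vpn-zendesk.com": ["cloudflare-dns.example.net"],      # generic prefix + brand
    "acme-zendesk.com": ["ns1.cloudflare-ns.example.org"],  # company name + brand
    "zemdesk.com": ["dana.ns.cloudflare.com"],              # misspelling on real Cloudflare NS
    "example.org": ["ns1.example.org"],                     # unrelated
}

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_RECORDS).items():
        print(domain, "->", "; ".join(reasons))
```

Run against a real feed, the name-server check is the more reliable of the two signals, since a legitimately Cloudflare-hosted zone will always resolve to `*.ns.cloudflare.com`, while the label check needs an allowlist of your own vendor-branded subdomains to keep noise down.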
An attack on Discord as well?
Researchers discovered the campaign while investigating the 2024 Salesforce incident, noting: “The domains we discovered while investigating the August campaign had similarities to Zendesk domains: format, registration functionality, and use of fraudulent SSO portals.”
If this information is correct, it would mean that the Scattered Lapsus$ Hunters (SLH) group has been busy this summer.
Researchers also said they saw the hackers trying to infect companies with malware by submitting malicious tickets through Zendesk portals.
“These fake emails are intended to target support and technical support staff and infect them with Remote Access Trojans (RATs) and other types of malware,” the report said.
“Targeting support teams with such tactics often requires elaborate pretexts, such as urgent requests for system administration or fake password reset requests. The goal is to trick support staff into handing over their credentials or compromising their endpoints.”
Some publications associate this campaign with the recent Discord incident. In October, the popular communications platform announced that its Zendesk account had been hacked and that sensitive data such as billing information, ID numbers and email addresses had been stolen. However, SLH denied any involvement. As reported by SOCRadar, the group said on its Telegram channel that it had nothing to do with the attack:
“We never blamed ourselves for the Discord-Zendesk compromise. In fact, we launched Okta at the same time… vxunderground thought we were behind the Zendesk compromise. We never solved it because it was fun and we knew the truth would come out.”
IN Journal of Information Security