- Hackers attack Zendesk users with misspelled domains to steal credentials
- ReliaQuest found more than 40 spoofed domains, linked to similarities to Salesforce campaigns
- Attackers submit fake Zendesk tickets to spread malware and steal support staff access
The notorious Scattered Lapsus$ Hunters gang, which targeted Salesforce users, is now also targeting Zendesk users to try to steal login credentials and gain access to their sensitive information, experts have warned.
Security researchers at ReliaQuest say that more than 40 domains with typos were registered spoofing Zendesk in the last six months. In some cases, the domains contained brand names (for example, businessname-zendesk[dot]com), and in other cases, were relatively generic (vpn-zendesk[dot]com, for example).
All of the domains ReliaQuest found were registered through NiceNic, with UK or US registrant information (likely stolen in previous breaches) and name servers masked by Cloudflare.
Also attacking Discord?
Researchers found the campaign while investigating the 2024 Salesforce incident, noting: “The domains we discovered while investigating the August campaign shared similarities with Zendesk domains: format, registration features, and the use of deceptive SSO portals.”
If this information is true, it would mean that the Scattered Lapsus$ Hunters (SLH) group stayed busy over the summer.
The researchers also said they saw hackers trying to infect companies with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are designed to target support and technical support staff, infecting them with Remote Access Trojans (RATs) and other types of malware,” the report says.
“Targeting support teams with these types of tactics often involves well-crafted pretexts, such as urgent system administration requests or bogus password reset requests. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some posts link this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account had been breached and sensitive data such as billing information, ID numbers, and email addresses had been stolen. However, SLH denied any involvement. According to SOCRadar, the group said on its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. In fact, we blew up their Okta at the same time… vxunderground believed we were behind the Zendesk compromise. We never corrected it because it was hilarious and we know the truth would come out.”
Via Infosecurity Magazine