- Hackers targeting Zendesk users with misspelled domains to steal credentials
- ReliaQuest found more than 40 spoofed Zendesk domains that share registration and formatting traits with the earlier Salesforce campaign
- Attackers also submit fake Zendesk tickets to infect support staff with malware and steal their access
The Scattered Lapsus$ Hunters gang, best known for its campaign against Salesforce customers, is now also targeting Zendesk users in an attempt to steal login credentials and access their sensitive information, experts have warned.
Security researchers from ReliaQuest claim that over the past six months, more than 40 typosquatted domains have been registered spoofing Zendesk. In some cases, the domains contained trademarked names (for example, businessname-zendesk[dot]com), and in other cases they were relatively generic (vpn-zendesk[dot]com, for example).
All of the domains ReliaQuest found were registered through NiceNic, with either UK or US registrant information (likely stolen in previous breaches) and Cloudflare-masked nameservers.
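The two naming patterns ReliaQuest describes (a brand name glued to "zendesk" with a hyphen, or a generic prefix such as "vpn-") are easy to flag in a feed of newly registered domains or certificate-transparency entries. The following triage script is an added example, not code from ReliaQuest or TechRadar: it refangs defanged indicators, treats only the zendesk.com apex as genuine (an assumption), and labels anything else that embeds or closely resembles the brand. The sample indicator list is constructed for the example, and the apex-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
"""Triage candidate hostnames for Zendesk lookalikes and typosquats (illustrative example)."""
from typing import List, Tuple

BRAND = "zendesk"
LEGIT_APEXES = {"zendesk.com"}  # assumption: the only apex treated as genuine Zendesk


def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as 'vpn-zendesk[dot]com' into a hostname."""
    host = indicator.strip().lower()
    for token in ("[dot]", "(dot)", "[.]"):
        host = host.replace(token, ".")
    return host.strip(".")


def registrable_domain(host: str) -> str:
    """Simplified apex extraction: last two labels. Production code should use the
    Public Suffix List (for example via tldextract) so that co.uk-style suffixes work."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(indicator: str) -> str:
    """Return one of: legitimate, lookalike, typosquat, unrelated."""
    host = refang(indicator)
    apex = registrable_domain(host)
    if apex in LEGIT_APEXES:
        return "legitimate"            # e.g. support.acme.zendesk.com
    if BRAND in host:
        return "lookalike"             # brand embedded under a foreign apex
    second_level = apex.split(".")[0]
    if levenshtein(second_level, BRAND) <= 2:
        return "typosquat"             # zemdesk.com, zendek.com, ...
    return "unrelated"


def triage(indicators: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, verdict) for every indicator that is not genuine Zendesk."""
    results = []
    for raw in indicators:
        verdict = classify(raw)
        if verdict != "legitimate":
            results.append((refang(raw), verdict))
    return results


# Constructed sample feed for the example; these are not domains from the report.
SAMPLE_FEED = [
    "support.acme.zendesk.com",
    "businessname-zendesk[dot]com",
    "vpn-zendesk[dot]com",
    "zendesk.com.login-portal.net",
    "zemdesk.com",
    "example.org",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FEED):
        print(f"{verdict:10s} {host}")
```

Run it against a daily newly-registered-domain feed or a CT log subscription and route every "lookalike" or "typosquat" hit to a takedown queue; the "legitimate" branch exists so that your own Zendesk subdomains never trip the alert.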
Also attacking Discord?
The researchers found the campaign while investigating the August Salesforce incident and noted, “The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registration properties, and the use of deceptive SSO portals.”
If that link holds, Scattered Lapsus$ Hunters (SLH) kept busy throughout the summer.
The researchers also said they saw the hackers trying to infect companies with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are made to target support and help desk personnel and infect them with remote access trojans (RATs) and other types of malware,” the report said.
“Targeting help desk teams with these kinds of tactics often involves elaborate pretexts, such as urgent requests for system administration or fake password reset requests. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some publications link this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account was breached and sensitive data such as billing information, ID numbers and email addresses were stolen. However, SLH denied any involvement. According to SOCRadar, the group said in its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. We actually got their Okta at the same time… vxunderground thought we were behind the Zendesk compromise. We never corrected him because it was fun and we know the truth would come out.”
Via Information Security Magazine