- Hackers targeting Zendesk users with typosquatted domains to steal credentials
- ReliaQuest found 40+ spoofed domains, linked to Salesforce campaign similarities
- Attackers submit fake Zendesk tickets to spread malware and steal support staff access
The notorious Scattered Lapsus$ Hunters gang, which famously targeted Salesforce users, is now targeting Zendesk users as well to try and steal login credentials and gain access to their sensitive information, experts have warned.
Security researchers from ReliaQuest claim over the last six months, more than 40 typosquatted domains were registered spoofing Zendesk. In some instances, the domains contained brand names (for example businessname-zendesk[dot]com), and in other cases, they were relatively generic (vpn-zendesk[dot]com, for example).
All of the domains ReliaQuest found were registered through NiceNic, with either UK or US registrant information (likely stolen in earlier breaches) and Cloudflare-masked nameservers.
Also attacking Discord?
The researchers found the campaign while investigating the 2024 Salesforce incident, noting, “The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals.”
If this information is true, it would mean the Scattered Lapsus$ Hunters (SLH) group kept busy over the summer.
The researchers also said they saw the hackers trying to infect businesses with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware,” it was said in the report.
“Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some publications are linking this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account was breached, and sensitive data such as billing information, ID numbers, and email addresses stolen. However, SLH denied any involvement. According to SOCRadar, the group said in its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. We actually did pop their Okta at the same time … vxunderground believed we were behind the Zendesk compromise. We never corrected him because it was hilarious and we know the truth would come out.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/JFKDCP2HdEKqSGJCkLNprB-1100-80.jpg
Source link
