Global Spam Wave Exploits Zendesk Ticket Systems

A widespread and disruptive spam campaign is exploiting a common feature in customer service software, flooding inboxes globally with confusing and often bizarre messages. This wave, which began gaining significant traction around mid-January, originates from improperly secured Zendesk support ticket systems used by a variety of well-known companies. Rather than containing malicious links, these emails appear designed to cause confusion and alarm by abusing automated confirmation messages.

Individuals across social media have reported receiving hundreds of these unsolicited emails in a short period. The messages bypass typical spam filters because they are sent directly from the legitimate customer service domains of major organizations. This makes them particularly intrusive and concerning for recipients who may initially believe they are legitimate communications.

The core of the issue lies in a default setting within Zendesk. The platform allows companies to configure their support so that anyone can submit a ticket without first verifying their email address. Attackers are exploiting this openness by using automated tools to submit massive volumes of fake support tickets, entering random or harvested email addresses as the contact. Each submission triggers an automatic confirmation email from the company’s Zendesk system, effectively turning a customer service tool into an unwitting spam relay.

The list of affected organizations is extensive and includes major names like Discord, Tinder, Riot Games, Dropbox, and NordVPN, as well as entities like the Tennessee Department of Revenue and Headspace. The subject lines of these emails are deliberately chaotic and alarming. Some impersonate legal actions or law enforcement, with phrases like “TAKE DOWN ORDER NOW” or “IMPORTANT LAW ENFORCEMENT NOTIFICATION.” Others promise free gifts like “FREE DISCORD NITRO!!” or simply plead “Help Me!” Many use Unicode characters to create bold or decorative text in various languages, adding to their strange appearance.

Despite their alarming nature, security researchers confirm the emails lack phishing links or malware payloads. Their primary impact is nuisance and confusion, suggesting the campaign may be more about “trolling” than direct cybercrime. Several affected companies have publicly addressed the issue. For instance, video game publisher 2K sent follow-up messages to recipients, explaining the situation and urging them not to be concerned. They clarified that their open ticket policy, intended to reduce support barriers, was being abused and assured users that no account actions would be taken without direct authentication from the account holder.

In response to the incident, Zendesk has stated it is implementing new platform-level safeguards. A company spokesperson noted the introduction of enhanced monitoring and activity limits designed to detect and halt this “relay spam” more quickly. Zendesk had previously alerted customers to this potential abuse in a December advisory, recommending that organizations adjust their settings to prevent it. The most effective mitigation is for companies to restrict ticket creation to verified users only and to remove any open fields that allow for unvetted email addresses or ticket subjects.

For individuals inundated with these messages, the advice is straightforward: mark them as spam and delete them. Since the emails contain no dangerous links, they pose no direct security threat, though their volume remains a significant annoyance. This event highlights a broader security consideration for businesses using SaaS platforms, underscoring the importance of reviewing default configurations, even those meant to improve user accessibility, to ensure they cannot be weaponized for disruptive campaigns.

(Source: Bleeping Computer)