Lapsus$ Hackers Target Zendesk Users in Coordinated Attack

Summary
– Scattered Lapsus$ Hunters may be targeting Zendesk users through phishing domains and malicious helpdesk tickets.
– Over 40 typosquatted Zendesk domains have been created in the past six months, hosting fake SSO portals to steal credentials.
– The group is submitting fraudulent tickets to Zendesk portals to infect support staff with malware and steal credentials.
– Discord may be an early victim, with attackers compromising its Zendesk system to steal user data like emails and billing information.
– This campaign shares similarities with recent Salesforce attacks but could also be the work of a copycat group.
A new and sophisticated phishing campaign is actively targeting users of the popular customer service platform Zendesk. Security researchers at ReliaQuest have identified a wave of malicious activity, including over 40 deceptive domains designed to impersonate legitimate Zendesk services. These fake sites, which use slight misspellings like znedesk[.]com, host counterfeit single sign-on portals with the singular purpose of stealing user credentials. The technical fingerprints of this operation strongly resemble those of the notorious Scattered Lapsus$ Hunters group, suggesting a coordinated and persistent threat.
The investigation revealed that all these fraudulent domains were registered through the NiceNic registrar. They share consistent registrant information pointing to the United States and United Kingdom, and they sit behind Cloudflare, which hides the hosting infrastructure behind Cloudflare's own nameservers. This specific combination of tactics, techniques, and procedures is a hallmark of the same threat actors who orchestrated a similar campaign against the Salesforce platform just a few months prior. The parallels in domain formatting, registrar choice, and the deployment of fake login pages are too significant to ignore.
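The domains described above rely on small edits to the brand name (znedesk[.]com transposes two letters of zendesk). The script below is an added example, not code from the article or from ReliaQuest, showing how a defender can triage a list of candidate domains (for example from certificate-transparency or passive-DNS feeds) against a monitored brand: it flags names within a small Damerau-Levenshtein distance of the brand label, names that embed the brand, and the brand label itself on a domain the company does not own. The allowlist, the distance threshold, and every sample domain other than znedesk[.]com are assumptions constructed for illustration.

```python
"""Flag candidate domains that look like typosquats of zendesk.com.

Added example, not from the article or the ReliaQuest report. The candidate
list and allowlist below are constructed; only znedesk[.]com comes from the
article, every other name is hypothetical.
"""
from typing import Dict, List, Optional

BRAND = "zendesk"
# Domains the brand actually operates and which must never be flagged.
# Hypothetical allowlist; a real deployment would load it from asset inventory.
ALLOWLIST = {"zendesk.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each cost 1, so the transposition
    'zendesk' -> 'znedesk' scores 1 rather than 2."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def registrable_label(domain: str) -> str:
    """Return the label directly left of the TLD, e.g. 'znedesk' for
    'sso.znedesk.com'. Naive: assumes a one-label public suffix; a production
    pipeline should use the Public Suffix List instead."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brand: str = BRAND, max_distance: int = 2) -> Optional[str]:
    """Return a short reason if the domain looks like a squat of `brand`,
    otherwise None. Allowlisted domains are never flagged."""
    if domain.lower().rstrip(".") in ALLOWLIST:
        return None
    label = registrable_label(domain)
    if label == brand:
        return "brand label on a domain the brand does not own"
    dist = damerau_levenshtein(label, brand)
    if dist <= max_distance:
        return f"edit distance {dist} from '{brand}'"
    if brand in label:
        return "brand name embedded in label"
    return None


def triage(candidates: List[str]) -> Dict[str, str]:
    """Run classify() over a candidate list and return only the hits."""
    hits: Dict[str, str] = {}
    for dom in candidates:
        reason = classify(dom)
        if reason:
            hits[dom] = reason
    return hits


# Constructed sample feed: one indicator from the article plus hypothetical names.
SAMPLE_CANDIDATES = [
    "zendesk.com",      # legitimate, allowlisted
    "znedesk.com",      # transposition (from the article)
    "zendesk-sso.com",  # hypothetical: brand embedded in a longer label
    "zendeks.net",      # hypothetical: transposition at the end
    "zemdesk.com",      # hypothetical: single substitution
    "example.org",      # unrelated
    "desk.com",         # unrelated: distance 3, no brand substring
]

if __name__ == "__main__":
    for dom, why in triage(SAMPLE_CANDIDATES).items():
        print(f"{dom}: {why}")
```

Hits from this check are a starting point for the pivots the report describes (registrar, registrant details, nameservers), not a verdict on their own; a distance threshold of 2 will also catch unrelated short words, so review flagged names before blocking.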
Beyond credential harvesting, the attackers are also leveraging a secondary, equally dangerous method. They are actively submitting fraudulent helpdesk tickets directly to the Zendesk portals used by the platform’s clients. These tickets are carefully engineered to appear as legitimate, high-priority requests, such as urgent system administration tasks or password reset claims. The ultimate objective is to manipulate support staff into executing malicious files, which then deploy remote access trojans (RATs) and other forms of malware onto corporate systems.
There is compelling evidence that this campaign has already claimed a major victim. The popular communication platform Discord recently disclosed a security incident involving a third-party customer service agent. In that breach, threat actors successfully infiltrated Discord’s Zendesk-based support system, leading to the theft of extensive user data. The compromised information included user names, email and billing addresses, IP addresses, and even copies of government-issued identification documents. This incident underscores the severe real-world consequences of these attacks.
This offensive against Zendesk customers appears to be part of a broader strategy focusing on high-value Software-as-a-Service (SaaS) platforms. These companies are attractive targets due to their widespread corporate adoption and, crucially, their deep access to sensitive customer data across numerous other organizations. While the evidence points strongly to the Scattered Lapsus$ Hunters, security experts acknowledge the possibility that a separate, copycat group could be responsible for this latest wave of attacks. In response to these threats, ReliaQuest is urging all organizations to implement enhanced security measures.
(Source: Info Security)