- Hackers targeting Zendesk users with typosquatted domains to steal credentials
- ReliaQuest found over 40 spoofed domains that share registration traits with the earlier Salesforce campaign
- Attackers submit fake Zendesk tickets to spread malware and steal support staff access.
The notorious Scattered Lapsus$ Hunters gang, which targeted Salesforce users, is now also targeting Zendesk users in an attempt to steal login credentials and access their sensitive information, experts have warned.
Security researchers at ReliaQuest say that in the last six months, more than 40 typosquatted domains have been registered to spoof Zendesk. In some cases, domains contained brand names (e.g. businessname-zendesk[dot]com), and in other cases they were relatively generic (vpn-zendesk[dot]com, for example).
All domains found by ReliaQuest were registered through NiceNic, with UK or US registrant information (likely stolen in previous breaches) and nameservers masked by Cloudflare.
Are you also attacking Discord?
Researchers discovered the campaign while investigating the August Salesforce incident, noting: “The domains we discovered while investigating the August campaign shared similarities with Zendesk domains: formatting, registry features, and use of deceptive SSO portals.”
If accurate, this would mean the Scattered Lapsus$ Hunters (SLH) group has remained busy throughout the summer.
Researchers also said they have seen hackers attempt to infect businesses with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are designed to target support staff, infecting them with remote access Trojans (RATs) and other types of malware,” the report states.
“Targeting support teams with these types of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset requests. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some online posts link this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account had been hacked and sensitive data such as billing information, ID numbers and email addresses stolen. However, SLH denied any involvement. According to SOCRadar, the group declared on its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. In fact, we launched their Okta at the same time…vxunderground thought we were behind the Zendesk compromise. We never fixed it because it was hilarious and we knew the truth would come out.”
Via Infosecurity Magazine