The Scattered Lapsus$ Hunters group appears to be targeting Zendesk users in a new phishing campaign. 

Over 40 typosquatted Zendesk domains were discovered, such as znedesk[.]com and vpn-zendesk[.]com. These host fake Zendesk SSO portals to steal credentials. All domains were registered via NiceNic, with US/UK registrant info and Cloudflare-masked nameservers. 

Attack Tactics: 

Fraudulent helpdesk tickets submitted to Zendesk portals, aiming to infect support staff with remote access trojans (RATs) and other malware. 

Pretexts include urgent admin requests or fake password resets to trick staff into giving credentials or compromising endpoints. 

Victim: 

The campaign may already have its first victim, after Discord revealed a breach via a third-party customer service provider last month. Threat actors compromised its Zendesk-based support system, stealing user data including names, email addresses, billing information, IP addresses and government-issued ID information. 

Recommendations: 

  • Immediately implement multi-factor authentication (MFA) with hardware security keys, IP whitelisting, and session timeout policies for all Zendesk administrative and support accounts. 
  • Deploy proactive domain monitoring and DNS filtering to detect and block typosquatted Zendesk domains. Consider using a Digital Risk Protection service for early detection of malicious domain registrations. 
  • Limit which employees can receive direct messages through Zendesk Chat and implement content filtering to detect phishing links and credential-request patterns. 
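The domain-monitoring recommendation above, and the lookalike domains listed earlier (znedesk[.]com, vpn-zendesk[.]com), can be turned into a simple detector. The following is an added example written for this bulletin, not code from the campaign report or from Zendesk: it refangs indicators, then classifies each candidate against the protected domain zendesk.com as a transposition/typo (edit distance on the registrable label, with a small homoglyph map), a wrong-TLD registration, or a brand-embedded name such as vpn-zendesk. The candidate feed is constructed sample data; the single-label public suffix assumption and the edit-distance threshold are assumptions you would tune for your own brand.

```python
"""Lookalike-domain detector for a protected brand domain (added example).

Feed it domains from a newly-registered-domain feed or resolver logs and it
flags the typosquats and brand-embedding registrations described in the
bulletin. Assumptions: one protected brand, a one-label public suffix
(a real deployment would consult the Public Suffix List), and an
edit-distance threshold of 2 for a 7-letter brand.
"""
import re

PROTECTED = "zendesk.com"      # brand domain to protect (assumption)
MAX_EDITS = 2                  # typo tolerance; lower this for short brands
# Common visual substitutions seen in lookalike labels (small illustrative map)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://znedesk[.]com/login) into a bare hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return s.split("/")[0].split(":")[0].rstrip(".")


def registrable_label(host: str) -> str:
    """Second-level label: 'vpn-zendesk' for vpn-zendesk.com (one-label suffix assumed)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def normalize(label: str) -> str:
    """Collapse homoglyph substitutions so zend3sk compares equal to zendesk."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and an
    adjacent transposition each cost 1, so znedesk vs zendesk is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, protected: str = PROTECTED) -> str:
    """Return one of: legitimate, tld-swap, typosquat, brand-embedded, unrelated."""
    host = refang(candidate)
    if host == protected or host.endswith("." + protected):
        return "legitimate"           # first-party domain or subdomain
    brand = registrable_label(protected)
    label = registrable_label(host)
    if label == brand:
        return "tld-swap"             # same label, different suffix (zendesk.co)
    norm = normalize(label)
    if osa_distance(norm, brand) <= MAX_EDITS:
        return "typosquat"            # znedesk, zendsek, zend3sk
    if brand in norm:
        return "brand-embedded"       # vpn-zendesk, zendesk-sso
    return "unrelated"


def scan(candidates):
    """Return (host, verdict) for every candidate worth an analyst's attention."""
    flagged = []
    for c in candidates:
        verdict = classify(c)
        if verdict not in ("legitimate", "unrelated"):
            flagged.append((refang(c), verdict))
    return flagged


# Constructed sample feed mixing the bulletin's indicators with benign hosts.
SAMPLE_FEED = [
    "znedesk[.]com", "vpn-zendesk[.]com", "support.zendesk.com", "zendesk.co",
    "zend3sk.com", "github.com", "hxxps://zendesk-sso[.]net/login", "desk.com",
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_FEED):
        print(f"{host:28s} {verdict}")
```

Feed the output into your DNS filtering or Digital Risk Protection workflow as a triage list; the verdict categories map directly onto the bulletin's findings (typosquat and brand-embedded registrations hosting fake SSO portals). The edit-distance threshold is the main false-positive knob: for a short brand name it should be 1.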

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
