Scattered Lapsus$ Hunters Impersonate Zendesk in Phishing Campaign Stealing Credentials
Published
Key Takeaways
- New campaign: Scattered Lapsus$ Hunters is targeting Zendesk users with a sophisticated phishing campaign involving fake support sites.
- Phishing infrastructure: Security researchers have identified over 40 typosquatted and impersonation domains designed to mimic Zendesk's legitimate portals.
- Attack method: The group uses fake SSO pages to harvest credentials and submits malicious tickets to legitimate helpdesks to deploy RATs.
A Scattered Lapsus$ Hunters Zendesk attack leverages an extensive infrastructure of more than 40 fraudulent domains that impersonate Zendesk's support portals. The group leverages these fake support sites with illegitimate SSO login prompts to steal credentials and gain initial access to corporate networks via RATs.
The tactics and registration details of these domains closely mirror a previous campaign against Salesforce customers, which was claimed by ShinyHunters, strongly suggesting the same threat actor is responsible.
Helpdesk Security Breach Methods
The cybercrime supergroup known as Scattered Lapsus$ Hunters (SLH) is believed to be behind a new, large-scale phishing campaign targeting users of the customer service platform Zendesk.Â
The attackers are employing a multi-faceted approach, security researchers at ReliaQuest discovered. Some of the impersonation domains, such as znedesk[.]com, organization-zendesk[.]com, or vpn-zendesk[.]com, host fake single sign-on (SSO) pages designed to harvest employee credentials.Â
In a more direct method, the group submits malicious support tickets to legitimate Zendesk instances operated by their target organizations. These fraudulent tickets are weaponized, potentially leading to the deployment of remote access trojans (RATs) on helpdesk agents' machines.Â
Context of the Broader Campaign
This Zendesk phishing campaign is consistent with the known modus operandi of Scattered Lapsus$ Hunters, a coalition of threat actors from Scattered Spider, ShinyHunters, and the original Lapsus$ group.Â
Their strategy focuses on weaponizing identity and trust in widely used SaaS platforms. The attack on Zendesk, which serves over 100,000 companies, could provide the group with an entry point into a vast number of organizations.Â
The recent breach at Discord, which involved its 5CA support system (Zendesk customers), is now being viewed by some researchers as likely part of this broader campaign targeting enterprise support platforms. Both Zendesk and 5CA denied being breached.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular