- Security researchers observe hackers running pig butchering scams
- They're impersonating legitimate businesses through Zendesk's services
- The researchers said Zendesk's vetting system isn't thorough enough
Cybersecurity researchers CloudSEK have found criminals are abusing Zendesk to run brand impersonation scams, with hackers abusing simple program features to engage in “pig butchering” scams to trick people out of their money.
Zendesk allows users to register free trial accounts which, in turn, grant the ability to create subdomains, unfortunately allowing criminals to abuse it at scale.
First, they would create a fake subdomain, mimicking a legitimate company, which would be used to send phishing emails pretending to be actual customer support communication. Since Zendesk is a legitimate company, the emails often make it past spam filters and, disguised using accurate branding, land right into people’s inboxes. The emails apparently carry an image hyperlinked to a phishing page, where the scam continues.
Pig butchering
The goal of the scam is to get people investing in a fake investment platform or support page - a staple of pig butchering scams. The ruse is designed to last as long as possible, draining money from the victim until they realize they’ve been defrauded.
The problem, according to CloudSEK, is that Zendesk doesn’t perform thorough email validation when adding users to subdomains. “This oversight allows attackers to target employees or customers with phishing attempts masked as legitimate ticket assignments,” the researchers said.
Zendesk has been informed of the flaw and its potential for misuse, following CloudSEK's responsible disclosure policy, CloudSEK concluded.
We have reached out to the company and will update the article if we hear back.
Edit, January 23:
"Zendesk sees no evidence of any active campaigns utilizing the method described in the CloudSEK report," a spokesperson told TechRadar Pro via email. "Zendesk actively monitors the creation of accounts to prevent impersonation and immediately removes those that violate our policies."
You might also like
- Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
- Here's a list of the best antivirus tools on offer
- These are the best endpoint protection tools right now
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
