Hackers are abusing Zendesk to run brand impersonation scams

Phishing
(Image credit: wk1003mike / Shutterstock)

  • Security researchers observe hackers running pig butchering scams
  • They're impersonating legitimate businesses through Zendesk's services
  • The researchers said Zendesk's vetting system isn't thorough enough

Cybersecurity researchers CloudSEK have found criminals are abusing Zendesk to run brand impersonation scams, with hackers abusing simple program features to engage in “pig butchering” scams to trick people out of their money.

Zendesk allows users to register free trial accounts which, in turn, grant the ability to create subdomains, unfortunately allowing criminals to abuse it at scale.

First, they would create a fake subdomain, mimicking a legitimate company, which would be used to send phishing emails pretending to be actual customer support communication. Since Zendesk is a legitimate company, the emails often make it past spam filters and, disguised using accurate branding, land right into people’s inboxes. The emails apparently carry an image hyperlinked to a phishing page, where the scam continues.

Pig butchering

The goal of the scam is to get people investing in a fake investment platform or support page - a staple of pig butchering scams. The ruse is designed to last as long as possible, draining money from the victim until they realize they’ve been defrauded.

The problem, according to CloudSEK, is that Zendesk doesn’t perform thorough email validation when adding users to subdomains. “This oversight allows attackers to target employees or customers with phishing attempts masked as legitimate ticket assignments,” the researchers said.

Zendesk has been informed of the flaw and its potential for misuse, following CloudSEK's responsible disclosure policy, CloudSEK concluded.

We have reached out to the company and will update the article if we hear back.

Edit, January 23:

"Zendesk sees no evidence of any active campaigns utilizing the method described in the CloudSEK report," a spokesperson told TechRadar Pro via email. "Zendesk actively monitors the creation of accounts to prevent impersonation and immediately removes those that violate our policies."

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
Fraude en ligne phishing
Google Search ads are being hacked to steal account info
Magnifying glass enlarging the word 'malware' in computer machine code
Microsoft Teams and AnyDesk abused to deploy dangerous malware, so be on your guard
Hook on Keyboard
Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
Fraude en ligne phishing
Google forced to step up phishing defenses following ‘most sophisticated attack’ it has ever seen
Latest in Security
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Image of laptop infected with malware
Ransomware criminals are now sending their demands...by snail mail?
Latest in News
A screenshot showing Naoe looking at the hidden blade in Assassin's Creed Shadows
Prep 107GB of space as Assassin's Creed Shadows preload and expected global release times are shared by Ubisoft
Sam Altman and OpenAI
UK regulator clears Microsoft’s $13bn deal with OpenAI after lengthy delay
the last of us 2 gate codes
The Last of Us director Neil Druckmann speaks on the possibility of The Last of Us Part 3: 'I guess the only thing I would say is don’t bet on there being more'
Google AI Mode
Google previews AI Mode for search, taking on the likes of ChatGPT search and Perplexity
AMD Ryzen 9950X
Ryzen CPUs are the cheapest Zen 5 cores you can buy, but I was surprised to see this AMD 192-core CPUs on the value leaderboard
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy