Zendesk users targeted by Scattered Lapsus$ Hunters hackers and fake support sites
There's more to the Salesforce attacks than meets the eye
- Hackers targeting Zendesk users with typosquatted domains to steal credentials
- ReliaQuest found 40+ spoofed domains, linked to Salesforce campaign similarities
- Attackers submit fake Zendesk tickets to spread malware and steal support staff access
The notorious Scattered Lapsus$ Hunters gang, which famously targeted Salesforce users, is now targeting Zendesk users as well to try and steal login credentials and gain access to their sensitive information, experts have warned.
Security researchers from ReliaQuest claim that, over the last six months, more than 40 typosquatted domains were registered spoofing Zendesk. In some instances the domains contained a target company's brand name (for example businessname-zendesk[dot]com); in others they were generic (vpn-zendesk[dot]com, for example).
All of the domains ReliaQuest found were registered through NiceNic, with either UK or US registrant information (likely stolen in earlier breaches) and Cloudflare-masked nameservers.
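The two domain shapes described above (brand-zendesk[dot]com and a generic keyword such as vpn-zendesk[dot]com) are easy to hunt for in proxy or DNS logs once you know the pattern. The following is an added example written for this page, not code from the article or from ReliaQuest: it classifies any hostname that carries the Zendesk brand but does not sit under the genuine zendesk.com apex, also catching one-character lookalikes (for example zemdesk[dot]com) and bare TLD swaps, and then runs that logic over a few constructed proxy log lines. The log format (`dst=<url>`), the allowlist, the generic keyword set, the edit-distance threshold of 1 and all sample hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for this example (not from the article or ReliaQuest).
SAMPLE_LOGS = [
    "2025-10-20T09:12:01Z user=alice dst=https://acme.zendesk.com/agent/tickets/42",
    "2025-10-20T09:13:44Z user=bob dst=https://acme-zendesk.com/sso/login",
    "2025-10-20T09:15:02Z user=carol dst=https://vpn-zendesk.com/auth",
    "2025-10-20T09:16:30Z user=dave dst=https://www.zendesk.com/pricing/",
    "2025-10-20T09:18:11Z user=erin dst=https://zendesk-support.net/password-reset",
    "2025-10-20T09:19:59Z user=frank dst=https://zemdesk.com/login",
]

BRAND = "zendesk"
# Hostnames equal to or under these apex domains are treated as genuine Zendesk
# infrastructure (assumption: extend with the Zendesk hosts your organisation really uses).
LEGIT_APEX = ("zendesk.com",)
# Generic tokens seen in the article's examples (vpn-) plus common credential-lure words.
GENERIC_TOKENS = {"vpn", "sso", "login", "auth", "support", "help", "portal", "mail"}
DST_RE = re.compile(r"dst=(\S+)")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character lookalikes of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit(host: str) -> bool:
    return any(host == apex or host.endswith("." + apex) for apex in LEGIT_APEX)


def classify_host(host: str):
    """Return None for a genuine or unrelated host, else a dict describing the spoof."""
    host = host.lower().rstrip(".")
    if is_legit(host):
        return None
    labels = host.split(".")
    # Split every label except the TLD on hyphens: "acme-zendesk.com" -> ["acme", "zendesk"].
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    hits = [t for t in tokens if edit_distance(t, BRAND) <= 1]
    if not hits:
        return None
    others = [t for t in tokens if t not in hits and t != "www"]
    if not others:
        kind = "lookalike" if hits[0] != BRAND else "brand-only"   # e.g. zemdesk.com / zendesk.co
    elif all(t in GENERIC_TOKENS for t in others):
        kind = "generic-keyword"                                    # e.g. vpn-zendesk.com
    else:
        kind = "brand-prefixed"                                     # e.g. acme-zendesk.com
    return {"host": host, "kind": kind, "matched": hits[0], "other_tokens": others}


def scan_logs(lines):
    """Yield one finding per log line whose destination host spoofs the brand."""
    findings = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        parsed = urlparse(m.group(1))
        if not parsed.hostname:
            continue
        verdict = classify_host(parsed.hostname)
        if verdict:
            # A login-looking path on a spoofed host is the deceptive SSO portal pattern.
            path = parsed.path.lower()
            verdict["credential_lure"] = any(k in path for k in ("sso", "login", "auth", "password"))
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['host']:<24} {f['kind']:<16} lure={f['credential_lure']}")
```

Feeding real logs into this means swapping `SAMPLE_LOGS` for your proxy export and widening `LEGIT_APEX` to whatever Zendesk-owned hosts you legitimately see; the edit-distance check is deliberately kept at 1 so that ordinary words do not collide with the brand.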
Also attacking Discord?
The researchers found the campaign while investigating the August Salesforce campaign, noting that, “The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals.”
If this information is true, it would mean the Scattered Lapsus$ Hunters (SLH) group kept busy over the summer.
The researchers also said they saw the hackers trying to infect businesses with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware,” the report said.
“Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some publications are linking this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account had been breached, and that sensitive data such as billing information, ID numbers, and email addresses had been stolen. However, SLH denied any involvement. According to SOCRadar, the group said in its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. We actually did pop their Okta at the same time … vxunderground believed we were behind the Zendesk compromise. We never corrected him because it was hilarious and we know the truth would come out.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.