Phishing campaigns have increasingly exploited Zendesk's SaaS infrastructure, and the same technique could serve as bait for "pig butchering" investment scams: free-trial subdomains are registered with brand-like names to mimic legitimate companies and deceive unsuspecting users. Because the subdomain sits under zendesk.com, the resulting interface looks authentic and can be used for phishing, data theft and financial fraud. The misuse is compounded by B2B marketing tools that make it easy to gather employee email addresses, and by Zendesk not verifying the email addresses that are invited as end users, which lets ticket notifications carrying phishing links arrive from legitimate Zendesk mail infrastructure and pass spam filters. To mitigate these risks, organizations should block unknown Zendesk instances, use detection tooling such as XVigil to spot lookalike subdomains, and educate employees about this phishing tactic.
Zendesk allows a user to sign up for a free trial of its SaaS platform and, as part of that sign-up, to register a subdomain under zendesk.com. That subdomain can be chosen to impersonate a target. Over the past six months several clients have been alerted to such suspicious domains through XVigil's Fake URLs & Phishing submodule. The subdomains in question combined keywords from the impersonated brand's name with a string of numbers to appear legitimate to unsuspecting users.
In this report, however, we explore how these Zendesk domains could be used as bait to facilitate investment scams of the "pig butchering" type. Note that we have not observed active campaigns using this method; it is an attack technique we want to explore and demonstrate.
Since 2023, XVigil has captured 1,912 instances of Zendesk websites matching client keywords. Corporations do operate legitimate instances to communicate with customers, and more often than not we have seen five or more instances registered for a single company at different points in time, so a keyword match alone is not proof of impersonation and each instance has to be checked against the ones the company actually owns. A breakdown by industry is provided below for context.
1. The user signs up for Zendesk with the intention of registering a URL that mimics the target company. The details Zendesk asks for at registration are:-
2. Once these details are provided, the user is asked to name the Zendesk instance, which lets the actor choose a subdomain that resembles the target company's name.
3. After the subdomain was registered (CloudSEK's demonstration case), the landing page appeared as follows:
4. Upon registering the subdomain, the user has admin access to it and can add people to the portal as end users; doing so sends each of them an invitation email.
5. A threat actor would then test the waters with the invitation email and may follow up with links to live phishing pages, under the pretence of assigning tickets to the invited user.
6. B2B marketing and sales-intelligence platforms such as RocketReach and Apollo make it easy to scour for employee email addresses belonging to an organization. Combined with bait sent from a Zendesk instance, this makes the linked phishing pages appear legitimate to the average user.
Zendesk does not verify an email address before it is invited as a user, which means any arbitrary address can be added as a member. Phishing pages can then be sent to that address in the guise of assigned tickets.
In the screenshots below, a disposable email address was added to the members list as a Zendesk end user (ticket recipient). The address received the phishing page in the guise of a ticket assignment.
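The detection side of the technique described above (brand keyword plus a run of digits in a zendesk.com subdomain, checked against the instances a company really owns, and the same check applied to the sender domain of ticket notification emails) is shown below as an added example. It is not CloudSEK's, XVigil's or Zendesk's code; the brand keywords, the allowlist, the proxy log lines and the `support@<instance>.zendesk.com` sender format are constructed assumptions for the illustration.

```python
"""Flag lookalike Zendesk trial instances in proxy logs and ticket emails.

Added example, not CloudSEK's or Zendesk's code. Brand keywords, the allowlist
and the sample log/header data below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Keywords an impersonator would build a lookalike subdomain around
# (hypothetical brand "Acme Bank").
BRAND_KEYWORDS = ("acmebank", "acme")

# Zendesk instances the organization really operates (constructed allowlist).
# Zendesk's own hostnames (e.g. www.zendesk.com) would also need to be listed
# here, or they surface as "low" findings.
KNOWN_INSTANCES = {"acme.zendesk.com", "acmesupport.zendesk.com"}

# The instance name is the label directly in front of zendesk.com. Zendesk
# subdomains are ASCII letters, digits and hyphens, so no IDN handling here.
ZENDESK_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*(?P<sub>[a-z0-9-]+)\.zendesk\.com$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


@dataclass
class Finding:
    host: str
    severity: str  # "high" | "medium" | "low"
    reason: str


def normalise_host(value: str) -> str:
    """Accept a URL or a bare hostname; return a lowercase hostname."""
    host = urlparse(value).hostname if "://" in value else value.split("/")[0].split(":")[0]
    return (host or "").strip().rstrip(".").lower()


def classify_zendesk_host(value: str) -> Optional[Finding]:
    """Return a Finding for a zendesk.com subdomain that is not ours, else None."""
    host = normalise_host(value)
    m = ZENDESK_HOST.match(host)
    if not m or host in KNOWN_INSTANCES:
        return None
    sub = m.group("sub")
    letters = re.sub(r"[^a-z]", "", sub)  # drop digits/hyphens before the keyword check
    digit_runs = re.findall(r"\d+", sub)
    hits = [k for k in BRAND_KEYWORDS if k in letters]
    if hits and digit_runs:
        # Exactly the pattern in the report: brand name plus a string of numbers.
        return Finding(host, "high", f"brand keyword {max(hits, key=len)!r} + digits {digit_runs[0]!r}")
    if hits:
        return Finding(host, "medium", f"brand keyword {max(hits, key=len)!r} on unknown instance")
    return Finding(host, "low", "zendesk.com instance not on allowlist")


def scan_log(text: str) -> list[Finding]:
    """Pull every URL out of a log blob and classify the Zendesk ones (one Finding per host)."""
    seen: dict[str, Finding] = {}
    for url in URL_RE.findall(text):
        f = classify_zendesk_host(url)
        if f and f.host not in seen:
            seen[f.host] = f
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(seen.values(), key=lambda f: (order[f.severity], f.host))


def scan_sender(header_value: str) -> Optional[Finding]:
    """Classify the domain of a From:/Reply-To: header, e.g. a ticket notification
    from support@<instance>.zendesk.com (assumed default sender format)."""
    m = ADDR_RE.search(header_value)
    return classify_zendesk_host(m.group(1)) if m else None


# Constructed sample proxy log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:03Z user=jdoe   GET https://acme.zendesk.com/hc/en-us 200
2024-05-02T09:15:41Z user=asmith GET https://acmebank4821.zendesk.com/hc/en-us/requests/new 200
2024-05-02T09:16:10Z user=asmith GET https://www.example.com/ 200
2024-05-02T09:17:55Z user=bkhan  GET https://acme-helpdesk.zendesk.com/agent/ 302
2024-05-02T09:18:20Z user=cwu    GET https://randomco77.zendesk.com/ 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_PROXY_LOG):
        print(f"{f.severity:<6} {f.host:<32} {f.reason}")
    f = scan_sender("Acme Bank Helpdesk <support@acmebank4821.zendesk.com>")
    print("mail:", f.severity if f else "clean")
```

The allowlist is what keeps this usable: as the report notes, a company may legitimately run several instances, so every genuine one has to be enumerated up front or it will be reported as an unknown instance. The "high" tier is deliberately narrow (brand keyword and a digit run in the same label) so that the pattern the report describes can be blocked automatically, while "medium" and "low" findings are left for an analyst to confirm.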
Observations:-