Hackers affiliated with the Scattered Lapsus$ Hunters might be preparing a threat campaign against Zendesk environments, according to Reliaquest researchers.
About 40 typosquatting and impersonating domains that mimic Zendesk environments have been created over the past six months, according to a blog published Wednesday by Reliaquest. Zendesk is a company that provides cloud-based customer service and sales software.
Some of the domains host phishing pages that contain fake single sign-on portals, which can be used to trick users and steal credentials, according to the blog.
Reliaquest researchers believe the campaign is already beginning to target Zendesk environments.
“The primary objective at this stage appears to be harvesting credentials from users within organizations that rely on Zendesk, such as system administrators or helpdesk personnel—likely due to their elevated permissions,” a Reliaquest spokesperson told Cybersecurity Dive via email.
The domains shared several notable registration details, including Cloudflare-masked nameservers, U.S.- and U.K.-based registrant contact information and registration through NiceNik, according to Reliaquest.
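As an added example (not code from Reliaquest or Zendesk), the script below shows how a defender might triage a list of candidate domains for the kind of Zendesk lookalikes described above: official tenant subdomains, names that embed the brand in a domain Zendesk does not control, and near-miss typos. The sample domains, homoglyph map, edit-distance threshold and public-suffix handling are all assumptions; the sample names are invented placeholders, not indicators from the report.

```python
# Added example: classify hostnames as Zendesk lookalikes.
# Assumptions: threshold of 2 edits, a tiny homoglyph table, and a
# hand-rolled public-suffix list (a real deployment would use the PSL).
BRAND = "zendesk"
OFFICIAL_APEX = "zendesk.com"   # real tenants appear as <tenant>.zendesk.com
# Characters commonly substituted for letters of a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(host: str):
    """Return (subdomain labels, registrable label, public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) < n + 1:          # bare label, nothing to strip
        return [], labels[0], ""
    return labels[:-(n + 1)], labels[-(n + 1)], ".".join(labels[-n:])

def classify(host: str) -> str:
    """One of 'legitimate', 'impersonation', 'typosquat', 'no_match'."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL_APEX or host.endswith("." + OFFICIAL_APEX):
        return "legitimate"
    subs, label, _ = split_domain(host)
    norm = label.translate(HOMOGLYPHS).replace("-", "")
    if BRAND in norm or any(BRAND in s.translate(HOMOGLYPHS) for s in subs):
        return "impersonation"   # brand embedded in a domain Zendesk does not own
    if levenshtein(norm, BRAND) <= 2:
        return "typosquat"       # e.g. zendeks, zemdesk, zendsk
    return "no_match"

# Constructed sample input: hypothetical names, not real indicators.
SAMPLE_HOSTS = [
    "acme.zendesk.com", "zendesk-sso-login.com", "zendeks.com",
    "z3ndesk-support.net", "zendesk.helpdesk-portal.co.uk", "example.org",
]

def scan(hosts=SAMPLE_HOSTS) -> dict:
    """Map each hostname to its verdict; feed this from CT or proxy logs."""
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"{verdict:14s} {host}")
```

Anything other than "legitimate" or "no_match" is worth a lookup against the organisation's own allow-list and, where available, registrar and nameserver data like the details Reliaquest describes.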
Researchers warn they have evidence the hackers are submitting fraudulent tickets to legitimate Zendesk portals that are operated by organizations that use the portal for customer service. The fraudulent tickets are designed to target help-desk and support personnel, infecting them with remote access Trojans and other types of malware, according to Reliaquest.
A spokesperson for Reliaquest said the researchers shared their findings with Zendesk.
“Our security team continuously monitors potential phishing sites, fraudulent domains or misuse of our trademarks for malicious activities,” a spokesperson for Zendesk told Cybersecurity Dive via email. “We quickly respond to emerging threats, alert affected parties and implement protective measures when it is appropriate to ensure the security of our customers.”
Source: Cybersecurity News