
Scattered Lapsus$ Hunters Take Aim At Zendesk Users

Severity: Medium
Published: Thu Nov 27 2025 (11/27/2025, 14:13:07 UTC)
Source: AlienVault OTX General

Description

A threat campaign linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users through over 40 typosquatted domains impersonating Zendesk and various organizations. These domains host phishing pages to harvest credentials. Attackers also submit fraudulent tickets to Zendesk portals to infect support staff with remote access trojans (RATs). This campaign follows similar attacks on other SaaS platforms like Salesforce, with Discord reportedly breached via its Zendesk support system. The attack leverages phishing, typosquatting, and social engineering to compromise customer service environments. Organizations are advised to implement strong authentication, monitor for typosquatted domains, and secure Zendesk chat to mitigate risks. The threat poses a medium severity risk due to its potential to compromise sensitive support operations and enable persistent access. No CVSS score is available, but the attack's impact on confidentiality and integrity, combined with ease of exploitation, warrants a medium severity rating.

AI-Powered Analysis

Last updated: 11/27/2025, 18:49:05 UTC

Technical Analysis

The Scattered Lapsus$ Hunters group has initiated a targeted campaign against Zendesk users by registering over 40 typosquatted domains that mimic legitimate Zendesk URLs and incorporate organization or brand names. These domains serve phishing pages built to harvest credentials from users who are lured to them or who mistype the real address. Beyond credential harvesting, the attackers submit fraudulent support tickets through Zendesk portals, aiming to deliver remote access trojans (RATs) to the customer support staff who handle them. This multi-faceted approach exploits both technical and social engineering vectors, abusing the trust placed in SaaS customer support platforms. The campaign is an evolution of prior attacks on SaaS platforms such as Salesforce, indicating a trend of targeting customer service ecosystems; the reported breach of Discord through its Zendesk-based support system illustrates the potential impact. The techniques are typosquatting (registering domains closely resembling legitimate ones), phishing (credential harvesting), and social engineering (fraudulent ticket submission), used to gain initial access and establish persistence. A RAT infection gives the attackers remote control of the compromised system, enabling data exfiltration, lateral movement, and further compromise. Indicators of compromise published with this report include the domains vpn-zendesk.com and znedesk.com. The campaign underscores the need for robust authentication, domain monitoring, and securing communication channels within SaaS platforms to prevent credential theft and malware deployment.
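The domain hunting that the indicators above, and the domain-monitoring recommendation under Mitigation Recommendations, call for, as an added example; this is not tooling from AlienVault, Zendesk or the referenced article. The resolver log format is constructed, the non-IOC domains (zendesk.login-example.net, example.com) are made up, and the allow-list and the two-level registrable-domain shortcut (a real deployment would use the public suffix list) are assumptions. It goes beyond the two listed IOCs: it also flags the brand used as a subdomain of an unrelated domain and the brand registered on a different TLD.

```python
"""Hunt DNS/proxy logs for Zendesk-lookalike domains.

Added example for this page, not tooling from AlienVault, Zendesk or the
referenced article. The log lines and the non-IOC domains are constructed;
the allow-list and the public-suffix shortcut are assumptions.
"""
import re

BRAND = "zendesk"
LEGIT_APEX = {"zendesk.com"}                              # genuine apex domains (assumption)
GENERIC_SLD = {"co", "com", "net", "org", "ac", "gov"}   # for ccTLD forms like co.uk


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters each cost 1 (so znedesk scores 1)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Registrable domain (simplified: use the public suffix list in production)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in GENERIC_SLD and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(fqdn: str):
    """Return why fqdn looks like a Zendesk lookalike, or None if it does not."""
    fqdn = fqdn.lower().rstrip(".")
    apex = registrable(fqdn)
    if apex in LEGIT_APEX:
        return None                          # anything under zendesk.com is genuine
    sld = apex.split(".")[0]
    if sld == BRAND:
        return "brand-on-other-tld"          # zendesk.net, zendesk.co.uk
    if BRAND in sld:
        return "brand-embedded"              # vpn-zendesk.com, zendesk-support.net
    if damerau_levenshtein(sld, BRAND) <= 2:
        return "brand-typo"                  # znedesk.com, zendeks.com
    subdomain = fqdn[: -len(apex)].rstrip(".") if fqdn != apex else ""
    if BRAND in subdomain:
        return "brand-in-subdomain"          # zendesk.login-example.net
    return None


# Constructed resolver log lines; the two IOC domains are the ones the page lists.
SAMPLE_LOG = """\
2025-11-27T14:13:07Z client=10.20.30.40 query=support.zendesk.com. type=A
2025-11-27T14:13:09Z client=10.20.30.41 query=znedesk.com. type=A
2025-11-27T14:13:12Z client=10.20.30.42 query=vpn-zendesk.com. type=A
2025-11-27T14:13:15Z client=10.20.30.43 query=zendesk.login-example.net. type=A
2025-11-27T14:13:18Z client=10.20.30.44 query=example.com. type=A
"""
QUERY_RE = re.compile(r"\bquery=(\S+)")


def hunt(log_text: str):
    """Return (domain, reason) for every log line whose queried name is a lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and (reason := classify(m.group(1))):
            hits.append((m.group(1).lower().rstrip("."), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in hunt(SAMPLE_LOG):
        print(f"{reason:20} {domain}")
```

The distance threshold of 2 is deliberately loose for a seven-letter brand; run the output against a list of domains your organization already knows to be benign before alerting on it, and feed confirmed hits to the registrar takedown process.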

Potential Impact

For European organizations, this threat poses significant risks to the confidentiality and integrity of customer support operations. Compromise of Zendesk accounts can lead to unauthorized access to sensitive customer data, internal communications, and support tickets, potentially exposing personal data protected under GDPR. The infection of support staff with RATs can facilitate persistent attacker presence, enabling lateral movement within corporate networks and access to other critical systems. This can result in data breaches, reputational damage, and regulatory penalties. Given the widespread use of Zendesk across various industries in Europe, including finance, telecommunications, and retail, the impact could be broad and severe. Additionally, disruption of customer support services can degrade business operations and customer trust. The phishing and typosquatting elements increase the likelihood of successful initial compromise, especially if users are not trained to recognize such threats. The medium severity reflects the balance between the attack complexity and the potential for significant operational and data security consequences.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to this threat:

1) Enforce multi-factor authentication (MFA) on all Zendesk accounts, preferably a phishing-resistant method (FIDO2/WebAuthn), since the campaign's lookalike pages exist to harvest credentials and a one-time code typed into such a page can be relayed just like the password.
2) Continuously monitor for, and request takedown of, typosquatted domains impersonating Zendesk or the organization's own brand (the page lists vpn-zendesk.com and znedesk.com as examples) to shrink the phishing surface.
3) Train support staff on the specific lures in this campaign: suspicious URLs, and unsolicited tickets that ask the agent to open an attachment or follow a link.
4) Harden the Zendesk portal configuration by restricting who may submit tickets and from where, and alert on unusual ticket activity such as new requesters sending attachments or links.
5) Apply strict access controls to Zendesk chat and other support channels and monitor them for malware indicators.
6) Run endpoint detection and response (EDR) on support staff devices so that a RAT delivered through a ticket is detected and blocked.
7) Regularly audit Zendesk account activity and permissions to identify unauthorized access quickly.
8) Work with domain registrars and threat intelligence providers to stay informed on emerging typosquatting campaigns.
9) Segment the network so that a compromised support workstation cannot reach other critical systems.
10) Maintain an incident response plan that specifically covers SaaS platform compromise and phishing campaigns against customer service teams.
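A triage pass over newly created tickets, the check that the fraudulent-ticket vector in Technical Analysis and items 3, 4 and 6 above call for, as an added example; it is not Zendesk's or AlienVault's code. The ticket records are constructed to resemble the shape of a Zendesk ticket with attachments (subject, description, requester, file_name, content_type) but are not real API output; the extension lists, the trusted-domain allow-list, the two-label registrable-domain shortcut and the review threshold are assumptions.

```python
"""Triage inbound support tickets for RAT-delivery lures.

Added example for this page, not Zendesk's or AlienVault's code. The ticket
records are constructed to resemble a Zendesk ticket with attachments but are
not real API output; extension lists, trusted domains and the review
threshold are assumptions.
"""
import re
from urllib.parse import urlparse

EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "hta", "msi", "lnk", "bat", "cmd", "ps1", "iso", "img"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
TRUSTED_LINK_DOMAINS = {"zendesk.com", "example-corp.com"}      # assumption
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)
PRESSURE_RE = re.compile(r"\b(urgent|immediately|asap|suspended|locked|overdue)\b", re.I)
REVIEW_THRESHOLD = 2   # reasons needed before a ticket is held for manual review


def _ext(file_name: str) -> str:
    return file_name.lower().rsplit(".", 1)[-1] if "." in file_name else ""


def _registrable(host: str) -> str:
    # Two-label shortcut; use the public suffix list in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def score_ticket(ticket: dict) -> list:
    """Return the list of reasons this ticket looks like a lure (empty if clean)."""
    reasons = []
    text = f"{ticket.get('subject', '')}\n{ticket.get('description', '')}"
    for att in ticket.get("attachments", []):
        name = att.get("file_name", "")
        ext = _ext(name)
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")
        elif ext in ARCHIVE_EXT:
            reasons.append(f"archive attachment: {name}")
        # a file named .pdf whose declared MIME type is not a PDF
        declared = att.get("content_type", "")
        if ext == "pdf" and declared and declared != "application/pdf":
            reasons.append(f"content-type mismatch: {name} is {declared}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if _registrable(host) not in TRUSTED_LINK_DOMAINS:
            reasons.append(f"external link: {host}")
    if PRESSURE_RE.search(text):
        reasons.append("pressure language")
    if ticket.get("requester_is_new"):
        reasons.append("first-time requester")
    return reasons


def triage(tickets) -> list:
    """Return (subject, reasons) for tickets that meet the review threshold."""
    held = []
    for t in tickets:
        reasons = score_ticket(t)
        if len(reasons) >= REVIEW_THRESHOLD:
            held.append((t.get("subject", ""), reasons))
    return held


# Constructed tickets; the link domain in the lure is one of the page's IOCs.
LURE_TICKET = {
    "subject": "URGENT: invoice dispute, account will be suspended",
    "description": "Open the attached invoice and confirm at https://vpn-zendesk.com/login",
    "requester_is_new": True,
    "attachments": [{"file_name": "invoice_2025-11.pdf.exe",
                     "content_type": "application/x-msdownload"}],
}
BENIGN_TICKET = {
    "subject": "Cannot reset my password",
    "description": "The link in https://support.zendesk.com/hc/en-us/requests/new does not work.",
    "requester_is_new": False,
    "attachments": [{"file_name": "screenshot.png", "content_type": "image/png"}],
}

if __name__ == "__main__":
    for subject, reasons in triage([BENIGN_TICKET, LURE_TICKET]):
        print(subject, "->", "; ".join(reasons))
```

Held tickets should be routed to a queue whose agents open attachments only in an isolated environment; the reasons list is what the agent, and later the responder, need to see alongside the ticket.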


Technical Details

Author: AlienVault
TLP: white
References: https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk
Adversary: Scattered Lapsus$ Hunters
Pulse Id: 69285c7359cfa7557887ab88
Threat Score: null

Indicators of Compromise

Domain

Value
vpn-zendesk.com
znedesk.com

Threat ID: 69289abfb57256b0ceacaf2a

Added to database: 11/27/2025, 6:38:55 PM

Last enriched: 11/27/2025, 6:49:05 PM

Last updated: 12/4/2025, 11:40:29 PM

Views: 153
