{"id":66811,"date":"2025-01-22T15:10:59","date_gmt":"2025-01-22T15:10:59","guid":{"rendered":"https:\/\/www.cxtoday.com\/?p=66811"},"modified":"2025-01-23T14:44:39","modified_gmt":"2025-01-23T14:44:39","slug":"zendesks-saas-solutions-are-being-exploited-by-phishing-pig-butchering-scams","status":"publish","type":"post","link":"https:\/\/www.cxtoday.com\/crm\/zendesks-saas-solutions-are-being-exploited-by-phishing-pig-butchering-scams\/","title":{"rendered":"Zendesk\u2019s Infrastructure Is Being Exploited by Phishing & \u201cPig Butchering\u201d Scams"},"content":{"rendered":"

A new study has claimed that Zendesk\u2019s SaaS infrastructure is being targeted by scammers and hackers. <\/span>\u00a0<\/span><\/p>\n

Produced by CloudSek, the study claims that bad actors are using Zendesk\u2019s SaaS free trial offer to imitate genuine brands in an attempt to mislead unsuspecting users.<\/span>\u00a0<\/span><\/p>\n

In particular, CloudSek believes that the vendor is susceptible to phishing campaigns.<\/span>\u00a0<\/span><\/p>\n

In a nutshell, attackers are using the free trial to register brand-like subdomains to create convincing interfaces for phishing, data theft, and financial fraud.<\/span>\u00a0<\/span><\/p>\n

Targeted subdomains combine the impersonated brand\u2019s name with numbers to appear legitimate to users.<\/span>\u00a0<\/span><\/p>\n

The report states that there have been several reported cases of Zendesk clients being targeted by suspect domains in the past six months.<\/span>\u00a0<\/span><\/p>\n

While this is clearly an area of concern for the vendor, CloudSek posits that the fake domains could also be used to deploy “pig butchering” scams, as explained by the report author, <\/span>Noel Varghese.<\/p>\n

Pig Butchering<\/h2>\n

Named after the practice of fattening a pig before slaughter, pig butchering scams involve fraudsters building trust with random targets before tricking them into fake investments and disappearing with their money.<\/span>\u00a0<\/span><\/p>\n

While the report was keen to emphasize that, to the best of the firm\u2019s knowledge,\u00a0Zendesk has not currently been impacted by any scams of this kind, CloudSek believes that the free trial weakness makes the SaaS provider vulnerable. <\/span>\u00a0<\/span><\/p>\n

In exploring the possibility, CloudSek provided a demonstration of how a potential phishing attack targeting XYZ Company could exploit Zendesk as an infrastructure platform and leverage fake domains to propagate pig butchering scams. <\/span>\u00a0<\/span><\/p>\n

Below is a brief summary of how the scam could work in practice:<\/span>\u00a0<\/span><\/p>\n

    \n
  1. Zendesk Account Setup:<\/span><\/b> The attacker registers a Zendesk account using a subdomain that mimics the target company\u2019s name.<\/span>\u00a0<\/span><\/li>\n
  2. Fake Subdomain Creation:<\/span><\/b> Admin access allows the attacker to invite users and send phishing emails disguised as legitimate ticket notifications.<\/span>\u00a0<\/span><\/li>\n
  3. Phishing Setup:<\/span><\/b> Invitations include links to phishing pages pretending to be support tickets.<\/span>\u00a0<\/span><\/li>\n
  4. Data Collection:<\/span><\/b> Tools like RocketReach help gather employee email addresses, targeting specific users for phishing.<\/span>\u00a0<\/span><\/li>\n
  5. Exploitation:<\/span><\/b> Zendesk\u2019s lack of email verification enables attackers to send phishing links to any added email address.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

    In this hypothetical example, a disposable email address was added as a member to the Zendesk portal, which received a phishing page masquerading as a legitimate support ticket assignment. <\/span>\u00a0<\/span><\/p>\n

    This demonstrates how easily Zendesk\u2019s infrastructure can be misused for phishing attacks when proper safeguards are not in place.<\/span>\u00a0<\/span><\/p>\n

    Observations and Recommendations \u00a0<\/span><\/h2>\n

    First and foremost, the fact that all\u00a0email correspondence (tickets) from attacker-controlled Zendesk domains lands in the Primary Inbox instead of being marked as spam, poses a significant risk.<\/span>\u00a0<\/span><\/p>\n

    As demonstrated above, this can lead to employees mistaking these phishing campaigns for legitimate communication from their organization.<\/span>\u00a0<\/span><\/p>\n

    In addition, tickets can be assigned to both corporate and non-corporate email accounts without validation, allowing attackers to target anyone with emails from the spoofed Zendesk domain.<\/span>\u00a0<\/span><\/p>\n

    In order to combat this threat, the report recommends the following:<\/span>\u00a0<\/span><\/p>\n