This report serves as an advisory to organizations regarding the misuse of Zendesk’s platform for creating subdomains that impersonate legitimate companies, potentially facilitating investment scams. The analysis highlights how these domains can be exploited for phishing attacks, particularly through a technique known as Pig Butchering. Organizations are urged to block or take down suspicious domains to prevent disruptions. Affected: Zendesk
Keypoints :
- Zendesk allows users to create subdomains, which can be misused for impersonation.
- 1,912 instances of Zendesk websites have been captured, often mimicking legitimate companies.
- Phishing attacks can be facilitated through impersonated Zendesk instances.
- Threat actors can register subdomains that closely resemble target companies.
- Zendesk does not validate email addresses for user invitations, increasing the risk of phishing.
- Phishing emails can bypass spam filters, landing directly in the primary inbox of employees.
- Data theft and financial loss are significant risks associated with these phishing campaigns.
- Legal and compliance risks may arise for companies affected by these attacks.
- Recommendations include blacklisting unknown Zendesk instances and educating employees on phishing tactics.
MITRE Techniques :
- Phishing (T1566): Threat actors create fraudulent Zendesk subdomains to impersonate legitimate companies and send phishing emails.
- Credential Dumping (T1003): Phishing campaigns targeting Zendesk users can lead to credential theft.
- Data Encrypted for Impact (T1486): Phishing attacks can result in unauthorized access to sensitive customer data.
Indicator of Compromise :
- [domain] zendesk-impersonation-example.com
- [url] http://fake-zendesk-portal.com
- [email] phishing@example.com
- [file name] fake_ticket.pdf
- [tool name] XVigil
- Check the article for all found IoCs.
Full Research: https://www.cloudsek.com/blog/facilitating-phishing-and-pig-butchering-activities-using-zendesk-infrastructure-bait-switch-mode