A new study has claimed that Zendesk’s SaaS infrastructure is being targeted by scammers and hackers.
Produced by CloudSek, the study claims that bad actors are using Zendesk’s SaaS free trial offer to imitate genuine brands in an attempt to mislead unsuspecting users.
In particular, CloudSek believes that the vendor is susceptible to phishing campaigns.
In a nutshell, attackers are using the free trial to register brand-like subdomains to create convincing interfaces for phishing, data theft, and financial fraud.
Targeted subdomains combine the impersonated brand’s name with numbers to appear legitimate to users.
The report states that there have been several reported cases of Zendesk clients being targeted by suspect domains in the past six months.
While this is clearly an area of concern for the vendor, CloudSek posits that the fake domains could also be used to deploy “pig butchering” scams, as explained by the report author, Noel Varghese.
Pig Butchering
Named after the practice of fattening a pig before slaughter, pig butchering scams involve fraudsters building trust with random targets before tricking them into fake investments and disappearing with their money.
While the report was keen to emphasize that, to the best of the firm’s knowledge, Zendesk has not currently been impacted by any scams of this kind, CloudSek believes that the free trial weakness makes the SaaS provider vulnerable.
In exploring the possibility, CloudSek provided a demonstration of how a potential phishing attack targeting XYZ Company could exploit Zendesk as an infrastructure platform and leverage fake domains to propagate pig butchering scams.
Below is a brief summary of how the scam could work in practice:
- Zendesk Account Setup: The attacker registers a Zendesk account using a subdomain that mimics the target company’s name.
- Fake Subdomain Creation: Admin access allows the attacker to invite users and send phishing emails disguised as legitimate ticket notifications.
- Phishing Setup: Invitations include links to phishing pages pretending to be support tickets.
- Data Collection: Tools like RocketReach help gather employee email addresses, targeting specific users for phishing.
- Exploitation: Zendesk’s lack of email verification enables attackers to send phishing links to any added email address.
In this hypothetical example, a disposable email address was added as a member to the Zendesk portal, which received a phishing page masquerading as a legitimate support ticket assignment.
This demonstrates how easily Zendesk’s infrastructure can be misused for phishing attacks when proper safeguards are not in place.
Observations and Recommendations
First and foremost, the fact that all email correspondence (tickets) from attacker-controlled Zendesk domains lands in the Primary Inbox instead of being marked as spam poses a significant risk.
As demonstrated above, this can lead to employees mistaking these phishing campaigns for legitimate communication from their organization.
In addition, tickets can be assigned to both corporate and non-corporate email accounts without validation, allowing attackers to target anyone with emails from the spoofed Zendesk domain.
In order to combat this threat, the report recommends the following:
- Blacklist Unknown Zendesk Instances: Restrict access to unverified Zendesk login pages to prevent employees from interacting with impersonated company domains.
- Leverage XVigil’s Detection Tools: Use XVigil’s Fake URLs & Phishing Submodule to identify and alert on suspicious Zendesk subdomains impersonating companies. Proactive monitoring and takedown activities can help prevent incidents.
- Employee Awareness and Training: Educate employees about phishing tactics and warn them against scams posing as customer support or investment schemes to reduce the risk of successful attacks.
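As an added illustration of the first two recommendations (this is example code written for this article, not part of the CloudSek report or the XVigil product), the following triage helper classifies Zendesk hostnames seen in email links or proxy logs: known-good instances come from an allowlist, and subdomains that pad a protected brand name with digits or hyphens, the pattern the report describes, are flagged as suspicious. The brand names and approved instances are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (assumed values, not from the report): brands to
# protect and the Zendesk instances those brands are known to operate.
PROTECTED_BRANDS = {"xyzcompany", "acmebank"}
APPROVED_INSTANCES = {"xyzcompany.zendesk.com", "acmebank-support.zendesk.com"}

# Only first-level subdomains of zendesk.com are considered here.
ZENDESK_HOST = re.compile(r"^(?P<sub>[a-z0-9-]+)\.zendesk\.com$")


def normalize_host(url_or_host):
    """Accept a bare hostname or a full URL and return a lowercase hostname."""
    s = url_or_host.strip().lower()
    if "//" not in s:
        s = "//" + s  # let urlsplit treat a bare host as a netloc
    return urlsplit(s).hostname or ""


def classify_zendesk_host(url_or_host, brands=PROTECTED_BRANDS,
                          approved=APPROVED_INSTANCES):
    """Return one of 'approved', 'suspicious', 'unknown', 'not-zendesk'.

    'suspicious' means a zendesk.com subdomain that embeds a protected brand
    name once digits and hyphens are stripped, but is not an approved instance.
    """
    host = normalize_host(url_or_host)
    m = ZENDESK_HOST.match(host)
    if not m:
        return "not-zendesk"
    if host in approved:
        return "approved"
    # Drop the padding characters so "xyz-company2024" reduces to "xyzcompany".
    stripped = re.sub(r"[\d-]", "", m.group("sub"))
    if any(brand in stripped for brand in brands):
        return "suspicious"
    return "unknown"


def is_allowed(url_or_host):
    """Gateway policy from the report's first recommendation: only approved
    Zendesk instances may be reached; unknown and look-alike ones are blocked."""
    return classify_zendesk_host(url_or_host) in ("approved", "not-zendesk")


def triage(hosts):
    """Classify a batch of hostnames/URLs, e.g. link targets from mail logs."""
    return {h: classify_zendesk_host(h) for h in hosts}
```
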
A Worrying Trend
From a customer service and experience perspective, the danger is that scammers could gain unauthorized access to sensitive customer data through fake Zendesk forms or impersonated support agents, which could lead to data breaches and financial losses.
Interestingly, the CloudSek report follows another Zendesk vulnerability that was revealed back in October of last year.
Exploited by a 15-year-old ethical hacker named Daniel through HackerOne, the weakness allowed him to access multiple customer support tickets and expose sensitive customer data.
The security flaw once again involved Zendesk’s email system, which proved to be vulnerable to email spoofing.
The simplicity of the exploit is particularly concerning for Zendesk and its users.
Attackers only needed the support email address and a predictable ticket ID to exploit the vulnerability.
By spoofing the original requestor’s email and copying themselves in, they gained unauthorized access to support tickets.
The lack of spoofing protection allowed attackers to bypass single sign-on security and access sensitive customer information in active support conversations.
It is important to note once more that there are no reported examples of Zendesk having been targeted by pig butchering.
However, the ethical hacker breach and the report being released within the space of four months outline a worrying trend that Zendesk will undoubtedly be looking to correct.