Revealed: Typosquatted Domains Associated with Suspected Ransomware Attacks

Security researchers have identified more than 40 typosquatted domains that imitate legitimate Zendesk URLs, and they have linked the infrastructure to the hacking group known as Scattered Lapsus$ Hunters. According to a report from ReliaQuest, the domains were registered over the past six months and are primarily intended for credential phishing: they host fraudulent single sign-on portals designed to capture employees' authentication credentials.
The domains under scrutiny, such as znedesk.com and vpn-zendesk.com, exhibit deliberate similarities to official Zendesk environments: the first swaps two adjacent characters in the brand name, a common typing error, while the second pairs the brand with a keyword ("vpn") that a user would expect to see on a corporate login portal. Such patterns indicate a methodical approach to deceiving users and gaining unauthorized access to sensitive data. Based on the observed tactics, the researchers assert that this campaign against Zendesk users aligns with prior activity attributed to Scattered Lapsus$ Hunters, who had targeted the Salesforce platform only months earlier.
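The two patterns above (an adjacent-character transposition and a keyword glued onto the brand) are exactly what a brand-monitoring check can look for in newly registered domains. The following is an added example, not ReliaQuest's tooling or anything from the report: it scores candidate domains against a protected brand using an optimal-string-alignment edit distance (which counts a transposition as one edit) plus a constructed list of login-related keywords. The brand, keyword list, allow-list and sample domains are all assumptions constructed for the illustration; the two domains named in the article are included among the samples, and a real deployment would replace the naive suffix handling with a public-suffix list.

```python
"""Flag registrable domains that look like typosquats of a protected brand.

Added illustration only. BRAND, LEGITIMATE, KEYWORDS and SAMPLE_DOMAINS are
constructed for this example; znedesk.com and vpn-zendesk.com come from the
article, the rest are made up.
"""
from __future__ import annotations

BRAND = "zendesk"
LEGITIMATE = {"zendesk.com"}  # constructed allow-list of the brand's real domains
# Keywords a victim expects on a corporate login page (constructed list).
KEYWORDS = ("vpn", "sso", "login", "okta", "help", "support", "mfa", "auth")


def registrable_domain(domain: str) -> str:
    """Return the last two labels: 'support.vpn-zendesk.com' -> 'vpn-zendesk.com'.
    Assumes a one-label public suffix; use a public-suffix list in production."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, and
    adjacent transposition each cost 1, so 'znedesk' is 1 edit from 'zendesk'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brand: str = BRAND) -> str | None:
    """Return a reason string if `domain` looks like a squat on `brand`, else None."""
    reg = registrable_domain(domain)
    if reg in LEGITIMATE:
        return None
    label = reg.split(".")[0]
    if label == brand:
        return "brand on unexpected registrable domain"
    # Keyword combinations: vpn-zendesk, zendesk-sso, zendesklogin, ...
    for kw in KEYWORDS:
        for combo in (f"{kw}-{brand}", f"{brand}-{kw}", f"{kw}{brand}", f"{brand}{kw}"):
            if label == combo:
                return f"brand combined with keyword '{kw}'"
    if damerau_levenshtein(label, brand) == 1:
        return "single-edit variant of brand (typo, omission, transposition)"
    if brand in label:
        return "brand embedded in longer label"
    return None


def scan(domains: list[str]) -> dict[str, str]:
    """Map each suspicious domain to the reason it was flagged."""
    return {d: reason for d in domains if (reason := classify(d)) is not None}


# Constructed sample feed, e.g. from a newly-registered-domain list.
SAMPLE_DOMAINS = [
    "znedesk.com",               # from the article
    "vpn-zendesk.com",           # from the article
    "zendesk.com",               # legitimate, allow-listed
    "support.zendesk.com",       # legitimate subdomain
    "zendesk.dev",               # constructed: brand on another TLD
    "zendesk-support-portal.com",  # constructed
    "example.com",               # constructed, unrelated
]

if __name__ == "__main__":
    for dom, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:30} {reason}")
```

The keyword check runs before the edit-distance check on purpose: "vpn-zendesk" is four edits from "zendesk" and would never trip a distance threshold, yet it is the more convincing lure for a user looking for a login page. The output is a triage list, not a verdict; a flagged domain still needs to be checked for a live SSO-lookalike page before it is blocked or reported.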
This loosely organized cybercrime collective, made up mostly of young hackers predominantly from Western countries, has demonstrated a knack for social engineering. Their techniques include manipulating help desk personnel into resetting passwords and bypassing multi-factor authentication controls, which then grants them entry into victims' environments. In past campaigns, these hackers have breached customer data repositories; most notably, their theft of OAuth tokens from Salesloft gave them access to Salesforce data belonging to 760 different firms that used the integration.
Recently, a faction of the group known as Shiny Hunters has claimed responsibility for additional data theft from Salesforce, this time via the customer data management tool Gainsight, where up to 300 organizations were reportedly impacted. A member of the collective stated on November 5 that several major initiatives are currently underway, suggesting a renewed and potentially broader assault on various platforms.
Additionally, past incidents targeting Zendesk customers have been reported, most notably by Arda Büyükkaya, a cyber threat intelligence analyst. He revealed that 600 domains registered under the .dev top-level domain were utilizing typosquatting tactics to impersonate customer support portals for well-known brands, including Cloudflare and Zendesk. The primary objective, as he noted, is to gain remote access to harvest sensitive information, ultimately paving the way for account takeovers and financial fraud.
The contents of these fraudulent sites appear to be AI-generated, and they feature live chat interfaces staffed by operators who solicit victims' personal details under the guise of providing technical support. The interaction often culminates in an attempt to talk the victim into installing legitimate remote monitoring and management (RMM) software, which gives the attackers extensive access to the compromised device.
The incidents involving Zendesk follow closely on the heels of reports of a breach at Discord, which allegedly included access to a Zendesk-based support system. There, the hackers claimed to have stolen sensitive user data, further amplifying concerns about the exposure of customer support platforms.
Given these findings, ReliaQuest posits that the newly uncovered infrastructure related to Zendesk could be a component of ongoing campaigns carried out by Scattered Lapsus$ Hunters. Organizations are advised to remain vigilant against impending attacks aimed at CRM and customer support systems, expecting a surge of activity in the forthcoming months.
In light of these developments, businesses should map this activity to the MITRE ATT&CK framework, focusing on the Initial Access (TA0001) and Credential Access (TA0006) tactics, since the campaign relies on phishing for credentials and on social engineering of help desks rather than on software exploits. Understanding these tactics helps organizations prioritize the controls that matter here: phishing-resistant MFA, strict identity verification for help desk password and MFA resets, and monitoring for lookalike domains.