CloudSEK Warns of Scammers Exploiting Zendesk to Impersonate Brands
Posted: Tuesday, Jan 21

BENGALURU: CloudSEK, a leader in AI-powered cybersecurity solutions, has uncovered how cybercriminals can exploit a seemingly simple feature of Zendesk's SaaS platform.

CloudSEK's latest research highlights how Zendesk subdomain registrations could be misused to impersonate legitimate brands and facilitate phishing and investment scams, putting businesses and users at risk.

Zendesk, a popular platform offering free trial accounts, allows users to register subdomains. While this feature helps businesses quickly set up customer support systems, CloudSEK's research reveals how threat actors can weaponize this functionality. By mimicking legitimate brands, malicious actors can launch convincing phishing campaigns to steal sensitive information and manipulate victims into financial scams. Zendesk has been informed of the flaw and its potential for misuse, following CloudSEK's responsible disclosure policy. (For More Information, Read Full Report)

How Zendesk Subdomains Could Fuel Investment Scams

The report dives into how threat actors can use Zendesk subdomains as part of elaborate "pig butchering" scams, a form of investment fraud in which victims are groomed over time to invest in fraudulent schemes.

A CloudSEK researcher demonstrated, step by step, how Zendesk subdomains can be used as bait in a pig-butchering investment scam. Here's how it works:

  1. Creating a Fake Subdomain: Cybercriminals register a Zendesk subdomain that mimics a legitimate company. The platform's lenient verification allows users to set up subdomains resembling trusted brands with little effort.
  2. Sending Phishing Emails: Threat actors use Zendesk's own features to send phishing emails disguised as legitimate customer-support communications. In the demonstration, an image hyperlinked to a phishing page was sent to the target through a Zendesk ticket.
  3. Building Trust: The professional appearance of Zendesk's tooling leads victims to believe the emails come from a legitimate source. All ticket correspondence landed in the Primary inbox rather than being marked as spam.
  4. Triggering the Scam: The hyperlinked image directed victims to fake investment platforms or support pages, where attackers can manipulate them into transferring money or sharing sensitive details. (For More Information, Read Full Report)

CloudSEK's analysis uncovered that Zendesk does not perform thorough email validation when adding users to subdomains. This oversight allows attackers to target employees or customers with phishing attempts masked as legitimate ticket assignments.

Sample email from the report, showing that the targeted email address received the image hyperlinked to the phishing page. The email arrived under the guise of a ticket assignment.

Key Findings from the Report

  • Massive Reach: Since 2023, CloudSEK's XVigil platform has identified 1,912 suspicious Zendesk subdomains linked to potential phishing and impersonation attempts.
  • Trust Misuse: Zendesk's email reputation with providers such as Gmail means phishing emails sent via its domains often bypass spam filters and land directly in victims' primary inboxes.
  • Ease of Customization: Attackers can easily tailor Zendesk subdomains and portals to closely resemble legitimate company pages, enhancing the credibility of their scams.

Why This Matters

This issue isn't just about technology; it's about trust. People trust the brands they interact with online, and platforms like Zendesk are integral to that trust. However, when these platforms are exploited, the consequences can be devastating:

  • Financial Loss: Victims of phishing campaigns could lose money directly or through investment scams.
  • Data Breaches: Employees and customers could inadvertently expose sensitive information, leading to larger breaches.
  • Brand Damage: Companies impersonated in these attacks may suffer reputational harm, losing the trust of their customers.

What Can Be Done

CloudSEK's experts emphasize the importance of staying vigilant. Here are their top recommendations:

  1. Blacklist Suspicious Subdomains: Organizations should restrict access to unknown Zendesk subdomains and implement robust URL monitoring tools.
  2. Use Advanced Threat Detection Tools: CloudSEKโ€™s XVigil platform helps businesses detect and respond to phishing domains impersonating their brand, enabling swift takedowns and reducing risks.
  3. Educate Employees and Customers: Awareness is key. Companies should regularly train employees and customers on identifying phishing attempts and verifying the authenticity of links.
  4. Enforce Verification Protocols: Zendesk and similar platforms should implement stricter verification processes to ensure only legitimate users can create subdomains.
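As an added illustration (not code from CloudSEK's report or from Zendesk), the following Python script implements the two checks a defender would want from the attack chain described above and from recommendation 1: flag *.zendesk.com hostnames whose label contains, or is a near-typo of, a protected brand name, and, for a ticket-style email, flag clickable images whose links lead away from the hosts the brand actually controls. The brand names, the trusted hosts and the sample message are constructed for this example; Zendesk's real notification format is not modelled.

```python
"""Added example: triage Zendesk-hosted brand impersonation.
Check 1: a *.zendesk.com label that contains or closely resembles a protected brand.
Check 2: a ticket-style e-mail whose clickable images link off the brand's own hosts.
Brands, trusted hosts and the sample e-mail are constructed; not Zendesk/CloudSEK data.
"""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_BRANDS = ("acmebank", "acmepay")                       # hypothetical brands
TRUSTED_HOSTS = frozenset({"acmebank.com", "acmebank.zendesk.com"})  # hypothetical legit hosts

# Digit/symbol look-alikes folded back to letters before comparison.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(label):
    """Lower-case, fold look-alike characters and drop separators."""
    return label.lower().translate(_HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance; catches one-character typos such as 'acmebnk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(host, brands=PROTECTED_BRANDS, trusted=TRUSTED_HOSTS):
    """Return the brand a *.zendesk.com host impersonates, or None."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return None                                  # the brand's own help centre
    m = re.fullmatch(r"([a-z0-9-]+)\.zendesk\.com", host)
    if not m:
        return None                                  # not a Zendesk subdomain
    label = normalize(m.group(1))
    for brand in brands:
        b = normalize(brand)
        if b in label:                               # acmebank-support, acme-b4nk-help
            return brand
        if levenshtein(label, b) <= max(1, len(b) // 5):   # acmebnk
            return brand
    return None


class _LinkedImages(HTMLParser):
    """Collect hrefs of <a> elements that wrap an <img> (the clickable banner)."""
    def __init__(self):
        super().__init__()
        self._href = None
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.hrefs.append(self._href)
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def offsite_image_links(html, trusted=TRUSTED_HOSTS):
    """Clickable-image links whose host is neither a trusted host nor a subdomain of one."""
    p = _LinkedImages()
    p.feed(html)
    flagged = []
    for href in p.hrefs:
        dest = (urlparse(href).hostname or "").lower()
        ok = any(dest == t or dest.endswith("." + t) for t in trusted)
        if dest and not ok:
            flagged.append(href)
    return flagged


def triage_ticket_email(raw, brands=PROTECTED_BRANDS, trusted=TRUSTED_HOSTS):
    """Apply both checks to one raw RFC 5322 message and report the findings."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    html = ""
    for part in msg.walk():                          # first text/html part, if any
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            html = payload.decode(part.get_content_charset() or "utf-8", "replace")
            break
    return {"sender_host": sender_host,
            "impersonates": impersonated_brand(sender_host, brands, trusted),
            "offsite_links": offsite_image_links(html, trusted)}


# Constructed ticket-assignment-style message; not a real Zendesk notification.
SAMPLE_EMAIL = """\
From: Acme Bank Support <support@acmebank-support.zendesk.com>
To: employee@example.com
Subject: [Request #4821] You have been assigned a ticket
Content-Type: text/html; charset=utf-8

<html><body>
<p>A ticket has been assigned to you. Click the banner to view it.</p>
<a href="https://acme-wealth-portal.example.net/invest"><img src="cid:banner"></a>
<a href="https://acmebank.com/help"><img src="cid:logo"></a>
</body></html>
"""

if __name__ == "__main__":
    print(triage_ticket_email(SAMPLE_EMAIL))
```

On the sample, the sender host is flagged as impersonating "acmebank" (the label contains the brand), and only the banner linking to acme-wealth-portal.example.net is reported; the link back to acmebank.com is allowed by the trusted-host list. In practice the brand list and trusted hosts would be loaded from the organisation's own inventory, and the subdomain check would run over passive DNS or certificate-transparency feeds rather than a single hostname.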

"Zendesk's subdomain flexibility, while convenient, can be a double-edged sword. Threat actors can misuse it to mimic trusted brands, making phishing attacks more convincing and damaging, leading to financial loss and a breach of trust for businesses and their customers," said Noel Varghese, Cybersecurity Researcher, CloudSEK.

About CloudSEK

CloudSEK is a contextual AI company that predicts cyber threats. Our cloud SaaS platform constantly seeks security solutions for our customers' digital risks.

To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com or drop a note to info@cloudsek.com
