Facilitating Phishing and Pig Butchering Activities using Zendesk Infrastructure [Bait & Switch Mode]

Phishing campaigns and "pig butchering" scams have increasingly exploited Zendesk's SaaS infrastructure, leveraging its free trial subdomains to mimic legitimate brands and deceive unsuspecting users. By registering subdomains with brand-like names, attackers create authentic-looking interfaces to facilitate phishing, data theft, and financial fraud. This misuse is compounded by B2B marketing tools that assist in gathering employee emails, and by Zendesk's lack of email verification for ticket assignments, which allows phishing emails to bypass spam filters. To mitigate these risks, organizations must implement proactive measures such as blacklisting unknown Zendesk instances, utilizing detection tools like XVigil, and educating employees about phishing tactics.

January 20, 2025 | Green Alert
Last update posted on January 20, 2025
Author: Noel Varghese

Analyst Note:
This report is being circulated strictly as an advisory, to raise organizations' awareness; it will help in future only if the newly registered impersonating domains are blocked or taken down. Action against any unrecognized Zendesk instance should be taken at the organization's own discretion, and only after thorough checks confirming that customer-facing operations will not be disrupted.

Executive Summary

Zendesk allows a user to sign up for a free trial of its SaaS platform, which includes registering a subdomain that could be misused to impersonate a target. Several clients have been alerted to such suspicious domains in the past 6 months through XVigil's Fake URLs & Phishing submodule. These subdomains have combined keywords related to the impersonated brand's name with a string of numbers, so as to appear legitimate to unsuspecting users.

In this report, however, we explore how these Zendesk domains could be used as bait for facilitating investment scams through pig butchering. Note that we have not observed active campaigns using this method; it is an attack technique that we wanted to explore and demonstrate.

Analysis

Since 2023, XVigil has captured 1,912 instances of Zendesk websites, based on client keyword matches. While there are cases of legitimate instances being used by corporations to communicate with customers, more often than not we have seen 5 or more instances registered for a single company at various points in time. A breakdown by industry is provided below for context.

Figure 1 - Pie Chart of breakdown of Zendesk Instances by Industry

Demonstration of a possible phishing attack against XYZ Company, using Zendesk as infrastructure and aided by another fake domain propagating pig butchering scams

1. A user signs up on Zendesk under the pretense of registering a URL that mimics the target company. The details Zendesk requests upon registration are:

  • Working Email Address
  • Name
  • Company Size

2. Once the details are provided, the user is prompted to name the Zendesk instance, allowing an actor to choose a subdomain that resembles the target company.

Figure 2 - Screen asking the user to select a subdomain name

Figure 3 - Email Verification Email

3. After registering the subdomain (in CloudSEK's demonstration case), the landing page appeared as follows:

Figures 4 & 5 - Splash screen edited by a CloudSEK analyst to create a Zendesk subdomain impersonating Acme Corporation

4. Upon registering the subdomain, the registrant has admin access to it and can add people to the portal as end users; doing so sends them an invitation mail.

Figure 6 - Zendesk form to invite user

Figure 7 - Invitation Mail that was received on a Gmail Account used for demonstration purposes

5. Threat actors will then test the waters after sending the invitation mail, and may link active phishing pages under the pretense of assigning tickets to the invited user.

Figure 8 - Linking a phishing page using an image screengrab. A ticket was assigned to the demo account, with social engineering keywords requesting prompt attention

6. With B2B marketing tools such as RocketReach, Apollo and other sales intelligence platforms, it has become easy to scour for employee email IDs belonging to an organization. Combined with bait pushed by threat actors who sense the potential for a successful phish, this makes Zendesk-hosted phishing pages appear legitimate to the common user.

Zendesk does not verify email addresses when inviting users, which means that any arbitrary account can be added as a member. Phishing pages can then be sent in the guise of tickets assigned to that email address.

In the screenshots below, a disposable email address was added to the members list as a Zendesk ticket recipient (end user). The address received the phishing page under the guise of a ticket assignment.

Figures 9 & 10 - Zendesk member list and received email

Observations:

  • All email correspondence (tickets) lands in the Primary Inbox instead of being marked as spam. This is worrisome, as employees can mistake orchestrated campaigns of a similar vein for communication from a trusted authority, such as their place of employment. There are different variants of orchestrating the scam using the same yarn; this is just one scenario we wanted to demonstrate.
  • Email reputation: since Google treats all Zendesk-related correspondence as trustworthy, these messages land in the Primary Inbox. Additionally, tickets can be assigned to both corporate and non-corporate email accounts (meaning that no validation is carried out), so anyone can be sent mail from the attacker-controlled Zendesk domain.

Figure 11 - Personalizing the Zendesk Help Center page, which further lends authenticity to the scam orchestration

Impact:

  • Data Theft and Financial Loss: Phishing campaigns targeting Zendesk users can lead to credential theft, unauthorized access to customer information, and potential financial loss, especially if phishers gain access to sensitive customer data through fake Zendesk forms or impersonated support agents.
  • Legal and Compliance Risks: Companies impacted by phishing attacks, especially in regulated industries, may face legal liabilities and compliance penalties if customer data is exposed or mishandled through phishing channels impersonating Zendesk.

Recommendations:

  • Blacklist unknown Zendesk instances: this prevents employees from accessing any Zendesk-based login page impersonating companies.
  • Use XVigil's Fake URLs & Phishing submodule: XVigil has helped detect and alert on attempts to register Zendesk subdomains impersonating companies. Vigilance and constant triaging of alerts from the submodule, together with proactive takedown activities, help avert incidents.
  • Customer awareness and education: educating employees about common phishing tactics, and warning them as campaigns appear, reduces the likelihood of them falling for phishing emails impersonating customer support or investment schemes.
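As an added defensive example (not code from this advisory, CloudSEK or Zendesk), the following Python sketch implements the first recommendation: it extracts URLs from a ticket notification or proxy log line, lets through the organisation's own sanctioned Zendesk instances, and flags every other Zendesk subdomain, singling out brand-keyword matches as likely impersonation. The allowlist, brand keywords and mail body are constructed sample data.

```python
# Added example for this advisory (not CloudSEK's or Zendesk's code): flag
# Zendesk subdomains that borrow a brand name but are not sanctioned instances.
import re
from urllib.parse import urlparse

# Constructed: instances the organisation operates, and brand keywords an
# impersonating subdomain would borrow.
SANCTIONED_INSTANCES = {"acmecorp.zendesk.com", "acmecorp-help.zendesk.com"}
BRAND_KEYWORDS = ("acme", "acmecorp")

ZENDESK_HOST = re.compile(r"^(?P<sub>[a-z0-9-]+)\.zendesk\.com$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_host(host: str) -> str:
    """Return 'sanctioned', 'impersonation', 'unknown' or 'not-zendesk'."""
    host = host.lower().rstrip(".")
    m = ZENDESK_HOST.match(host)
    if not m:
        return "not-zendesk"
    if host in SANCTIONED_INSTANCES:
        return "sanctioned"
    # Advisory pattern: a brand keyword on an instance we do not operate,
    # typically padded with a string of digits (e.g. acmecorp-support4821).
    if any(k in m.group("sub") for k in BRAND_KEYWORDS):
        return "impersonation"
    return "unknown"


def scan_text(text: str) -> list[tuple[str, str]]:
    """Extract URLs (from a ticket e-mail body or a proxy log line) and
    return (host, verdict) for every Zendesk host not on the allowlist."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict in ("impersonation", "unknown"):
            findings.append((host, verdict))
    return findings


# Constructed sample ticket-notification body, as an employee would receive it.
SAMPLE_MAIL = """Ticket #4471 has been assigned to you. Action required today:
https://acmecorp-support4821.zendesk.com/agent/tickets/4471
Portal: https://acmecorp.zendesk.com/hc/en-us and https://randomhelp7731.zendesk.com/hc
"""

if __name__ == "__main__":
    for host, verdict in scan_text(SAMPLE_MAIL):
        print(f"{verdict:14s} {host}")
```

Feeding the output into a mail gateway or proxy blocklist gives the "blacklist unknown instances" control while keeping the organisation's own support portal reachable.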
