
Scattered Lapsus$ Hunters targeted Zendesk users through more than 40 fake domains designed to steal credentials and install malware, security researchers said.
The fake domains, registered over the past six months, had the same setup as the one used in the cybercrime group’s August attack on Salesforce, according to a blog post published this week by ReliaQuest researchers who discovered the campaign. This suggests that the group shifted its focus to Zendesk, a customer support platform used by over 100,000 organizations.
Some domains, like znedesk[.]com and vpn-zendesk[.]com, hosted fake login pages that looked like real Zendesk sign-on screens, ReliaQuest said. Others incorporated company names in the web address to make the sites appear legitimate. “We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links,” the researchers wrote.
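A defender-side triage check for the two lookalike patterns described above, as an added example that is not from ReliaQuest or the original article. It assumes zendesk.com is the legitimate parent domain; every sample host other than the two named in the article is constructed, and the function names are hypothetical.

```python
import re

BRAND = "zendesk"
LEGIT_PARENT = "zendesk.com"  # assumption: the vendor's real parent domain

def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent-letter swap as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition case, e.g. "ne" written for "en"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(host: str) -> str:
    """Label a hostname seen in proxy, DNS or mail-gateway logs."""
    host = host.lower().replace("[.]", ".").strip(".")  # accept defanged input
    if host == LEGIT_PARENT or host.endswith("." + LEGIT_PARENT):
        return "legitimate"
    tokens = [t for t in re.split(r"[.\-]", host) if t]
    if BRAND in tokens:
        return "brand-embedded"   # brand used as a label or hyphenated part
    if any(osa_distance(t, BRAND) == 1 for t in tokens):
        return "typosquat"        # one typo or swap away from the brand
    if BRAND in host:
        return "brand-embedded"   # brand glued to other text, no separator
    return "unrelated"

# First two hosts are quoted in the article; the rest are constructed samples.
SAMPLES = ["znedesk[.]com", "vpn-zendesk[.]com", "acme.zendesk.com",
           "zendesk.com.login.example", "acmezendesk.example", "example.org"]

def triage(hosts):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, label in triage(SAMPLES).items():
        print(f"{label:15} {host}")
```

Anything labelled typosquat or brand-embedded is a candidate for review or blocking, not a verdict: third-party integrations can legitimately carry a vendor's name in their own hostnames.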
