
Scattered Lapsus$ Hunters Tied to Targeting of Zendesk Users

Cyberinchief by Cyberinchief
November 29, 2025


Uncovered: Typosquatted Domains Linked to Suspected Ransomware Group Campaign

Akshaya Asokan (asokan_akshaya) • November 28, 2025


A Western cybercrime collective largely comprised of teenagers, tied to disruptions of major firms, appears to be gearing up for a fresh round of large-scale attacks.


More than 40 “typosquatted and impersonating domains” have been discovered, designed to mimic legitimate Zendesk URLs, and which apparently trace to the hacking collective lately calling itself Scattered Lapsus$ Hunters, says a report from cybersecurity firm ReliaQuest.

The typosquatted domains have debuted over the last six months and lead to phishing pages that feature bogus single sign-on portals for Zendesk, designed to steal legitimate authentication credentials for accessing the customer service and sales platform. “These domains, such as znedesk.com or vpn-zendesk.com, are clearly designed to mimic legitimate Zendesk environments,” it said.
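For defenders who want to screen newly observed domains (DNS, proxy or certificate-transparency logs) for the two patterns quoted above, the following is an added example, not code from ReliaQuest or from the original article. It assumes `zendesk.com` is the only brand-owned registrable domain; the function names and every sample domain other than the two quoted in the article are constructed for illustration.

```python
import re

BRAND = "zendesk"                   # brand string from the article
LEGIT_SUFFIXES = ("zendesk.com",)   # assumption: domains the brand actually owns

def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]

def classify(domain: str) -> str:
    """Return 'legitimate', 'impersonating', 'typosquat' or 'unrelated'."""
    d = domain.lower().rstrip(".")
    # Only an exact match or a true subdomain of an owned domain is legitimate;
    # 'zendesk.com.login.example' must not pass this check.
    if any(d == s or d.endswith("." + s) for s in LEGIT_SUFFIXES):
        return "legitimate"
    tokens = [t for t in re.split(r"[.\-_]", d) if t]
    if any(BRAND in t for t in tokens):          # brand embedded, e.g. vpn-zendesk
        return "impersonating"
    if any(abs(len(t) - len(BRAND)) <= 1 and osa_distance(t, BRAND) <= 1
           for t in tokens):                     # one-edit lookalike, e.g. znedesk
        return "typosquat"
    return "unrelated"

def flag(domains):
    """Map each suspicious domain to its verdict, dropping clean ones."""
    verdicts = {d: classify(d) for d in domains}
    return {d: v for d, v in verdicts.items()
            if v in ("impersonating", "typosquat")}

# Constructed sample; the first two entries are the ones quoted in the article.
SAMPLE = ["znedesk.com", "vpn-zendesk.com", "acme.zendesk.com",
          "zendesk.com.login.example", "example.org"]

if __name__ == "__main__":
    for dom, verdict in flag(SAMPLE).items():
        print(f"{verdict:14} {dom}")
```

The check covers single-edit typos and embedded brand strings only; homoglyph and internationalized-domain lookalikes need separate normalization before comparison.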

Based on the tactics being used as well as focus, the researchers attribute the Zendesk user-targeting campaign to Scattered Lapsus$ Hunters.

“The elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August. The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains,” ReliaQuest said (see: Ransomware Group Debuts Salesforce Customer Data Leak Site).


The loosely knit cybercrime group is a spinoff of the collective known as “The Community” or “The Com,” and largely consists of adolescent hackers based in the West, experts say. Many of the group’s members – largely comprised of native English language speakers – have proven themselves to be adept at social engineering, including tricking help desk staff, allowing them to reset passwords, bypass multi-factor authentication checks and gain access to a victim’s environment.

Customer data stores remain another one of the group’s repeat targets. In the August campaign, the attackers stole OAuth tokens from Salesloft, used to integrate its Drift Email AI chatbot software with Salesforce. The criminals employed the stolen tokens to steal data from 760 different organizations that integrated their Salesloft software with their Salesforce instances.

More recently, the Scattered Lapsus$ Hunters subgroup Shiny Hunters claimed credit for stealing data from Salesforce instances, in an attack that traced to the targeting of data management tool Gainsight, again using stolen access tokens. In that campaign, 300 organizations appear to have fallen victim (see: Salesforce Details Supply Chain Attack Targeting Gainsight).

On Nov. 5, an apparent member of the cybercrime group claimed in a post to social platform X that it had at least three or four other major campaigns underway.

These aren’t the first attacks targeting Zendesk customers to recently come to light. On Nov. 1, Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, detailed how 600 different domain names registered with the .dev top-level domain managed by Google Registry were “using typosquatting to impersonate customer support portals for well-known brands,” including Cloudflare and Zendesk.

“Their primary intent is to obtain remote access to steal sensitive data and account credentials, ultimately enabling financially motivated account takeover and fraud,” he said.

The typosquatted sites’ contents appeared to have been AI-generated, and included “an embedded live chat interface, staffed by a human operator who asks victims’ phone number and email address under the pretext of providing technical assistance,” after which the attacker attempts to trick the victim into installing legitimate remote monitoring software, which grants the attacker “full remote access to the device,” Büyükkaya said.

His discovery followed Discord in September saying hackers targeted its Zendesk-based support system. The hackers claimed to have stolen sensitive user data, including names, email addresses, billing information, IP addresses, and government-issued IDs, reported Bleeping Computer.

ReliaQuest said it’s likely that “the Zendesk-related infrastructure we’ve uncovered is part of one of these campaigns,” and advised organizations to beware further attacks by Scattered Lapsus$ Hunters that target CRM and customer support systems in the coming months.
