"Researchers say they found more than 40 typosquatted and impersonation domains - names like "znedesk.com" or "vpn-zendesk.com" - designed to mirror Zendesk's portals over the past six months. Some host fake single sign-on (SSO) pages aimed at harvesting credentials, while others are used to submit fraudulent tickets to helpdesk staff. All share common registration hallmarks - the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers - a profile almost identical to that of a previous impersonation campaign targeting Salesforce."
"This is more than phishing noise. According to ReliaQuest, the attackers appear to be chaining support interface impersonation with targeted intrusions, submitting malicious tickets to legitimate Zendesk portals operated by real organizations, potentially dropping remote-access trojans (RATs) directly onto agents' machines. Once inside, they could pivot across corporate networks, quietly looting intellectual property or sensitive data. These findings add uncomfortable context to the September 2025 Discord breach,"
More than 40 typosquatted and impersonation domains such as "znedesk.com" and "vpn-zendesk.com" were created to mirror Zendesk portals over six months. Some domains host fake single sign-on pages to harvest credentials; others submit fraudulent tickets to helpdesk staff. The domains share registration hallmarks: the NiceNic registrar, US or UK contact details, and Cloudflare-masked nameservers, a profile closely matching a previous Salesforce impersonation campaign. Attackers chain support-interface impersonation with targeted intrusions, using malicious tickets to drop remote-access trojans (RATs) onto agents' machines and then pivot across corporate networks to steal intellectual property or sensitive data. The September 2025 Discord Zendesk breach involved large-scale data exfiltration of user records.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]