Phishing on the Help Desk: Lapsus$ Copycats Target Zendesk Users in Supply-Chain Blitz
Cybercriminals posing as Zendesk have unleashed a wave of fake domains and phishing attacks, threatening the backbone of online customer support for countless organizations.
Fast Facts
- Over 40 fake domains mimicking Zendesk were registered in just six months.
- Attackers use typosquatting and phishing to steal credentials and spread malware.
- Fraudulent support tickets are sent to real Zendesk portals to trick staff.
- The campaign is linked to the Scattered Lapsus$ Hunters, infamous for previous SaaS platform breaches.
- Experts urge organizations to treat customer support tools as critical infrastructure.
Attackers Go After the Digital Front Desk
Imagine walking into your favorite store, only to find the staff replaced by clever impersonators ready to swipe your credit card. That’s the scenario unfolding online as Scattered Lapsus$ Hunters, a notorious cybercrime group, targets Zendesk users by building a shadowy network of lookalike websites and fake help desks.
ReliaQuest’s threat research team recently uncovered more than 40 domains designed to mimic genuine Zendesk environments. These copycat sites - such as znedesk.com and vpn-zendesk.com - aren’t just misspellings; they’re digital trapdoors, built to snare unwary employees and customers with phishing pages that expertly fake Zendesk’s login screens. The goal: harvest credentials, deploy malware, and worm into company networks.
A Familiar Playbook, A New Target
The operation isn’t just about fake websites. Researchers also found evidence of attackers submitting fraudulent tickets to legitimate Zendesk portals, hoping to trick support staff with urgent requests or password resets. These tickets often carry malicious attachments or links, acting as Trojan horses that can smuggle remote access trojans (RATs) and other malware into organizations.
This is not the Hunters’ first rodeo. In 2025, they targeted Salesforce with a similar blend of typosquatting and phishing, and breached Discord’s Zendesk-based support system, exposing sensitive user data. Their pattern is clear: exploit widely used SaaS (Software-as-a-Service) platforms that sit at the heart of customer relationships but often receive less security attention than core business systems.
Why Customer Support Platforms Are Under Fire
Customer support tools like Zendesk are digital switchboards, connecting companies to millions of users. But their very accessibility makes them a juicy target. If attackers can compromise these systems, they gain the keys to a treasure trove of customer data and internal credentials, often with surprising ease.
The Scattered Lapsus$ Hunters’ latest campaign is part of a broader trend: cybercriminals increasingly see SaaS platforms as weak links in the supply chain. As the group taunted on Telegram, more attacks are coming, especially during holidays when staff vigilance is low. The risks extend beyond Zendesk - platforms like Gainsight, Salesforce, and Drift have all been in the crosshairs.
Raising the Alarm: Defending the Digital Help Desk
Experts recommend treating customer support platforms with the same care as financial or HR systems. That means enforcing strong two-factor authentication (preferably with hardware keys), monitoring for suspicious domains, and limiting who can receive direct messages through support channels. Proactive content filtering and domain monitoring can help spot phishing attempts before they reach unsuspecting employees.
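Domain monitoring of the kind recommended above can start with a simple lookalike classifier run over newly observed domains. The block below is an added example, not ReliaQuest's, Zendesk's or the article's own code; the allowlist, the confusable-character map and the sample feed are constructed, and the two real lookalikes named in the article are included to show how each is caught.

```python
# Added example (not ReliaQuest's or Zendesk's tooling): triage newly observed
# domains for Zendesk lookalikes. Allowlist, confusables map and feed are constructed.
from typing import Optional

BRAND = "zendesk"
LEGIT = {"zendesk.com"}  # constructed allowlist; populate from your real inventory
# Visual substitutions common in typosquats (constructed, not exhaustive)
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap: znedesk
    return d[-1][-1]


def classify(domain: str, brand: str = BRAND) -> Optional[str]:
    """Reason the domain looks like a brand impersonation, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT:
        return None
    # Registrable label via naive two-label split (no public-suffix list handling)
    label = domain.split(".")[-2] if "." in domain else domain
    folded = label
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    if label == brand:
        return "exact brand on unapproved TLD"
    if folded == brand:
        return "digit/homoglyph substitution"
    if brand in folded:  # e.g. vpn-zendesk, zendesk-login, myzendesk
        return "brand embedded with prefix/suffix"
    if osa_distance(folded, brand) <= 1:
        return "one edit or transposition from brand"
    return None


# Constructed feed: the two domains named in the article plus invented entries.
SAMPLE_FEED = ["znedesk.com", "vpn-zendesk.com", "zendesk.com", "zend3sk.net",
               "zendesk.net", "shop.example.com"]
FLAGGED = {d: r for d in SAMPLE_FEED if (r := classify(d))}  # {domain: reason}
```

Every flagged domain is a candidate for manual review and, where confirmed, for blocking in mail and web filters; the classifier deliberately errs toward false positives, so the allowlist has to be kept current.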
WIKICROOK
- Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- SaaS (Software as a Service): SaaS delivers cloud-hosted applications over the internet, letting users access software without local installation or maintenance.
- Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.