Cybercriminals have found a gap in Zendesk’s ticket submission process and are using it to bombard victims with waves of deceptive support messages.
When configured to accept anonymous requests, however, the service can be abused to generate email floods that appear to come from legitimate corporate domains.
Earlier this week, security blogger Brian Krebs was the target of this campaign, receiving thousands of rapid-fire email alerts from more than 100 different Zendesk customers.

The flood included notifications supposedly sent by well-known brands such as NordVPN, CompTIA, Tinder, The Washington Post, Discord, GMAC, and CapCom, as reported by KrebsOnSecurity.
Each alert bore the branding and reply-to address of the customer, making it nearly impossible to distinguish the spam from genuine ticket notifications.
Anonymous ticket creation enables mass impersonation
According to Zendesk communications director Carolyn Camoens, the platform allows some customers to accept support requests without prior verification.
“These types of support tickets can be part of a customer’s workflow, where a prior verification isn’t required to allow them to engage and make use of the Support capabilities,” she explained.
Companies may choose this setting to reduce friction for users, but it also means anyone can specify any email address and subject line when opening a new ticket.
By combining anonymous submission with the auto-responder trigger for ticket creation, attackers can craft their own subject lines and force Zendesk to send confirmation messages from the customer’s domain.
Victims see legitimate corporate branding and a familiar reply-to address, such as assist@washpost.com, even though the message was generated by a malicious actor.
Replies to these messages go back to the legitimate customer support inbox, furthering the illusion of a valid support case.
“We acknowledge that our systems have been leveraged against you in a distributed, many-against-one manner,” said Camoens.
Zendesk is now investigating additional safeguards and advising customers to adopt authenticated ticket workflows that require users to verify their email addresses before auto-responders are triggered.
Until more robust measures are in place, Zendesk customers are urged to adjust their settings to block anonymous ticket creation or to require verification steps such as email confirmations or CAPTCHA challenges.
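A minimal sketch of the verification-before-auto-responder workflow described above, added here as an illustration and not Zendesk's code or API: the `Intake` class, its limits and the message subjects are all hypothetical. It holds the submitted subject line back until the address owner confirms, and caps unconfirmed requests per address.

```python
import secrets
import time

CONFIRM_SUBJECT = "Confirm your support request"  # fixed text, never requester input
TOKEN_TTL = 3600   # assumption: confirmation links live for one hour
MAX_PENDING = 1    # assumption: one unconfirmed request per address


class Intake:
    """Hypothetical anonymous-ticket intake that defers the auto-responder."""

    def __init__(self):
        self.pending = {}  # token -> (email, subject, body, expiry)
        self.tickets = []  # verified (email, subject, body)
        self.outbox = []   # (recipient, subject) for every mail that would be sent

    def submit(self, email, subject, body, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        # Drop expired entries, then count what is still waiting for this address.
        self.pending = {t: p for t, p in self.pending.items() if p[3] > now}
        waiting = sum(1 for p in self.pending.values() if p[0] == email)
        if waiting >= MAX_PENDING:
            return None  # no more mail to an address that has not confirmed
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, subject, body, now + TOKEN_TTL)
        # Only the fixed confirmation goes out; the submitted subject is held back.
        self.outbox.append((email, CONFIRM_SUBJECT))
        # Returned so the demo can call confirm(); in a deployment the token
        # travels only inside the confirmation mail.
        return token

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)
        if entry is None or entry[3] <= now:
            return False  # unknown, reused or expired token
        email, subject, body, _ = entry
        self.tickets.append((email, subject, body))
        # The branded auto-responder fires only after the address owner confirms.
        self.outbox.append((email, "Request received: " + subject))
        return True
```

An unconfirmed address still receives one fixed-text confirmation per deployment, which is why the article's other suggestion, a CAPTCHA on the submission form, complements this check.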
Failing to validate requesters opens the door to spammers and perceived legal threats that can tarnish a company’s reputation and overwhelm inboxes.
This abuse highlights how automated support tools, when misconfigured, can become a powerful instrument for harassment.
Organizations using Zendesk and similar platforms should review their ticket submission policies today to prevent ne’er-do-wells from weaponizing their own systems against unsuspecting recipients.