
Latest News on Zendesk Phishing Vulnerability and Subdomain Registration Exploitation
As of January 2025, there have been significant concerns raised about the vulnerability of Zendesk's SaaS infrastructure to phishing campaigns and “pig butchering” scams. Here are the key points from recent reports:
Vulnerability in Zendesk's SaaS Infrastructure
A study by CloudSek has revealed that Zendesk's free trial offer is being exploited by scammers and hackers. The attackers are using the free trial to register subdomains that mimic the names of genuine brands, creating convincing interfaces for phishing, data theft, and financial fraud.
Phishing Campaigns
The attackers register Zendesk accounts using subdomains that appear legitimate by combining the impersonated brand’s name with numbers. This allows them to send phishing emails disguised as legitimate ticket notifications. Here’s a step-by-step breakdown of how the scam works:
- Zendesk Account Setup: Attackers register a Zendesk account using a subdomain that mimics the target company’s name.
- Fake Subdomain Creation: With admin access, attackers invite users and send phishing emails.
- Phishing Setup: Invitations include links to phishing pages pretending to be support tickets.
- Data Collection: Tools like RocketReach are used to gather employee email addresses for targeted phishing.
- Exploitation: Zendesk’s lack of email verification allows attackers to send phishing links to any added email address.
Pig Butchering Scams
Although there are no reported instances of Zendesk being targeted by pig butchering scams, the vulnerability in its infrastructure makes it susceptible. Pig butchering scams involve building trust with targets before tricking them into fake investments and disappearing with their money. CloudSek demonstrated how such a scam could exploit Zendesk’s infrastructure by creating fake subdomains and phishing pages.
Security Concerns and Recommendations
The report highlights several security concerns:
- Email Correspondence: Phishing emails from attacker-controlled Zendesk domains land in the Primary Inbox instead of being marked as spam, posing a significant risk.
- Lack of Validation: Tickets can be assigned to both corporate and non-corporate email accounts without validation, allowing attackers to target anyone with emails from the spoofed Zendesk domain.
To combat these threats, CloudSek recommends:
- Blacklist Unknown Zendesk Instances: Restrict access to unverified Zendesk login pages.
- Leverage Detection Tools: Use tools like XVigil’s Fake URLs & Phishing Submodule to identify and alert on suspicious Zendesk subdomains.
- Employee Awareness and Training: Educate employees about phishing tactics and warn them against scams posing as customer support or investment schemes.
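The first two recommendations (allowlist the Zendesk instances you actually use, and alert on lookalike subdomains that combine a protected brand name with numbers) can be implemented as a simple mail-gateway or log check. The following is an added example written for this article; it is not CloudSek's code, not part of XVigil, and not a Zendesk feature. The allowlist, brand list, and log lines are constructed sample data, and the `from=... url=...` log format is an assumed one.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the Zendesk instances this organisation has verified.
# A real deployment would load this from an asset inventory.
VERIFIED_INSTANCES = {"acme.zendesk.com"}

# Constructed list of brand names whose impersonation should raise an alert.
PROTECTED_BRANDS = {"acme", "globex"}

# A Zendesk tenant host is a single label directly under zendesk.com.
ZENDESK_HOST = re.compile(r"^(?P<sub>[a-z0-9-]+)\.zendesk\.com$", re.IGNORECASE)


def zendesk_subdomain(value):
    """Return the Zendesk tenant label found in a URL, e-mail address or host, else None."""
    candidate = value.strip().strip("<>")
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    elif "@" in candidate:
        candidate = candidate.rsplit("@", 1)[1]
    match = ZENDESK_HOST.match(candidate.lower())
    return match.group("sub") if match else None


def classify_subdomain(sub):
    """Classify a tenant label: verified, lookalike (brand + digits), brand-match or unknown."""
    if f"{sub}.zendesk.com" in VERIFIED_INSTANCES:
        return "verified"
    for brand in PROTECTED_BRANDS:
        if brand in sub:
            # What remains after removing the brand: empty or digit-bearing means the
            # "brand name plus numbers" pattern the report describes.
            rest = sub.replace(brand, "", 1).strip("-")
            if rest == "" or re.search(r"\d", rest):
                return "lookalike"
            return "brand-match"
    return "unknown"


# Constructed sample gateway log lines (assumed key=value format).
SAMPLE_EVENTS = [
    "from=support@acme.zendesk.com url=https://acme.zendesk.com/hc/requests/42",
    "from=support@acme1234.zendesk.com url=https://acme1234.zendesk.com/hc/requests/7",
    "from=noreply@globex-support2.zendesk.com url=https://globex-support2.zendesk.com/hc/",
    "from=billing@randomshop.zendesk.com url=https://randomshop.zendesk.com/",
    "from=alice@example.com url=https://example.com/",
]


def scan_events(events):
    """Return (subdomain, verdict) for every event that references a non-verified Zendesk tenant."""
    alerts = []
    for line in events:
        fields = dict(kv.split("=", 1) for kv in line.split())
        for value in fields.values():
            sub = zendesk_subdomain(value)
            if sub is None:
                continue
            verdict = classify_subdomain(sub)
            if verdict != "verified":
                alerts.append((sub, verdict))
            break  # one verdict per event is enough
    return alerts


if __name__ == "__main__":
    for sub, verdict in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {verdict:11s} {sub}.zendesk.com")
```

Anything classified as `unknown` is a Zendesk instance the organisation has no relationship with, which is exactly the "unverified Zendesk login page" the first recommendation says to block; `lookalike` and `brand-match` are the cases worth routing to an analyst or quarantining before they reach the Primary Inbox.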
Historical Context and Relevance
This vulnerability follows another recent security issue with Zendesk, where a 15-year-old ethical hacker exposed a weakness in Zendesk’s email system, allowing unauthorized access to sensitive customer data. This previous exploit involved email spoofing and highlighted the simplicity and severity of the vulnerabilities in Zendesk’s infrastructure.
Conclusion
The exploitation of Zendesk's SaaS infrastructure for phishing and potential pig butchering scams is a significant concern, emphasizing the need for enhanced security measures and employee awareness. The recommendations provided by CloudSek are crucial in mitigating these risks and protecting both the company and its customers from data breaches and financial losses.
For more detailed information, you can refer to the CloudSek report and the associated blog posts.