Hackers are abusing Zendesk to run brand impersonation scams

Researchers claim Zendesk isn't thoroughly vetting who's registering new accounts.

Jan 21, 2025 - 15:12

Security researchers from CloudSEK observed hackers running pig butchering scams
They're impersonating legitimate businesses through Zendesk's services
The researchers said Zendesk's vetting system isn't thorough enough

A new report from cybersecurity researchers CloudSEK has found that cybercriminals are abusing Zendesk to run brand impersonation scams, with hackers abusing simple Zendesk features to engage in “pig butchering” scams and trick people out of their money.

Zendesk is a customer service and engagement platform that helps businesses manage customer interactions across various communication channels.

The platform allows users to register free trial accounts which, in turn, grant the ability to create subdomains, unfortunately allowing criminals to abuse it at scale.

Pig butchering

First, they would create a fake subdomain, mimicking a legitimate company, which would be used to send phishing emails pretending to be actual customer support communication.

Since Zendesk is a legitimate company, the emails often make it past spam filters and, disguised using accurate branding, land right into people’s inboxes. The emails apparently carry an image hyperlinked to a phishing page, where the scam continues.

The goal of the scam is to get people investing in a fake investment platform or support page - a staple of pig butchering scams. The ruse is designed to last as long as possible, draining money from the victim until they realize they’ve been defrauded.

The problem, according to CloudSEK, is that Zendesk doesn’t perform thorough email validation when adding users to subdomains. “This oversight allows attackers to target employees or customers with phishing attempts masked as legitimate ticket assignments,” the researchers said.

Zendesk has been informed of the flaw and its potential for misuse, following CloudSEK's responsible disclosure policy, CloudSEK concluded. We have reached out to the company and will update the article if we hear back.