Overview
- Researchers identified more than 40 impersonation domains over the past six months, including znedesk.com and vpn-zendesk.com, with common traits such as NiceNic registration, US/UK contact details and Cloudflare‑masked nameservers.
- Several sites host fake single sign-on pages while attackers also submit crafted support tickets intended to harvest credentials or deliver remote access trojans to help‑desk agents.
- ReliaQuest says the tactics mirror an August 2025 campaign against Salesforce, pointing to Scattered Lapsus$ Hunters as a likely source while noting copycat activity is possible.
- Discord’s Zendesk-based support system was compromised earlier; the company says about 70,000 users may have had government ID images exposed, while separate claims of roughly 2.1 million images remain unverified.
- Vendors urge immediate hardening of Zendesk deployments, including hardware-backed MFA, IP allowlisting, session timeouts, domain monitoring, DNS filtering and tighter chat controls.
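
The domain monitoring recommended above can start with a lookalike check over newly observed domains (for example from DNS logs or new-registration feeds). The following Python is an added example, not code from ReliaQuest or Zendesk; the allowlist, the distance threshold and every sample domain other than the two named in the overview are assumptions.

```python
import re

BRAND = "zendesk"            # brand label to protect
LEGIT = {"zendesk.com"}      # assumption: domains the brand actually owns
MAX_DISTANCE = 2             # assumption: edit-distance threshold for a lookalike

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain):
    """Return 'legit', 'brand-keyword', 'typosquat' or None for one domain."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT or any(domain.endswith("." + ok) for ok in LEGIT):
        return "legit"
    labels = domain.split(".")[:-1]          # every label except the TLD
    if any(BRAND in label for label in labels):
        return "brand-keyword"               # e.g. vpn-zendesk.com
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    if any(0 < osa_distance(t, BRAND) <= MAX_DISTANCE for t in tokens):
        return "typosquat"                   # e.g. znedesk.com
    return None

def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {}
    for name in domains:
        verdict = classify(name)
        if verdict not in (None, "legit"):
            hits[name] = verdict
    return hits

# First two entries are named in the overview; the rest are constructed samples.
SAMPLE = ["znedesk.com", "vpn-zendesk.com", "support.zendesk.com",
          "zendesk.com.login.example", "example.org"]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE).items():
        print(f"{reason:14} {name}")
```

Flagged names are candidates for the DNS filtering the vendors recommend; the allowlist must include every domain the organisation really uses, or legitimate tenants will be reported.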