
Compromised support channels give attackers direct access to corporate credentials and sensitive data, amplifying supply‑chain risk for enterprises relying on cloud‑based help desks.
Typosquatting has become a favored vector for cybercriminals targeting SaaS providers, and the recent Zendesk campaign underscores how attackers weaponize brand similarity to harvest credentials. By registering domains that closely resemble official Zendesk URLs, the Scattered Lapsus$ Hunters create convincing phishing portals that lure both end‑users and internal support staff. This approach exploits the trust inherent in help‑desk interactions, where users routinely submit sensitive information to resolve technical issues. The use of NiceNic registrars and Cloudflare’s privacy services further obscures the true ownership of these malicious sites, complicating takedown efforts and attribution.
Beyond domain spoofing, the group’s tactics extend to the submission of fabricated support tickets designed to deliver remote‑access trojans and other malware directly into corporate environments. By masquerading as legitimate internal requests—such as urgent system administration or password resets—the attackers bypass traditional security controls that focus on external threats. This insider‑style attack surface highlights the need for robust verification processes within support teams, including multi‑factor authentication for ticket handling and continuous monitoring for anomalous activity on help‑desk platforms.
The broader implication for enterprises is clear: brand protection and domain monitoring must become integral components of a zero‑trust security strategy. Organizations should proactively scan for look‑alike domains, enforce strict SSO policies, and educate support personnel on phishing indicators specific to help‑desk workflows. As cyber‑crime groups continue to adapt their playbooks, a layered defense that combines technical controls with user awareness will be essential to safeguard the increasingly interconnected SaaS ecosystem.
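A minimal sketch of the look-alike domain scan recommended above, added here as an illustration and not taken from the original article. The allow-list, the distance threshold and the sample domains are assumptions, and the input would in practice be a feed of newly registered or newly certified domains.

```python
import re

BRAND = "zendesk"            # brand keyword being protected
OFFICIAL = {"zendesk.com"}   # assumed allow-list of legitimate registrable domains
# Digit-for-letter swaps folded away before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(domain):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if registrable(domain) in OFFICIAL:
        return None                      # genuine subdomain of the real service
    for token in re.split(r"[.-]", domain):
        folded = token.translate(HOMOGLYPHS)
        if BRAND in token:
            return "brand-embedded"      # brand used as a label or hyphenated part
        if BRAND in folded:
            return "homoglyph"           # brand appears only after folding digits
        if len(token) >= 5 and edit_distance(folded, BRAND) <= 2:
            return "typo"                # dropped, added or swapped characters
    return None

def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}

# Constructed sample feed (reserved .example names, not real indicators).
SAMPLE = ["zendesk-helpdesk.example", "zendesk.com.sso-check.example",
          "z3ndesk.example", "zendsk.example", "acme.zendesk.com",
          "helpdesk.example", "status.example.org"]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE).items():
        print(f"{reason:15} {name}")
```

Flagged names are candidates for analyst review and takedown requests, not automatic blocks; the edit-distance threshold trades missed typos against false positives.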