
Zendesk vulnerability could help attackers phish, infiltrate, researchers warn

“They can use it as an additional arsenal in their toolset to land phishing emails to employee mailboxes,” researcher tells IT Brew.

[Image: Robots typing at computers. Credit: Andriy Onufriyenko/Getty Images]


It’s the definition of poor communication.

That’s what security research firm CloudSEK is saying about a vulnerability in Zendesk, the customer-support SaaS platform that companies use for ticket-based communication with customers and their own employees.

In a report published Jan. 20, CloudSEK described how attackers can use the tool to infiltrate organizations. Because Zendesk lets anyone sign up for a free trial, and every account gets its own subdomain under zendesk.com, a malicious actor can register a subdomain that imitates a target company’s name and use it to trick that company’s staff into handing over information. Threat researcher Noel Varghese walked IT Brew through the attack.

“Threat actors can misuse it in such a way that they can create Zendesk instances that are imitating the name of the company they’re trying to target,” Varghese said. “Since social engineering and phishing attacks are somewhat common these days, they can use it as an additional arsenal in their toolset to land phishing emails to employee mailboxes.”

The mix-up. One of the main concerns in the report is that Zendesk does not verify the sign-up email address, so a threat actor can register a trial account with a throwaway address and discard that address before ever using the service. Further, Zendesk’s ticket notifications land in recipients’ primary inboxes, meaning “employees can mistake orchestrated campaigns of similar vein to be circulated by a trusted authority—such as their place of employment,” according to the report.
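A defender reading the above will want a concrete check on the mail side: of the Zendesk notifications reaching employees, which come from tenants the organization actually owns, and which come from a tenant whose name merely resembles the organization’s? The script below is an added example written for this page, not code from CloudSEK, Zendesk, or IT Brew. It assumes (as labelled in the comments) that a Zendesk tenant’s notification mail is sent from an address under `<tenant>.zendesk.com` (the default sender being `support@<tenant>.zendesk.com`), that the organization keeps a list of the tenant names it registered itself, and that the `From:` headers it triages are constructed sample data; the organization name “Globex” and the tenant names are hypothetical.

```python
"""Triage Zendesk-hosted senders that imitate an organization's name.

Added example, not code from CloudSEK or Zendesk. Assumptions:
- a Zendesk tenant's notification mail comes from an address under
  <tenant>.zendesk.com (default sender support@<tenant>.zendesk.com);
- the organization knows which tenant names it legitimately owns;
- the From: headers below are constructed for this example.
"""
import re
from email.utils import parseaddr

# Sender local-part @ <tenant>.zendesk.com; the tenant is the capture group.
ZENDESK_SENDER = re.compile(r"^[^@]+@([a-z0-9-]+)\.zendesk\.com$", re.IGNORECASE)


def normalize(name: str) -> str:
    """Lower-case and drop separators so 'Globex-IT' and 'globexit' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats (gl0bex)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, org_name: str, owned_tenants) -> str:
    """Classify one From: header for one organization.

    Returns:
      'not-zendesk'  sender is not under *.zendesk.com
      'owned'        tenant is one the organization registered itself
      'lookalike'    tenant is not owned but embeds or nearly spells the org name
      'third-party'  some other Zendesk tenant (a vendor's real help desk, say)
    """
    _, addr = parseaddr(from_header)
    match = ZENDESK_SENDER.match(addr)
    if not match:
        return "not-zendesk"
    tenant = match.group(1).lower()
    if tenant in {t.lower() for t in owned_tenants}:
        return "owned"
    org, ten = normalize(org_name), normalize(tenant)
    # Short names get a tighter distance bound to limit false positives.
    max_dist = 1 if len(org) < 8 else 2
    if org and (org in ten or edit_distance(org, ten) <= max_dist):
        return "lookalike"
    return "third-party"


# Constructed sample headers: one owned tenant, two impersonations, one
# unrelated vendor help desk, and one non-Zendesk sender.
SAMPLE_FROM_HEADERS = [
    '"Globex IT Support" <support@globex.zendesk.com>',
    '"Globex Helpdesk" <support@globex-it-support.zendesk.com>',
    '"Globex Security" <support@gl0bex.zendesk.com>',
    '"Vendor Support" <support@somevendor.zendesk.com>',
    '"Globex IT" <it@globex.example>',
]


def triage(headers, org_name: str, owned_tenants):
    """Return (address, verdict) pairs; 'lookalike' rows are the ones to alert on."""
    return [(parseaddr(h)[1], classify_sender(h, org_name, owned_tenants)) for h in headers]


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_FROM_HEADERS, "Globex", {"globex"}):
        print(f"{verdict:12} {addr}")
```

The check keys on the tenant name rather than on the display name because the display name is free text an attacker controls outright, whereas the subdomain is what Zendesk actually assigns; a mail-filter rule built on this logic can route `lookalike` verdicts to a quarantine or an analyst queue without touching the organization’s own Zendesk traffic.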

CloudSEK disclosed the flaw to Zendesk prior to publishing the report. In an emailed statement, Zendesk Senior Manager of Technology Communications Kaylee Hill told IT Brew that the company “sees no evidence of any active campaigns utilizing the method described in the CloudSEK report.”

“Zendesk actively monitors the creation of accounts to prevent impersonation and immediately removes those that violate our policies,” Hill added.

Check your head. Varghese told IT Brew that CloudSEK’s report was meant to raise awareness, not to prescribe specific fixes. The hope, he said, is that both Zendesk and its clients—prospective or current—take precautions to guard against phishing attacks.

“This is a step forward that we are putting forward as a service, as awareness for organizations,” Varghese said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
