Email Bombs Exploit Lax Authentication In Zendesk

Cybercriminals are exploiting weak email authentication settings in Zendesk, using the platform's customer support systems to bombard targets with thousands of spam and harassing messages that appear to come from legitimate companies like The Washington Post, Discord, and NordVPN. KrebsOnSecurity reports: Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.

The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults. Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names -- not from Zendesk. [...]

In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne'er-do-wells to sully the sender's brand in service of disruptive and malicious email floods. "We recognize that our systems were leveraged against you in a distributed, many-against-one manner," said Carolyn Camoens, communications director at Zendesk. "We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow."

Got one from discord support.

[BuckDutter]

Seems like it's affecting a lot of people, same story, a message about a LE investigation.

Re:

[Entrope]

I noticed a rash of these in my spam box a few days ago. The email bodies had lots of fixed content that made it pretty clear that some support system was getting abused, but it wasn't obvious exactly what the cause was.

CompTIA? Securityâ"!

[HnT]

Big Security minus minus

Re:

[phantomfive]

CompTIA: another for the list of, "I can't believe that company is still around."

Ameteurish

[abulafia]

This pattern gets rediscovered every so often, I'm really surprised Zendesk doesn't have mitigations. They have to have seen this before.

This used to happen to self-hosted bugtrackers and some other types of apps, too. Anywhere you want to be able to send mail to arbitrary groups of people.

Opt-in is not just a good idea. Zendesk may not want more UI friction, but the alternative is going to be blocking them - if you can't control your mail servers, I am not going to accept mail from you.

Outsourcing is just evil

[david.emery]

The companies using Zendesk should be liable for the sins committed by Zendesk on their behalf! And then they can go back and sue Zendesk for causing the underlying problem.

Re:

[gweihir]

Yes. But obviously IT liability is fundamentally broken because the really big players (Microsoft, etc.) make deeply flawed products they get incredibly rich on. Hence the last thing they want is being held to account for their incompetence and abuse of their customers. And that holds back the whole industry and prevents it from finally getting some level of maturity.

Incidentally, no other engineering discipline ever reached maturity without real liability and strong regulation. The MBA assholes just cannot

LAX Security Bypass

[kurt_cordial]

The whole planet has migrated to passkeys (Windows, Meta...) so why didn't they set their computer as the passwordless device? Or ask their son-in-law? The computer is the physical authenticity. Laptop scandal much?