Email Bombs Exploit Lax Authentication In Zendesk (krebsonsecurity.com) 11
Cybercriminals are exploiting weak email authentication settings in Zendesk, using the platform's customer support systems to bombard targets with thousands of spam and harassing messages that appear to come from legitimate companies like The Washington Post, Discord, and NordVPN. KrebsOnSecurity reports: Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.
The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults. Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names -- not from Zendesk. [...]
In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne'er-do-wells to sully the sender's brand in service of disruptive and malicious email floods. "We recognize that our systems were leveraged against you in a distributed, many-against-one manner," said Carolyn Camoens, communications director at Zendesk. "We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow."
The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults. Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names -- not from Zendesk. [...]
In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne'er-do-wells to sully the sender's brand in service of disruptive and malicious email floods. "We recognize that our systems were leveraged against you in a distributed, many-against-one manner," said Carolyn Camoens, communications director at Zendesk. "We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow."
Got one from discord support. (Score:1)
Re: (Score:2)
I noticed a rash of these in my spam box a few days ago. The email bodies had lots of fixed content that made it pretty clear that some support system was getting abused, but it wasn't obvious exactly what the cause was.
CompTIA? Securityâ"! (Score:3)
Big Security minus minus
Re: (Score:3)
Ameteurish (Score:3)
This used to happen to self-hosted bugtrackers and some other types of apps, too. Anywhere you want to be able to send mail to arbitrary groups of people.
Opt-in is not just a good idea. Zendesk may not want more UI friction, but the alternative is going to be blocking them - if you can't control your mail servers, I am not going to accept mail from you.
Outsourcing is just evil (Score:2)
The companies using Zendesk should be liable for the sins committed by Zendesk on their behalf! And then they can go back and sue Zendesk for causing the underlying problem.
Re: (Score:2)
Yes. But obviously IT liability is fundamentally broken because the really big players (Microsoft, etc.) make deeply flawed products they get incredibly rich on. Hence the last thing they want is being held to account for their incompetence and abuse of their customers. And that holds back the whole industry and prevents it from finally getting some level of maturity.
Incidentally, no other engineering discipline ever reached maturity without real liability and strong regulation. The MBA assholes just cannot
LAX Security Bypass (Score:1)
no DANE or RPKI for email (Score:2)
so they did not implement DANE or RPKI
if you delegate you have a serious problem
irony is they use route53 so its a single click solution they just did. not,,,,
silly get on it
also no HSTS and one of your mail servers does not offer STARTTLS (they use google but not the secure DNSSEC settings) and the domain does not have CAA.
faarrk did no one raise this with them ? seems unlikely.... seems like bonus got in the way of security
JJ