The Help Desk Hangover: How Elite Hackers Are Weaponizing Corporate Support Portals

A sophisticated cyber espionage campaign by Scattered Spider and USD Hunters is targeting Zendesk users through SEO poisoning and fake support sites. This deep dive explores how attackers are weaponizing help desk portals to bypass MFA, the evolution of these threat actors, and the urgent need for FIDO2 implementation.
Written by Ava Callegari

In the quiet corners of corporate infrastructure, the customer support portal has long been viewed as a benign utility—a digital suggestion box rather than a fortress requiring heavy fortification. However, a sophisticated wave of cyber espionage is currently upending this assumption, turning the very tools designed to assist users into high-velocity on-ramps for intrusion. A new alignment of threat actors, including the notorious Scattered Spider and a group identifying as USD Hunters, has launched a precision campaign targeting users of Zendesk, one of the world’s most ubiquitous customer service platforms.

The campaign represents a shift in high-stakes cybercrime, moving away from the brute-force cracking of firewalls toward the manipulation of human trust and search engine algorithms. According to a recent analysis by TechRadar, these attackers are deploying a complex network of fake support sites and phishing pages designed to mimic Zendesk’s authentication portals down to the pixel. By compromising these entry points, adversaries gain unrestricted access to ticketing systems, which often house sensitive customer data, internal communications, and the keys to lateral movement within a corporate network.

The Mechanics of the Modern Masquerade

The attack vector relies heavily on a technique known as SEO poisoning, or search engine optimization manipulation. Rather than waiting for a victim to make a mistake, these hackers proactively place their traps where employees are most likely to look for help: Google search results. When an IT administrator or support agent encounters a login issue and searches for “Zendesk support” or “Zendesk login,” they are increasingly likely to encounter a malicious advertisement or a high-ranking organic search result that leads to a fraudulent domain. These sites are engineered to look identical to the legitimate service, leveraging typosquatting domains that differ from the real URL by a single, easily missed character.

Once the victim lands on the spoofed page, the site executes a series of scripts designed to harvest credentials and, in many cases, bypass multi-factor authentication (MFA). Security researchers note that these campaigns are not merely passive phishing nets; they are active, real-time interceptions. The attackers often utilize adversary-in-the-middle (AiTM) toolkits that capture the session token generated after a user inputs their MFA code. This allows the threat actor to replay the session and gain access to the real account immediately, effectively rendering standard MFA protections null and void.
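One server-side control against the token replay described above is to bind a session to the client that completed MFA and flag a token that reappears from a different client minutes later. The log events below are constructed and the check is an added example, not code from the article or from Zendesk:

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): session s1 completes MFA from one
# client and its token is then presented from another host and user agent.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "session": "s1", "event": "mfa_ok",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T09:00:40", "session": "s1", "event": "request",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2024-05-01T09:02:15", "session": "s1", "event": "request",
     "ip": "198.51.100.77", "ua": "python-requests/2.31"},
    {"ts": "2024-05-01T10:00:00", "session": "s2", "event": "mfa_ok",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2024-05-01T10:30:00", "session": "s2", "event": "request",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_replayed_sessions(events, window_minutes=15):
    """Flag sessions whose token is presented by a client (IP or user agent)
    that differs from the one that completed MFA, within `window_minutes`."""
    bound = {}      # session id -> (mfa time, ip, user agent) at MFA completion
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO timestamps sort as text
        if e["event"] == "mfa_ok":
            bound[e["session"]] = (parse_ts(e["ts"]), e["ip"], e["ua"])
            continue
        origin = bound.get(e["session"])
        if origin is None:
            continue
        t0, ip0, ua0 = origin
        age = parse_ts(e["ts"]) - t0
        if age <= timedelta(minutes=window_minutes) and (e["ip"] != ip0 or e["ua"] != ua0):
            findings.append({
                "session": e["session"], "ts": e["ts"],
                "reason": f"client changed from {ip0} / {ua0} to {e['ip']} / {e['ua']} "
                          f"{int(age.total_seconds())}s after MFA",
            })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_EVENTS):
        print(f)
```

A proxy that relays the whole login and then reuses the token from the same host keeps a consistent fingerprint, so this catches the hand-off to a separate operator machine rather than every AiTM replay.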

A Genealogy of Chaos: From Lapsus$ to Scattered Spider

To understand the severity of this threat, one must look at the pedigree of the attackers involved. The tactics observed in the Zendesk campaign bear the distinct fingerprints of Scattered Spider (also tracked as UNC3944), a group that has rapidly ascended the hierarchy of cybercrime. Known for their aggressive social engineering and fluency in Western corporate culture, Scattered Spider shares a lineage and tactical playbook with the now-infamous Lapsus$ group. While Lapsus$ was characterized by chaotic, ego-driven breaches of major technology firms, Scattered Spider has professionalized these methods, applying a level of operational discipline that makes them significantly more dangerous to enterprise environments.

The involvement of a group calling themselves “USD Hunters” suggests a further segmentation and specialization within this criminal ecosystem. While Scattered Spider often focuses on high-level intrusion and data extortion, subgroups like USD Hunters appear to be financially motivated specialists, focusing on the monetization of access. The collaboration or overlap between these entities indicates a maturing illicit market where access brokers, social engineers, and ransomware operators coordinate to maximize the yield from a single compromised identity.

The SEO Poisoning Playbook and Malvertising

The reliance on “malvertising”—malicious advertising—is a critical component of this strategy because it bypasses the traditional email security gateway. Corporate defenses have spent decades perfecting the art of filtering phishing emails, but they have comparatively little visibility into the browser interactions of employees searching the open web. By purchasing legitimate ad space on search engines, attackers can guarantee their fraudulent links appear above the legitimate Zendesk links, exploiting the inherent trust users place in top-tier search results.

This method is particularly effective because it targets the user at a moment of frustration or urgency. An employee searching for support is likely trying to resolve a problem quickly, reducing their cognitive load and attention to detail. The fake sites often employ obfuscation techniques to hide their true nature from automated web crawlers used by security firms, revealing the phishing forms only when a real human visitor is detected. This “cloaking” technique allows the malicious infrastructure to remain active for days or weeks before being flagged and taken down.

The Asset Value of a Help Desk Ticket

Why target Zendesk? To the uninitiated, a help desk account might seem like a low-value target compared to a domain controller or a financial database. However, for industry insiders, the logic is terrifyingly sound. Support portals are repositories of trust. They contain deep histories of customer interactions, personally identifiable information (PII), and often, technical details about the customer’s own infrastructure. A compromised support agent’s account can be used to launch supply-chain attacks, sending malicious links or files to customers from a trusted “support” email address.

Furthermore, these platforms often integrate with other enterprise applications such as Slack, Jira, and Salesforce. A breach in the support portal can provide the toehold necessary to pivot laterally into these connected systems. The attackers are not just stealing login credentials; they are stealing the identity of the support organization itself, allowing them to bypass suspicion and operate behind the perimeter with the privileges of a trusted insider.

Blind Spots in Browser Security

The success of the Scattered Spider and USD Hunters campaign highlights a glaring gap in the current enterprise defense posture: the browser. While endpoint detection and response (EDR) tools monitor processes running on the operating system, they often lack visibility into the rendering of web pages. When a user voluntarily hands over credentials to a website that looks legitimate, the EDR sees no malware, no exploit, and no anomaly. It sees standard user behavior.

This invisibility is compounded by the widespread use of “Bring Your Own Device” (BYOD) policies and remote work, where the strict web filtering of the corporate office is replaced by the open internet of a home network. The attackers are acutely aware of this, timing their campaigns to coincide with business hours in specific time zones to catch remote workers who may be troubleshooting connectivity issues without immediate access to internal IT support.

Fortifying the Human Firewall

Mitigating this threat requires a departure from reliance on standard MFA and user training. While security awareness is essential, the sophistication of modern clone sites means that even vigilant users can be deceived. The industry is increasingly moving toward FIDO2-compliant hardware security keys, which are resistant to the credential-relay attacks described above. Because FIDO2 protocols cryptographically bind each login to the domain that registered the credential (e.g., zendesk.com), a fake site hosted on a different domain cannot obtain a valid authentication response, regardless of how visually perfect the deception is.
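The domain binding described above, as an added example that is not from the article or from Zendesk: the relying party verifies that a WebAuthn assertion carries the expected origin and RP ID hash, so a clone on another domain fails even with a pixel-perfect page. RP_ID, the allowed origins and the lookalike domain are assumed values, and the final signature check is left out to keep the focus on the binding.

```python
import base64
import hashlib
import json
import struct

RP_ID = "zendesk.com"                                                   # assumed
ALLOWED_ORIGINS = {"https://zendesk.com", "https://login.zendesk.com"}   # assumed


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin, rp_id, challenge):
    """Build the client-side parts of a WebAuthn assertion (no signature here).
    The browser writes the page's real origin into clientDataJSON and lets a
    page use only an RP ID it actually owns; the authenticator hashes that ID."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0x01                                   # UP bit: user present
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_binding(assertion, expected_challenge):
    """Relying-party checks from WebAuthn assertion verification that make a
    cloned site's login useless: origin and rpIdHash must match the RP."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not a registered origin"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth[32] & 0x01:
        return False, "user-presence flag not set"
    # A full verification now checks the signature over
    # authenticatorData || sha256(clientDataJSON) with the credential's public key.
    return True, "binding checks passed"


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed challenge").digest()
    genuine = make_assertion("https://login.zendesk.com", RP_ID, challenge)
    clone = make_assertion("https://zendesk-support-portal.example",
                           "zendesk-support-portal.example", challenge)   # constructed
    print(verify_binding(genuine, challenge))   # (True, 'binding checks passed')
    print(verify_binding(clone, challenge))     # (False, "origin ... is not a registered origin")
```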

Additionally, organizations must aggressively monitor for lookalike domains. Brand protection services that scan newly registered domains for trademark infringements are becoming a standard requirement for SaaS-heavy enterprises. Detecting a domain like “zendesk-support-portal[.]com” within hours of its registration allows security teams to block the URL at the DNS level before a single employee has the chance to click on it. In the ongoing battle against groups like Scattered Spider, speed and preemptive blocking are the only metrics that matter.
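The lookalike-domain monitoring described above can be prototyped over a newly registered domain feed. The feed below is constructed, the brand allowlist and homoglyph table are assumptions, and the code is an added example rather than a vendor's brand-protection logic; it goes slightly beyond the single-character case by also catching embedded brand strings, digit-for-letter substitutions and the brand on a foreign TLD:

```python
BRAND = "zendesk"
LEGIT_DOMAINS = {"zendesk.com"}                          # assumed allowlist
# Visual substitutions common in typosquats (assumed subset; extend as needed)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample feed; [.] is the defanged form many feeds use.
SAMPLE_FEED = [
    "zendesk.com", "help.zendesk.com", "zendesk-support-portal[.]com",
    "zemdesk.com", "zendeskk.com", "zend3sk-login.net", "zendesk.co",
    "cooking-recipes.org",
]


def normalize(label):
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a, b):
    """Levenshtein distance; a classic typosquat is one edit from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return a reason if `domain` looks like a brand impersonation, else None."""
    domain = domain.lower().replace("[.]", ".")
    if domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    for label in domain.split(".")[:-1]:               # every label except the TLD
        norm = normalize(label)
        if norm == BRAND:
            return f"brand label '{label}' on a domain outside the allowlist"
        if edit_distance(norm, BRAND) <= 1:
            return f"'{label}' is within one edit of '{BRAND}'"
        if BRAND in norm:
            return f"brand string embedded in '{label}'"
    return None


def scan(feed):
    """Map each suspicious feed entry to the reason it was flagged."""
    return {d: classify(d) for d in feed if classify(d)}
```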
