Zendesk Incident Demonstrates How “Relay Spam” Can Hit Support Systems, but How Big Is the Risk?
January 27, 2026
Zendesk made the news recently for being the apparent source of a whole lot of weird spam messages, and this turned out to be due to abuse of a “quality of life” feature meant to make filing support tickets easier. The simplest solution in this case turns out to be for organizations to turn that feature off, but the incident raises questions about the real level of risk that glitches and vulnerabilities in support systems can pose when they are leveraged to abuse a site’s trusted status with security and spam filters.
Odd spam campaign puts spotlight on underlooked ticket system vulnerabilities
The attackers exploited what Zendesk calls a “side effect” of the ease of use of its support systems. By default, Zendesk clients usually let customers create tickets without a login or any other checks; the customer simply provides a return email address for further communication about the ticket. In what is essentially a “relay spam” approach, someone seems to have automated this process to submit ticket requests using known valid email addresses belonging to other people.
So how exactly is this an exploit? That’s a very good question. The attackers did not seem to get much out of it, save for alarming and annoying numerous people with a bunch of weird emails. They merely supplied bizarre, possibly randomly generated titles with the support tickets, which were then kicked back to the attached legitimate email address, so the receipt went to someone who had never filed the ticket. It does not appear that they attempted to include malicious URLs or any other attack elements, though there would have been very limited capability to do something like this (if any).
The potential danger of support systems being exploited in this way lies in the fact that the ticket receipt message will originate from a trusted source, thus extremely likely being greenlit right through automated spam and security scanning. But if the ability to attach files or even include a text URL is removed, what can the attackers gain from this? One possibility is that the attack is on the company hosting the support systems, not the individual users; it is essentially an attempted denial of service as hundreds or thousands of seemingly valid tickets are suddenly generated.
The identity of the attacker remains unknown, but similar prior actions by Scattered Lapsus$ Hunters provide another possibility: the attacker “typosquats” similar domain names, and targets helpdesk staff instead of the end users.
Are support systems an underlooked threat vector?
The confusing spam campaign began on August 18 and a number of companies using Zendesk saw these odd messages come from their support systems; these include Discord, Dropbox, and NordVPN.
Zendesk says that it has improved its security to detect attempts to perform this sort of spam attack, but at the organizational end it is fairly easy to cut off by simply restricting ticket creation to verified users only. This does not appear to be on by default with Zendesk’s support systems, with the ability to enter any email address touted as a convenience feature.
Zendesk previously issued a warning about this potential attack vector in December, when a similar spam campaign was attempted and detected. However, it seems that relatively few of its clients opted to make their ticketing systems more restrictive. It does not appear that the Zendesk system would have allowed attachments or URLs to be included, so it is understandable why this might be considered an item of low concern; however, not every system of this type is necessarily as guarded.
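For an organization that has to keep anonymous ticket creation open, the pattern described above (one source submitting many tickets, each naming a different unverified requester address) can be checked for at intake. The following is an added example, not code from the article or from Zendesk; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample intake records (hypothetical schema, not a Zendesk log format):
# (timestamp, source IP, requester email typed into the form, requester verified?)
T0 = datetime(2026, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # Burst: one source, twelve different unverified requester addresses in under a minute
    [(T0 + timedelta(seconds=5 * i), "203.0.113.7", f"victim{i}@example.org", False)
     for i in range(12)]
    # One customer filing two tickets under the same address
    + [(T0 + timedelta(minutes=m), "198.51.100.20", "alice@example.com", False)
       for m in (0, 30)]
    # Verified (logged-in) users: the case the "verified users only" setting allows
    + [(T0 + timedelta(minutes=m), "192.0.2.5", f"user{m}@example.net", True)
       for m in range(10)]
    # Shared office address: several customers, but spread out over time
    + [(T0 + timedelta(minutes=10 * i), "192.0.2.99", f"cust{i}@example.com", False)
       for i in range(8)]
)

def find_relay_sources(events, window=timedelta(minutes=5), max_distinct=5):
    """Return {source: peak number of distinct unverified requester addresses
    seen inside any sliding window} for sources exceeding max_distinct."""
    recent = defaultdict(deque)  # source -> (timestamp, email) pairs still in window
    flagged = {}
    for ts, source, email, verified in sorted(events):
        if verified:
            continue  # address ownership was already proven; not the relay case
        queue = recent[source]
        queue.append((ts, email.lower()))
        while ts - queue[0][0] > window:  # drop entries older than the window
            queue.popleft()
        distinct = len({addr for _, addr in queue})
        if distinct > max_distinct:
            flagged[source] = max(flagged.get(source, 0), distinct)
    return flagged

if __name__ == "__main__":
    for source, peak in find_relay_sources(SAMPLE_EVENTS).items():
        print(f"{source}: {peak} distinct unverified requesters within 5 minutes")
```

Counting distinct requester addresses rather than raw ticket volume keeps a single customer who files several tickets from being flagged; the window and threshold need tuning against real intake traffic.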



