The Support Trap: How Hackers Turned Zendesk Into a Global Spam Engine
Since mid-January, a global surge of erratic electronic correspondence has provoked widespread consternation among users. The catalyst for this deluge was a vulnerability within the Zendesk customer support infrastructure, which malevolent actors subverted into an instrument for extensive spam dissemination.
The inaugural wave of this digital inundation was documented on January 18. Recipients reported receiving hundreds of missives with subjects ranging from the alarmist to the absurd—invoking “URGENT LAW ENFORCEMENT INQUIRIES,” promises of “FREE DISCORD NITRO,” or desperate pleas for “HELP!”
Certain subject lines were embellished with decorative multilingual characters, further amplifying the sense of chaotic disruption. Notably, these communications appeared devoid of malicious hyperlinks or overt phishing stratagems; their primary objective seemed to be the disorientation and irritation of the populace.
The crux of the exploit lies in a systemic configuration within Zendesk that permits the submission of support tickets without prior email verification. Exploiting this oversight, anonymous entities populated support forms using the identities of random individuals. Consequently, the service automatically dispatched “ticket received” notifications to the unwitting victims. This lack of verification, coupled with unrestrained automation, allowed for a massive mailing campaign to be subsidized by legitimate corporate support systems.
The fallout impacted the clientele of dozens of prominent organizations, including Discord, Tinder, Riot Games, Dropbox, CD Projekt, Maya Mobile, NordVPN, as well as governmental bodies like the Tennessee Department of Labor and Workforce Development. Educational platforms like Kahoot, wellness services like Headspace, and urban mobility firms such as Lime were similarly affected. Entities like Dropbox and 2K have formally acknowledged the incident, reassuring their users that systemic integrity remains uncompromised.
2K elucidated that their support architecture allows for submissions without registration to streamline feedback, yet clarified that inquiries involving sensitive account data are never processed without rigorous verification. In response to the crisis, Zendesk has fortified its defensive posture. The corporation announced bolstered activity monitoring and the implementation of restrictive measures to facilitate the rapid identification of spamming attempts. Furthermore, they reminded administrators of their prerogative to restrict ticket creation exclusively to authenticated users, thereby neutralizing the ability to designate arbitrary subjects and recipient addresses.
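The activity monitoring and the authenticated-only restriction described above can be sketched as follows. This is an added example, not Zendesk's code or API: the event schema, the five-minute window and the threshold of three addresses are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ticket-creation events in a hypothetical schema:
# (timestamp, source IP, requester address typed into the form, address verified?)
EVENTS = [
    ("2000-01-01T10:00:00", "198.51.100.7", "a@example.org", False),
    ("2000-01-01T10:00:20", "198.51.100.7", "b@example.org", False),
    ("2000-01-01T10:00:40", "198.51.100.7", "c@example.net", False),
    ("2000-01-01T10:01:00", "198.51.100.7", "d@example.com", False),
    ("2000-01-01T10:01:20", "198.51.100.7", "e@example.com", False),
    # Slow trickle: four distinct addresses, but never inside one window.
    ("2000-01-01T09:00:00", "203.0.113.20", "f@example.org", False),
    ("2000-01-01T09:20:00", "203.0.113.20", "g@example.org", False),
    ("2000-01-01T09:40:00", "203.0.113.20", "h@example.org", False),
    ("2000-01-01T10:00:00", "203.0.113.20", "i@example.org", False),
    # Signed-in customer whose address was verified at registration.
    ("2000-01-01T10:00:30", "192.0.2.5", "customer@example.com", True),
]

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_UNVERIFIED = 3             # assumed limit of distinct unverified addresses

def flag_relay_sources(events, window=WINDOW, limit=MAX_UNVERIFIED):
    """Return sources that opened tickets for more than `limit` distinct
    unverified requester addresses inside any sliding `window`."""
    by_source = defaultdict(list)
    for ts, source, email, verified in events:
        if not verified:
            by_source[source].append((datetime.fromisoformat(ts), email.lower()))
    flagged = set()
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({addr for _, addr in rows[start:end + 1]}) > limit:
                flagged.add(source)
                break
    return flagged

def should_send_acknowledgement(verified, source, flagged):
    """Strict policy: the automatic 'ticket received' mail goes out only to
    verified requesters whose source has not been flagged."""
    return verified and source not in flagged
```

Counting distinct addresses rather than raw ticket volume keeps a busy but legitimate submitter from tripping the rule, since one person reporting several issues still produces a single requester address.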