UNC6783 Hackers Steal Zendesk Tickets

Dozens of companies just got exposed. UNC6783 hackers are raiding Zendesk tickets via compromised BPOs, turning customer support into a goldmine for extortion.

UNC6783 Hackers Are Pillaging Zendesk Tickets from Dozens of Firms — theAIcatchup

Key Takeaways

  • UNC6783 exploits BPOs to access Zendesk tickets from dozens of firms via phishing and social engineering.
  • Phishing kits that capture the one-time code a rep pastes in bypass OTP-based MFA; phishing-resistant FIDO2 hardware keys are a must.
  • Audit vendors ruthlessly—outsourcing security is a myth.

Dozens. That’s how many corporate giants Google says UNC6783 has hit, swiping Zendesk support tickets by the armful.

These hackers aren’t breaking vaults. They’re conning business process outsourcers—BPOs, those invisible middlemen handling your customer gripes. One phishing hook into a BPO, and bam: access to high-value targets across sectors. Sensitive data flows out. Extortion emails land via ProtonMail. Pay up, or we spill.

Austin Larsen, Google Threat Intelligence’s principal analyst, nails it:

UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies.

Short. Brutal. True. But here’s the kicker: they don’t stop there. Sometimes they dial straight into the target’s own support staff. Live chat? A link to a spoofed Okta login page on a lookalike domain of the form zendesk-support<##>[.]com. The phishing kit grabs the one-time code the rep pastes in and relays it before it expires, so MFA is beaten. With a live session in hand, the attacker enrolls their own device as a new factor. Game over.

How UNC6783 Turns Your Helpdesk into a Liability

Look, BPOs sound efficient: cheaper offshore labor handling the tickets nobody in-house wants. They’re also a hacker’s dream backdoor. Compromise one, and you’ve got tickets stuffed with PII, employee records, even HackerOne bug reports. Remember Mr. Raccoon? Google is hinting UNC6783 might be kin to that clown, who bragged about breaching Adobe via another Indian BPO: 13 million tickets, RATs on employee machines, then phishing the boss. Crunchyroll was supposedly hit by the same crew. No proof was offered, but the pattern stinks.

And fake security updates? Delivering remote access malware. Classy. Post-theft, it’s ProtonMail shakedowns. No ransomware flair, just straight cash grabs.

It’s almost lazy genius. Why crack the castle when the drawbridge guy’s phone is in your pocket?

Is Zendesk Your Open Invitation to Hackers?

Zendesk. Beloved ticketing tool. Corporate lifeline for support woes. Also, apparently, a neon sign saying ‘Hack Me.’ Those lookalike domains, zendesk-support<##>[.]com, slip past casual eyes because real tenants live at <company>.zendesk.com and the brand name is right there. Support reps, stressed and rushed, click. MFA? A one-time code is just six digits sitting in a clipboard; if the kit snags it mid-paste and replays it within its validity window, your second factor is useless.

Google’s Mandiant drops the defenses: FIDO2 keys (phishing-resistant MFA, because the signed assertion is bound to the real origin), live-chat monitoring, blocking the spoof domains, auditing MFA enrollments. Solid. But why is this still happening? Companies outsource to save bucks, then skimp on securing the outsourcers. BPOs get the crumbs: underpaid staff, thin training. Perfect phishing fodder.
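Why the pasted code loses and the hardware key wins, as an added illustration (not Google, Mandiant, Zendesk or Okta code, and not part of the original report). The TOTP half follows RFC 6238 exactly; the WebAuthn half is a simplified model in which HMAC stands in for the authenticator’s ECDSA signature so the script needs only the standard library. The tenant name acme.okta.com, the lookalike host login.zendesk-support07.com and the challenge bytes are assumptions, not observed infrastructure.

```python
"""Why a pasted one-time code falls to a phishing kit and a FIDO2 assertion does not.

Added illustration, not vendor code. TOTP per RFC 6238; the WebAuthn side is a
simplified model where HMAC stands in for the authenticator's ECDSA signature.
Tenant names, the lookalike host and the challenge are constructed assumptions.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "acme.okta.com"                               # assumed IdP tenant
RP_ORIGIN = "https://acme.okta.com"
PHISH_ORIGIN = "https://login.zendesk-support07.com"  # assumed host in the reported pattern
CHALLENGE = bytes.fromhex("6f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, fixed for repeatability


# ---- OTP factor: the code is just a number, so whoever holds it can use it ----
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)


def phish_relay_totp(secret: bytes, t: int) -> bool:
    """Victim pastes the code into the fake page; the kit forwards it inside the 30 s window."""
    stolen = totp(secret, t)                   # what the rep pasted into the lookalike page
    return idp_verify_totp(secret, stolen, t)  # True: the IdP cannot tell it was relayed


# ---- FIDO2/WebAuthn factor: the signature covers the origin the browser really saw ----
def authenticator_sign(cred_key: bytes, rp_id: str, challenge: bytes, origin: str):
    """Model of a WebAuthn assertion. The browser, not the web page, writes `origin` into
    clientDataJSON, and the authenticator signs authData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()  # HMAC stands in for ECDSA in this model
    return client_data, auth_data, sig


def rp_verify_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: bytes, assertion):
    """Relying-party checks, in the order WebAuthn specifies them."""
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("origin") != origin:
        return False, "origin mismatch"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch"
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legit_fido2_login(cred_key: bytes):
    assertion = authenticator_sign(cred_key, RP_ID, CHALLENGE, RP_ORIGIN)
    return rp_verify_assertion(cred_key, RP_ID, RP_ORIGIN, CHALLENGE, assertion)


def phish_relay_fido2(cred_key: bytes):
    """The kit fetches the real challenge and forwards it, but the victim's browser stamps
    the phishing origin into clientDataJSON and scopes the request to the phishing rpId
    (a real key would not even hold a credential for that rpId). The relay fails."""
    assertion = authenticator_sign(cred_key, "login.zendesk-support07.com", CHALLENGE, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, RP_ID, RP_ORIGIN, CHALLENGE, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B test-vector seed
    print("TOTP relayed by the kit accepted:", phish_relay_totp(seed, 59))
    print("FIDO2 direct login:", legit_fido2_login(b"device-bound-key"))
    print("FIDO2 relayed by the kit:", phish_relay_fido2(b"device-bound-key"))
```

The point is the first check in rp_verify_assertion: the kit can proxy the challenge perfectly, but it cannot make the victim’s browser write acme.okta.com into clientDataJSON while the address bar says zendesk-support07.com, and the signature covers that field.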

My hot take? This reeks of Uber. In 2016, attackers pulled engineers’ cloud credentials from a code repository and grabbed data on 57 million riders and drivers; Uber quietly paid them $100,000 to keep it buried. In 2022, an attacker bought a contractor’s stolen password and spammed MFA push prompts until the contractor approved one. History rhymes: third parties are the weak link du jour. Bold prediction: unless firms mandate FIDO2 across all vendors, UNC6783 spawns copycats. We’ll see Adobe confirm that breach soon, too. PR spin can’t hold forever.

But wait. Fake updates dropping RATs? That’s evolution. From pure social engineering to malware drops. These aren’t script kiddies; they’re pros sniffing for easy wins.

Corporate hype calls BPOs ‘scalable solutions.’ Bull. They’re scalpel cuts waiting to fester. Google patting itself on the back for spotting this? Cute. But they’re late—Raccoon was yapping months ago.

Why Does This Matter for Your Security Team?

You’re a CISO. Reading this over coffee. Heart sinking yet? Good. Time to audit.

First, live chats. Monitor ‘em like hawks. Anomalies scream social engineering.

Second, MFA audits. Weekly. Who enrolled what, when, from where? Revoke any factor nobody can explain.

Third, vendor vetting. BPOs? Treat ‘em like insiders. Same standards, or boot ‘em.

Google pushes automated pentesting plus breach simulation. Fine. But humans fail here—train ‘em relentless.

And Zendesk users? Block the lookalike pattern (zendesk-support<##>[.]com) as a wildcard at the web proxy and mail gateway, and alert on any Zendesk- or Okta-branded hostname that isn’t under the real domain. It’s low-hanging fruit.
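The three checks above (watch the chats, audit enrollments, block the lookalikes) can be tied together in one detection: a new MFA factor enrolled minutes after the same agent was sent a lookalike link. The script below is an added example, not Google, Mandiant or Zendesk tooling. Its chat and MFA lines are constructed, tab-separated samples; real Zendesk exports and Okta System Log events have their own schemas and would need their own parsers. The event name mfa.factor.enroll, the agent names and the hosts are assumptions.

```python
"""Correlate support-chat links with MFA enrollments.

Added example, not vendor tooling. The chat and MFA lines are constructed,
tab-separated samples; real Zendesk exports and Okta System Log events need
their own parsers. Event names, agent names and hosts are assumptions.
"""
import re
from datetime import datetime, timedelta

# Hosts that legitimately serve Zendesk and Okta logins. Anything that carries the brand
# name but is not under one of these suffixes is treated as a lookalike.
LEGIT_SUFFIXES = (".zendesk.com", ".okta.com", ".oktapreview.com")
BRANDS = ("zendesk", "okta")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def lookalike_hosts(text: str) -> list:
    """Hostnames in `text` that impersonate Zendesk or Okta, e.g. zendesk-support07.com."""
    hits = []
    for host in HOST_RE.findall(text):
        h = host.lower().rstrip(".")
        if not any(brand in h for brand in BRANDS):
            continue
        if any(h == suffix[1:] or h.endswith(suffix) for suffix in LEGIT_SUFFIXES):
            continue
        hits.append(h)
    return hits


def parse_chat(lines):
    """Constructed format: '<ISO time>\\t<agent>\\t<sender>\\t<message>'."""
    for line in lines:
        ts, agent, sender, msg = line.split("\t", 3)
        yield datetime.fromisoformat(ts), agent, sender, msg


def parse_mfa(lines):
    """Constructed format: '<ISO time>\\t<user>\\t<event>\\t<factor>'."""
    for line in lines:
        ts, user, event, factor = line.split("\t")
        yield datetime.fromisoformat(ts), user, event, factor


def correlate(chat_lines, mfa_lines, window=timedelta(minutes=30)):
    """Return (user, factor, enrollment time, host) for every MFA factor enrolled within
    `window` after a chat visitor sent that same agent a lookalike link."""
    exposures = [(ts, agent, host)
                 for ts, agent, sender, msg in parse_chat(chat_lines)
                 if sender == "visitor"
                 for host in lookalike_hosts(msg)]
    alerts = []
    for ts, user, event, factor in parse_mfa(mfa_lines):
        if event != "mfa.factor.enroll":
            continue
        for exposed_at, agent, host in exposures:
            if agent == user and exposed_at <= ts <= exposed_at + window:
                alerts.append((user, factor, ts.isoformat(), host))
    return alerts


# Constructed sample data (not real transcripts or logs).
CHAT = [
    "2025-01-14T09:02:11\tdana.r\tagent\tHi, how can I help today?",
    "2025-01-14T09:03:40\tdana.r\tvisitor\tIT says you need to re-verify: https://login.zendesk-support07.com/okta",
    "2025-01-14T09:05:02\tmark.t\tagent\tYour ticket: https://acme.zendesk.com/agent/tickets/4411",
    "2025-01-14T09:06:30\tmark.t\tvisitor\tThanks, see https://acme.okta.com/app/dashboard too",
]
MFA = [
    "2025-01-14T09:09:55\tdana.r\tmfa.factor.enroll\tokta_verify_push",
    "2025-01-14T09:12:00\tdana.r\tmfa.factor.verify\tokta_verify_push",
    "2025-01-14T13:30:00\tmark.t\tmfa.factor.enroll\tokta_verify_push",
]

if __name__ == "__main__":
    for alert in correlate(CHAT, MFA):
        print("ALERT new factor after lookalike link:", alert)
```

Only dana.r fires: she was handed a zendesk-support07 link by a visitor and a new push factor appeared six minutes later. mark.t’s enrollment is hours after a legitimate acme.okta.com link and stays quiet. The suffix check, rather than a fixed regex on zendesk-support<##>, is what lets the same rule catch the next variant the actor rotates to.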

This isn’t nation-state wizardry. It’s gritty, opportunistic crime. UNC6783 proves high-value hits don’t need zero-days. Just patience and a good script.

Worse, links to Raccoon hint at loose affiliations. One hacker bragging on forums, next hitting Crunchyroll. Ecosystem of pain.


Frequently Asked Questions

What is UNC6783?

UNC6783 is a threat actor Google tracks for targeting BPOs to steal Zendesk tickets from big companies, using phishing and social engineering for extortion.

How do UNC6783 hackers target Zendesk?

They spoof Zendesk domains in live chats, push fake Okta logins that steal clipboard MFA codes, and sometimes drop malware via bogus updates.

How to stop UNC6783 attacks?

Deploy FIDO2 keys, monitor chats, block spoofed domains, audit MFA enrollments, and vet BPOs like they’re your own staff.

Marcus Rivera
Written by

Tech journalist covering AI business and enterprise adoption. 10 years in B2B media.



Originally reported by Bleeping Computer
