Scam CrowdStrike domains growing in volume
Hundreds of malicious domains exploiting CrowdStrike’s branding are appearing all over the web in the wake of the 19 July outage. Experts from Akamai share some noteworthy examples, along with guidance on how to avoid getting caught out
As global efforts to recover and learn from the Friday 19 July CrowdStrike incident continue, cyber criminals and scammers are predictably lurking on the fringes of the discourse, picking off unsuspecting victims, supported by over newly created malicious domains associated with CrowdStrike’s branding.
This is according to web security specialist Akamai, which said its researchers have identified more than 180 such domains – the true number is likely higher – including one that was ranked in the top 200,000 sites for associated keywords.
The top sectors targeted by these websites appear to be charities and non-profit organisations, and education providers, both of which are highly targeted by malicious actors ordinarily as they are comparatively less likely to have implemented, or to be able to afford in many instances, appropriate cyber security training or defensive measures.
Writing on the firm’s website, Akamai’s Tricia Howard said that as was often the case with newsworthy events, threat actors had immediately attempted to exploit the situation, and the extent and impact of the CrowdStrike incident, which caused millions of Windows devices to turn blue, and prompted disconcerted users – many of them without a background in IT or security – to hunt for answers wherever they could find them, putting them at great risk of social engineering.
Akamai’s teams analysed reams of data drawn from its global edge network to identify the top malicious domains used for CrowdStrike incident scams and other exploits – including the distribution of wiper and infostealing malware, and remote access Trojans (RATs).
The most widely used domains all leveraged CrowdStrike’s branding to some degree, and many purported to offer either information or solutions to the incident. These included domains such as crowdstrike-bsod.com, crowdstrikefix.com, crowdstrike-helpdesk.com, microsoftcrowdstrike.com and crowdstrikeupdate.com.
One domain observed even appeared to exploit the WhatIs family of websites owned and operated by Computer Weekly’s parent TechTarget, using whatiscrowdstrike.com.
According to Howard, the majority of the domains Akamai uncovered carry the .com top level domain (TLD), lending them a subtle authority, and deployed common keywords such as helpdesk or update that are likely being frequently used by people seeking information. In such a way, their backers are able to feign legitimacy by pretending to offer, for example, technical or legal support.
“If you are affected by the outage and are looking for information, we recommend that you consult credible sources such as CrowdStrike or Microsoft. Although other outlets may seem to have more up-to-date information, it may not be accurate – or worse, the site may have a malignant purpose,” wrote Howard.
“It is likely we will see more phishing attempts associated with this issue beyond the time when every device is remediated. A simple scroll through social media can provide an attacker with a sense of which brands generate the most heightened emotions and which are ripe to impersonate for malevolent gain.
“This is an attacker’s job, and it’s important to remember that. Malicious campaign operations function just as we do in legitimate corporations: the victims are their ‘customers,’ and the varied tactics presented in this post show how ‘plugged in’ to their customers they are. They know how to effectively diversify their portfolio to ensure they end up with money in the bank,” she said.
Resilient and convincing infrastructure
To reinforce the point, and to demonstrate how hard it can be for individuals to pick out dodgy websites amid the noise of a standard web search, Howard explained that such phishing campaigns often demonstrate remarkably resilient infrastructure, orchestrated by “professionals” with skills that in some cases rival those found in an enterprise.
Many of the scam sites will also include fairly standard measures that people will be well-used to seeing on secure domains, such as SSL validation. Others may even redirect at some point to the actual CrowdStrike website.
The most sophisticated campaigns will even have failover and obfuscation mechanisms built in, and their backers can quickly change their appearance.
Additionally, the Akamai team believes that least one of the observed domains seen exploiting CrowdStrike appears to be part of a large phishing network. This site, tracked as crowdstrikeclaim.com, stood out to the researchers for its exploitation not just of CrowdStrike, but of a genuine New York law firm that has been involved in real-life class action lawsuits.
The domain contained an embedded Facebook ID known to be malicious, which at one time linked to covid19-business-help.qualified-case.com, a malicious site taking advantage of US government aid programmes during the pandemic. That website in turn contains another embedded Facebook ID linking to as many as 40 other malicious sites.
Mitigating the phish
For ordinary individuals who may find themselves on a CrowdStrike-linked page, Akamai’s advice is to check for a number of indicators of ill intent. This can include looking for the certificate and domain issuer when accessing over HTTPS; avoiding any domains that request sensitive information, such as credit card details; and ignore and delete any emails that claim to offer help. The most effective solution, however, remains to only follow advice and remediation steps from CrowdStrike itself.
Security pros and IT admins can also take additional steps, including to block known and related indicators of compromise (IoCs) – Akamai’s list is available now on GitHub – and to perform a lateral movement gap analysis, or adversary emulation.
Howard noted that financially motivated cyber criminals will look for any opportunity to drop ransomware, and although the CrowdStrike incident is not linked to a zero-day vulnerability, she pointed out that there are still potential ways in for an attacker who now knows what technology, i.e. CrowdStrike, their potential victim is using in its cyber stack.
“This could become relevant in the event that a future CVE is discovered within the Falcon product. Attackers are only getting more sophisticated, and each additional piece of the tech stack puzzle they have makes that puzzle easier to solve,” she warned.
Computer Weekly and TechTarget coverage of the CrowdStrike incident
- 19 July 2024: An update to CrowdStrike’s Falcon service has led to many Windows users being unable to work this morning. Microsoft 365 is also affected.
- The Emis Web IT system used by more than half of GP practices in the UK is down, following the worldwide Microsoft outage.
- The global outage of Microsoft is rapidly sending shockwaves across all sectors, demonstrating the risk of having a single point of failure.
- A CrowdStrike update with a faulty sensor file has global implications for Windows systems. But competitors need to limit the finger-pointing in case it happens to them.
- As organisations recover from today’s outages, the cyber security industry will need to develop new security software evaluation criteria and requirements and learn to parlay risks.
- 22 July: About 8.5 million devices globally were hit by the botched CrowdStrike update, with a significant number now back online and operational.
- The concentration of so much mission-critical technology in the hands of a few large suppliers makes incidents like the Microsoft-CrowdStrike outage all the more dangerous.
- Financially motivated cyber criminals are already conducting opportunistic attacks on organisations that leverage the CrowdStrike incident, and more targeted attacks are sure to follow.
- 23 July: The ‘blue screen of death’ signals a catastrophic Windows failure, which is exactly what many people faced on 19 July 2024 – but why did it happen? One former Microsoft engineer has a theory.
- Disaster recovery has centered on cyberattacks the past few years, but the CrowdStrike outage illustrates why companies can't forget about traditional business continuity.
- 24 July: Enterprises that emerged unscathed from the roll-out of the botched CrowdStrike software update are being urged to view it as a wake-up call rather than a lucky escape.
- The largest global organisations hit by the CrowdStrike - Microsoft incident on 19 July will likely be out of pocket to the tune of billions of dollars.
- CrowdStrike publishes the preliminary findings of what will be a lengthy investigation into the root causes of the failed 19 July update that caused Windows computers to crash all over the world.
- 25 July: Microsoft has pointed the finger at EU reguators, blaming them for a ruling that means it needs to offer third parties like CrowdStrike access to the core Windows OS.
- 26 July: Experts say efforts to avoid incidents such as last week's CrowdStrike outage will face time-honoured tradeoffs between velocity, stability, access and security.
- CrowdStrike customers grappling with blue screens of death from the recent IT outage may be able to sidestep BitLocker encryption schemes and recover their Windows systems.
