Scam CrowdStrike domains growing in volume

Hundreds of malicious domains exploiting CrowdStrike’s branding are appearing all over the web in the wake of the 19 July outage. Experts from Akamai share some noteworthy examples, along with guidance on how to avoid getting caught out

Alex Scroxton,
Security Editor

Published: 29 Jul 2024 15:18

As global efforts to recover and learn from the Friday 19 July CrowdStrike incident continue, cyber criminals and scammers are predictably lurking on the fringes of the discourse, picking off unsuspecting victims, supported by over newly created malicious domains associated with CrowdStrike’s branding.

This is according to web security specialist Akamai, which said its researchers have identified more than 180 such domains – the true number is likely higher – including one that was ranked in the top 200,000 sites for associated keywords.

The top sectors targeted by these websites appear to be charities and non-profit organisations, and education providers, both of which are highly targeted by malicious actors ordinarily as they are comparatively less likely to have implemented, or to be able to afford in many instances, appropriate cyber security training or defensive measures.

Writing on the firm’s website, Akamai’s Tricia Howard said that as was often the case with newsworthy events, threat actors had immediately attempted to exploit the situation, and the extent and impact of the CrowdStrike incident, which caused millions of Windows devices to turn blue, and prompted disconcerted users – many of them without a background in IT or security – to hunt for answers wherever they could find them, putting them at great risk of social engineering.

Akamai’s teams analysed reams of data drawn from its global edge network to identify the top malicious domains used for CrowdStrike incident scams and other exploits – including the distribution of wiper and infostealing malware, and remote access Trojans (RATs).

The most widely used domains all leveraged CrowdStrike’s branding to some degree, and many purported to offer either information or solutions to the incident. These included domains such as crowdstrike-bsod.com, crowdstrikefix.com, crowdstrike-helpdesk.com, microsoftcrowdstrike.com and crowdstrikeupdate.com.

One domain observed even appeared to exploit the WhatIs family of websites owned and operated by Computer Weekly’s parent TechTarget, using whatiscrowdstrike.com.

According to Howard, the majority of the domains Akamai uncovered carry the .com top level domain (TLD), lending them a subtle authority, and deployed common keywords such as helpdesk or update that are likely being frequently used by people seeking information. In such a way, their backers are able to feign legitimacy by pretending to offer, for example, technical or legal support.

“If you are affected by the outage and are looking for information, we recommend that you consult credible sources such as CrowdStrike or Microsoft. Although other outlets may seem to have more up-to-date information, it may not be accurate – or worse, the site may have a malignant purpose,” wrote Howard.

“It is likely we will see more phishing attempts associated with this issue beyond the time when every device is remediated. A simple scroll through social media can provide an attacker with a sense of which brands generate the most heightened emotions and which are ripe to impersonate for malevolent gain.

“This is an attacker’s job, and it’s important to remember that. Malicious campaign operations function just as we do in legitimate corporations: the victims are their ‘customers,’ and the varied tactics presented in this post show how ‘plugged in’ to their customers they are. They know how to effectively diversify their portfolio to ensure they end up with money in the bank,” she said.

Resilient and convincing infrastructure

To reinforce the point, and to demonstrate how hard it can be for individuals to pick out dodgy websites amid the noise of a standard web search, Howard explained that such phishing campaigns often demonstrate remarkably resilient infrastructure, orchestrated by “professionals” with skills that in some cases rival those found in an enterprise.

Many of the scam sites will also include fairly standard measures that people will be well-used to seeing on secure domains, such as SSL validation. Others may even redirect at some point to the actual CrowdStrike website.

The most sophisticated campaigns will even have failover and obfuscation mechanisms built in, and their backers can quickly change their appearance.

Additionally, the Akamai team believes that least one of the observed domains seen exploiting CrowdStrike appears to be part of a large phishing network. This site, tracked as crowdstrikeclaim.com, stood out to the researchers for its exploitation not just of CrowdStrike, but of a genuine New York law firm that has been involved in real-life class action lawsuits.

The domain contained an embedded Facebook ID known to be malicious, which at one time linked to covid19-business-help.qualified-case.com, a malicious site taking advantage of US government aid programmes during the pandemic. That website in turn contains another embedded Facebook ID linking to as many as 40 other malicious sites.

Mitigating the phish

For ordinary individuals who may find themselves on a CrowdStrike-linked page, Akamai’s advice is to check for a number of indicators of ill intent. This can include looking for the certificate and domain issuer when accessing over HTTPS; avoiding any domains that request sensitive information, such as credit card details; and ignore and delete any emails that claim to offer help. The most effective solution, however, remains to only follow advice and remediation steps from CrowdStrike itself.

Security pros and IT admins can also take additional steps, including to block known and related indicators of compromise (IoCs) – Akamai’s list is available now on GitHub – and to perform a lateral movement gap analysis, or adversary emulation.

Howard noted that financially motivated cyber criminals will look for any opportunity to drop ransomware, and although the CrowdStrike incident is not linked to a zero-day vulnerability, she pointed out that there are still potential ways in for an attacker who now knows what technology, i.e. CrowdStrike, their potential victim is using in its cyber stack.

“This could become relevant in the event that a future CVE is discovered within the Falcon product. Attackers are only getting more sophisticated, and each additional piece of the tech stack puzzle they have makes that puzzle easier to solve,” she warned.

Read more on Hackers and cybercrime prevention

CrowdStrike outage underscores software testing dilemmas