Cybercriminals exploit CrowdStrike outage with fake support sites

Following a widespread disruption stemming from a CrowdStrike Falcon content update on 19 July 2024, Akamai researchers have identified over 180 newly created malicious domains and scam sites purporting to offer assistance related to the incident. This surge in malicious activity comes in the wake of a significant technical issue that caused devices to display blue screens of death (BSODs) across multiple industries, impacting 8.5 million devices worldwide.

The faltering update triggered a global wave of system outages affecting key sectors including aviation, government, and healthcare. In the aftermath, cybercriminals seized the opportunity to exploit the turmoil by launching scam sites targeting CrowdStrike customers, aiming to steal information and spread malware. Akamai’s research has highlighted the top three malicious domains imitating CrowdStrike assistance: crowdstrike-bsod.com, crowdstrikedown.site, and crowdstrikefix.com.

According to Akamai researchers, the incident's disruption saw non-profit organisations and the education sector experiencing a higher percentage of attacks than usual. This unsettling shift was quantified by observing that these sectors represented 29% of the attack traffic in the past week. Akamai noted that while high-technology and financial services often suffer the bulk of zero-day attacks, the surge in attacks on non-profit, education, and public sectors was unexpected.

The attacks spanned a variety of malicious activities including wipers, stealers, and remote access tools (RATs). Akamai's analysis of their global edge network data revealed the top trafficked scam domains, which used keywords commonly associated with the CrowdStrike incident to lure unsuspecting victims. These included terms often searched by those affected, such as "bsod" and "microsoft".

Kevin Gaskell, an analyst at Akamai, commented, "Threat actors saw the incident as an opportune moment for social engineering. By setting up scam sites, they aimed at exploiting the confusion surrounding the CrowdStrike outage." He further noted, "The domains mimicked legitimate support services, and several domains even used common elements designed to build trust." Examples include SSL validation and IT support appearances, which users typically associate with security.

The education sector's vulnerability is attributed to the high number of managed devices per institution and varying levels of technical proficiency among staff and students. Akamai's report also indicated the existence of advanced phishing infrastructures that professional threat actors employ, often including failover and obfuscation mechanisms to enhance persistence and evasion.

One particular phishing site (crowdstrikeclaim.com) was noted for its connection to a known malicious source that had previously exploited users during the pandemic. This site utilised logos of a legal firm and CrowdStrike to increase perceived reliability, further highlighting the sophisticated nature of some of these malicious campaigns.

Recommendations for individuals affected by the outage include verifying domain certificates and issuers when accessing sites over HTTPS, abstaining from providing sensitive information, and solely following recovery guidance from credible sources such as CrowdStrike or Microsoft. Additionally, it is advised not to open email attachments from domains resembling CrowdStrike, as these may contain malware.

Organisations are urged to perform lateral movement gap analyses or adversary emulations to assess exposure risks and implement necessary protections. Blocking known and related indicators of compromise (IOCs) and employing DNS sinkholing are also recommended to prevent communication with malicious domains.

Akamai stresses the importance of vigilance, as ongoing phishing attempts related to the CrowdStrike incident are anticipated. As attackers continue to evolve and understand the technical stack of potential targets, organisations and individuals must remain proactive in safeguarding their digital environments.