Hackers are already taking advantage of the CrowdStrike outage chaos
Hackers have been setting up phony websites meant to appeal to people seeking information on, or solutions to, the worldwide IT meltdown but in reality are designed to harvest visitors’ information or to breach their devices, the security experts said.
The fraudulent sites use domain names that include keywords such as CrowdStrike — the cybersecurity firm behind a faulty software update that led to the crisis — or “blue screen,” which is what computers affected by the CrowdStrike glitch display when they boot up.
The fraudulent sites may try to lure victims in by promising a quick fix to the CrowdStrike issue or scam them with offers of fake cryptocurrency.
In a bulletin about the outage, the Department of Homeland Security said it has witnessed “threat actors taking advantage of this incident for phishing and other malicious activity.”
“Remain vigilant and only follow instructions from legitimate sources,” said the bulletin issued by the Department’s Cybersecurity and Infrastructure Security Agency. CrowdStrike has issued its own guidance on what affected organizations can do in response to the issue.
The situation illustrates how a volatile, high-impact news event has created secondary risks for millions of people as malign actors try to benefit from the CrowdStrike disaster and as thousands of organizations scramble to recover from CrowdStrike’s faulty software update.
“It’s a pretty standard pattern we see following incidents on this scale,” said Kenn White, an independent security researcher specializing in network security, in an interview with CNN. “Criminals are tireless in their creative pursuits to exploit the most vulnerable.”
Amid Friday’s outage, CrowdStrike itself warned of hackers trying to exploit the situation by “leveraging the event as a lure.” In a blog post, CrowdStrike said malicious actors are not only creating fake websites but also impersonating CrowdStrike employees in scam emails and phone calls, even selling bogus software purporting to fix the glitch.
One example of that has been targeting Spanish-speaking CrowdStrike customers, the company said in a separate blog post. The attack comes in the form of a misleadingly named file called crowdstrike-hotfix.zip. When opened, the file installs malicious software that phones home to a server the hackers control and may use to give additional instructions to the malware.
There is currently no automated fix for recovering from the CrowdStrike software glitch, which security experts have said will mean a long and arduous recovery that’s likely to cost millions — if not billions — of dollars.
“CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support teams have provided,” the company said.
In some ways, what is currently playing out in cyberspace resembles how mis- and disinformation can overwhelm the public’s understanding of events taking place in the physical world.
Hackers commonly try to use high-profile news stories to funnel traffic their way. For example, after the massive Equifax data breach announced in 2017, security companies said they observed cybercriminals sending hundreds of thousands of phishing emails impersonating banks. The emails sought to prey on anxious victims who, given the Equifax news, may have been more likely to open an email from their financial institution, experts said at the time.
These types of event-driven scams are taking place against the backdrop of a broader rise in impersonation scams.
In recent years, the Federal Trade Commission has pointed to an uptick of scams in which cybercriminals pretend to be government officials or agencies, such as the Internal Revenue Service or the Social Security Administration. During the Covid-19 emergency, creative hackers even posed as FTC Chair Lina Khan and sent fake emails that falsely claimed the agency was distributing pandemic relief funds — prompting the FTC to plead with consumers not to respond to those messages.
Americans have collectively lost hundreds of millions of dollars to these impersonation scams, the FTC has said.
In a situation like the CrowdStrike outage, where people are searching for information in an urgent, fast-moving crisis and are hungry for solutions, phishing can mislead well-intentioned people and organizations into taking the wrong steps, making a bad deal even worse.
Phishing dangers compound other knock-on risks, as well. Some organizations may decide on their own to weaken or even disable their cybersecurity defenses while trying to get operations back to normal.
“As customers start to recover, they’ll most likely disable or modify their CrowdStrike protections,” said Azim Khodjibaev, a cybersecurity researcher at Cisco Talos, the cybersecurity arm of the networking company Cisco, in a post on X. “This is going to leave a whole [lot] of people exposed!”
If businesses start falling victim to phishing attacks that wind up compromising important data or key systems, it could have ripple effects for their corporate clients and consumers, warned Brett Callow, managing director of the cybersecurity practice at FTI Consulting.
“Bad actors routinely try to take advantage of current events, so it’s not all surprising to see them attempting to take advantage of this one,” Callow said. “And this, of course, is something that customers of companies which have experienced high profile incidents need to be ready for.”
The tech industry, specifically companies like CrowdStrike, should strengthen their security measures to prevent such impersonations and phony websites, as hackers are using the CrowdStrike IT meltdown to their advantage by creating tech-savvy scams. Businesses need to be vigilant and only trust information from official and legitimate sources to avoid falling victim to these phishing attacks.
