Hackers moved with lightning speed to take advantage of the unparalleled chaos that ensued following the widespread IT outage that occurred on Friday, taking millions of websites and computer systems offline.
Within hours of the outage being linked to a problem with the cybersecurity vendor CrowdStrike, numerous malicious websites began popping up online, looking to prey on people's desperation to recover vital business software systems. The fake websites are designed to trick people searching for advice on what to do to counter the global IT meltdown. While they claim to proffer assistance, in reality they're designed to scam users and harvest confidential information.
The CrowdStrike incident was one of the most widespread and devastating IT outages in history, impacting more than 8.5 million Microsoft Windows devices, according to reports. The cause was linked to a faulty CrowdStrike software update, which caused havoc with Windows systems globally, taking banks, shops, and media organizations offline and leading to hundreds of flight delays and cancellations.
Scammers seize the moment.
While CrowdStrike and Microsoft rushed to fix the problem as soon as they could, cybercriminals were able to react much faster. According to the U.S. Department of Homeland Security, "threat actors" emerged within hours of the incident, using it as an opportunity to spin up malicious websites and launch "phishing" campaigns.
The cybersecurity firm SentinelOne was one of the first to take note of the surge in malicious web domains propagating across the web.
"As is often the case with major newsworthy incidents, cybercriminals immediately began to use CrowdStrike-themed components in their campaigns in an attempt to capitalize on the misfortune of system administrators and users desperate to get their systems operational," the company said in a blog post. "This includes registering potentially malicious domains and naming files after 'CrowdStrike remediation' themes."
The cybercriminals spread their malicious links through targeted phishing emails and social media messages and posts, seeking out people who were actively searching for a solution to the problem. Many lured victims with the promise of a simple fix or even financial compensation, other reports said.
SentinelOne said it had identified thousands of "typo-squatting domains" registered in the wake of the incident, lookalike names built from misspellings of "CrowdStrike" or from the brand name combined with words such as "fix" or "remediation." Many of them charge for a purported "fix" to the outage, demanding payment of up to 1,000 euros.
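The screening a defender would run over a feed of newly registered domains to catch names like these, as an added example that is not part of the article and is not SentinelOne's or CrowdStrike's tooling: it folds common homoglyphs (0 for o, 1 for l), flags any domain that embeds the brand name, and otherwise measures edit distance from the brand to catch misspellings. The domain list, the allowlist, the theme words and the homoglyph table are all assumptions constructed for the illustration; a real deployment would read a certificate-transparency or zone-file stream and use the Public Suffix List to find the registrable label.

```python
"""Screen newly registered domains for CrowdStrike-themed lookalikes.

Added example, not from the article or from any vendor. The feed below is
constructed for illustration; nothing here is a real registration.
"""
from __future__ import annotations

BRAND = "crowdstrike"
ALLOWLIST = {"crowdstrike.com"}  # assumption: the legitimate registrable domain
MAX_DISTANCE = 2                 # misspellings this close to the brand are flagged
# assumption: words that scam sites pair with the brand name during an outage
THEME_WORDS = ("fix", "remediation", "recovery", "support", "bsod", "update")
# assumption: a small, illustrative homoglyph table, not an exhaustive one
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# constructed sample feed (not real registrations)
SAMPLE_FEED = [
    "crowdstrike.com",
    "support.crowdstrike.com",
    "crowdstrke.com",
    "crowdstr1ke.com",
    "cr0wdstrike-remediation.net",
    "crowdstrike.fix-support.xyz",
    "crowd-strike-hotfix.info",
    "microsoft.com",
    "example.org",
]


def fold(label: str) -> str:
    """Lower-case a label and collapse common homoglyphs, so 'cr0wdstrike' -> 'crowdstrike'."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> str | None:
    """Return why a domain looks like a brand lookalike, or None if it does not."""
    d = domain.lower().rstrip(".")
    if any(d == a or d.endswith("." + a) for a in ALLOWLIST):
        return None  # the real brand domain and its subdomains are never flagged
    labels = d.split(".")
    # assumption: single-label public suffix (.com, .net); use the Public Suffix List in practice
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    # remove hyphens so 'crowd-strike' and 'crowdstrike.fix-support' both match
    compact = fold(d).replace("-", "")
    if BRAND in compact:
        themed = [w for w in THEME_WORDS if w in compact]
        reason = "brand name embedded"
        return reason + (" with theme words " + ", ".join(themed) if themed else "")
    dist = levenshtein(fold(registrable).replace("-", ""), BRAND)
    if dist <= MAX_DISTANCE:
        return f"edit distance {dist} from {BRAND!r}"
    return None


def screen(domains: list[str]) -> dict[str, str]:
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {dom: reason for dom in domains if (reason := classify(dom)) is not None}


if __name__ == "__main__":
    for dom, reason in screen(SAMPLE_FEED).items():
        print(f"{dom:32} {reason}")
```

Two checks keep the false-positive rate tolerable: the allowlist removes the brand's own domains before any matching, and edit distance is measured on the registrable label only, so an unrelated long name is not pulled in just because it contains a short brand fragment.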
The plague of spoofed websites is another example of how high-profile outages can quickly escalate into more damaging crises. Indeed, it has become almost a standard modus operandi for hackers to pounce on such incidents, looking to exploit users when they're vulnerable. Following the massive Equifax data breach in 2017, cybercriminal gangs took advantage by sending thousands of emails to individuals, impersonating banks, and trying to get them to "take action" to protect their accounts.
Phishing kits make life simple for spoofers.
Gideon Hazam, co-founder and Chief Operating Officer of Memcyco, said it's not surprising that so many fake websites would pop up in the wake of the CrowdStrike incident because it has become easier than ever for hackers to quickly spin up a malicious domain and make it look like an official website.
Hazam pointed to a recent report by SlashNext on a new kind of "phish kit" that can be purchased on dark web forums and used by relative novices to spoof websites and launch phishing attacks. It's called FishXProxy, and it arms hackers with an array of tools to carry out professional phishing campaigns, including features to bypass spam filters and track the success of their attacks.
"FishXProxy is easy to use, making it relatively accessible even to individuals with minimal technical skills," Hazam said. "Among other elements, the kit features easy installation and setup processes, which simplify the initial deployment. It also includes automated SSL certificates, enhancing the legitimacy of impersonating websites. With this kit, cybercriminals can generate unlimited subdomains and random domains, which makes things even easier for them."
Malicious websites are becoming more common in general and do not only appear in response to widely publicized outages like the CrowdStrike incident. Indeed, such incidents are probably seen as little more than a bonus payday for the most professional cybercriminals.
A report by the U.S. Federal Trade Commission notes that so-called "brand impersonation" attacks, which involve spoofing a website or app to impersonate well-known companies, stole more than $1 billion from unsuspecting victims in 2023 alone. That represents an 85% increase over the last three years, the FTC said.
Brandjackers, as the scammers are known, can be extremely resourceful, taking advantage of whatever issue might be the flavor of the day. For instance, during the height of the COVID-19 pandemic, some hackers impersonated the FTC's chairwoman, Lina Khan, sending phony emails that promised to distribute pandemic relief funds, together with a malicious link that asked recipients for their personal details.
How to avoid the phishing hooks?
Many malicious websites can be extremely convincing, as are the phishing emails used to reel victims in, which makes it difficult for people to know what is real and what is not. However, Memcyco's Hazam said that companies and individuals can employ some effective methods to protect themselves from phishing attacks.
As a first step, Hazam advised companies to invest in educational programs to create more awareness of phishing tactics among their employees, many of whom might be unaware of such scams. But this alone won't be enough to guarantee their safety, because phishing emails play on human emotions, and their authors can be very convincing.
That's why Hazam also advises companies to use advanced, multi-layered security solutions that offer real-time phishing detection and response. Some of the most advanced offerings can even identify malicious websites and malware installation attempts, he added.
"In addition, strong authentication measures can significantly reduce the risks of phishing operations," Hazam continued. "Companies and users should also ensure that their email services have robust spam and phishing filters in place. Regularly updating operating systems, browsers and other software also helps protect against vulnerabilities that could be exploited by attackers."