From Outage to Onslaught : Understanding the Phishing Surge Post-CrowdStrike

Suspicious websites/URLs on the rise after Crowdstrike incident- issued in public interest and building awareness

On July 19, 2024, an IT outage at CrowdStrike led to a surge in phishing activities. Leveraging our internal tools, our threat intelligence team identified multiple phishing sites exploiting the situation. This blog post provides a detailed technical analysis, insights from the data, and recommendations for detecting and protecting against these phishing sites.

The speed at which potential threat actors act will be reflected in the number of domains that got registered within 24 hours from the incident. Our teams have put together a well researched list for public awareness so please share with as many people as possible and spread the word to be alert and aware of potential phishing traps.

Incident Context

At 04:09 UTC on July 19, 2024, CrowdStrike released a sensor configuration update for Windows systems. This update inadvertently triggered a logic error, resulting in a system crash (BSOD) on impacted systems. Although the issue was not caused by a cyberattack, it created a window of opportunity for malicious actors to exploit the situation.

Technical Details of Detected Phishing Sites

Common Characteristics

Registrar Concentration:

• Porkbun LLC:?Domains such as crowdstrikeoopsie.com, crowdstrike.fail.
• Cloudflare, Inc.:?Domains like crowdstrikewatch.com, crowdstrikereport.com.
• NAMECHEAP INC:?Domains including crowdstrikedown.com, iscrowdstrikedown.com.

Geographic Distribution:

• Majority of domains are registered in the United States, particularly in California (San Francisco), Washington (Seattle), and Georgia (Atlanta).
• Other notable locations include Germany (Munich), India (Mumbai), and the Netherlands (Middelburg).

IP Address Clustering:

• Multiple domains share similar IP addresses, indicating potential clustering on specific hosting services:
• Cloudflare IP addresses:?104.21.20.201, 104.21.90.96.
• Squarespace IP addresses:?198.185.159.144, 198.185.159.145.

Hosting Providers:

• Predominantly hosted by well-known providers such as Cloudflare and Squarespace, which offer robust security features but also allow malicious actors to exploit these services until detected.

Inferences

1. Rapid Registration and Deployment:

• The majority of these domains were registered within hours of the CrowdStrike outage announcement, indicating a highly organized effort to exploit the vulnerability window.
• The use of various registrars and hosting providers suggests an attempt to diversify and evade detection by using multiple platforms

2. Geographic and Registrar Patterns:

• The concentration of registrations in the United States, particularly in tech-heavy states like California, points to a strategic choice to blend in with legitimate traffic.
• The repeated use of certain registrars like Porkbun, Cloudflare, and Namecheap may indicate either a preference for their features or a concerted effort to exploit perceived weaknesses in their registration processes.

3. IP Address Reuse:

• The clustering of IP addresses, particularly those associated with Cloudflare and Squarespace, highlights the use of shared hosting services to minimize costs and streamline deployment.
• This reuse of IP addresses also suggests that these phishing domains may be part of larger networks or botnets designed for rapid exploitation of such vulnerabilities.

Recommendations

1. Enhanced Verification Processes:

Train users to verify the authenticity of emails and links. Encourage cross-checking with official CrowdStrike communications and the use of trusted channels.

2. Domain and IP Whitelisting:

• Implement strict whitelisting for trusted domains and IP addresses to ensure only verified sources are allowed access within organizational networks.

3. Continuous Monitoring and Alerts: Set up systems for continuous monitoring of newly registered domains resembling CrowdStrike. Utilize WHOIS lookup services and threat intelligence platforms for early detection and alerts.

4. Employee Training and Awareness: Conduct regular training sessions for employees and IT staff on recognizing phishing attempts and understanding the risks associated with interacting with suspicious emails and websites.

5. Advanced Security Solutions: Deploy advanced email and web filtering solutions capable of detecting and blocking phishing attempts. Leverage AI and machine learning technologies to identify and mitigate patterns of malicious activity.

6. Incident Reporting and Response: Establish a clear incident response plan for handling phishing attacks. Encourage prompt reporting of any suspicious activities to the cybersecurity team.

Conclusion

The CrowdStrike outage has led to an influx of phishing activities, with malicious actors rapidly registering and deploying phishing sites to exploit the situation. By implementing the recommendations provided in this report, organizations can enhance their defenses against these phishing attacks and protect their users from falling victim to scams.

How Our Fraud Prevention and Cyber Threat Intelligence Platform Can Help

Our fraud prevention and cyber threat intelligence platform is uniquely positioned to help organizations automatically detect and respond to phishing sites targeting CrowdStrike and other similar incidents. Leveraging advanced machine learning (ML) and artificial intelligence (AI) techniques, our solution can monitor various platforms and newly registered domains in real-time, gathering relevant details and presenting them in a comprehensive dashboard. Here's how our platform can make a significant impact:

1. Automated Monitoring:

• Our platform continuously scans various online platforms, including social media, forums, and Telegram channels, for newly registered domains and mentions of suspicious activities.
• Real-time monitoring ensures that any new phishing domain targeting CrowdStrike is detected as soon as it is registered.

2. Advanced Detection Techniques:Machine Learning and AI:?Our algorithms analyze patterns and behaviors associated with phishing domains, identifying potential threats with high accuracy.

• Image Recognition and Logo Detection:?Our platform uses image recognition to detect logos and branding elements, identifying fake websites mimicking legitimate ones.
• Optical Character Recognition (OCR):?OCR technology extracts text from images and web pages, helping to identify malicious content even if it is embedded in graphics.

3. Comprehensive Dashboard:

• The platform presents all findings in an intuitive and comprehensive dashboard, providing users with detailed information on detected phishing sites.
• Users can view domain registration details, IP addresses, geographic locations, and associated registrars at a glance.

4. Actionable Insights and Takedown Requests:

• The dashboard not only provides visibility but also actionable insights, allowing users to assess the threat level and take immediate action.
• Users can directly request takedowns of suspicious and phishing domains from the dashboard, streamlining the process of removing malicious sites.

5. Seamless Integration and Support:

• Our platform integrates seamlessly with existing security infrastructure, enhancing your organization's overall cybersecurity posture.
• Continuous updates and support ensure that our platform evolves with emerging threats, providing robust protection against new phishing techniques.

By incorporating these advanced capabilities, our fraud prevention and cyber threat intelligence platform empowers organizations to stay ahead of cybercriminals, ensuring that phishing attempts are detected and neutralized swiftly. The combination of automated monitoring, sophisticated detection techniques, and a user-friendly dashboard makes our platform an essential tool in the fight against phishing and other cyber threats.

For more information on how our platform can enhance your ?cybersecurity measures and protect against phishing attacks, please contact our sales team or request a demo through our website.

• Reach out to [email protected]?for partnering with us in the fight against fraud and cybercrimes.
• Guard your brand and overcome phishing attacks with BrandGuard 360