Phishers Feast on CrowdStrike Chaos: Exploiting Global Outage for Cyber Scams

Renmarc Andrada 20/07/2024

Yesterday’s global IT outage, caused by a faulty update from CrowdStrike, left thousands of Windows hosts stuck on a Blue Screen of Death (BSOD).

What Exactly Happened on July 19th, 2024?

The BSOD stems from a CrowdStrike Falcon Sensor update, and it rendered critical devices in every sector (e.g., healthcare, finance, travel) inoperable. According to CrowdStrike CEO George Kurtz, "This is not a security incident or cyberattack." CrowdStrike's website states that a fix has been deployed, but many customers are still experiencing disruptions. Many IT professionals are resorting to the manual fix described in this Reddit post, since some workstations cannot receive the update because of other issues. In short, the outage has caused a great deal of damage, and it is still ongoing at the time of writing.

The CrowdStrike update caused significant global IT disruptions, affecting airlines, banks, hospitals, and telecommunications. Over 30,000 flights were delayed or canceled, with major disruptions at Delta, American Airlines, and United Airlines. Tesla, SpaceX, and X CEO Elon Musk announced the removal of CrowdStrike from their systems. Other companies like TD Bank, Visa, ADP, and Verizon also reported outages. Despite the turmoil, hackers did not cease operations.

A Global Feast for Phishers: Abusing the Chaos

Just hours after the disruption began, phishing emails mimicking CrowdStrike support started circulating, along with malicious domains promising fake fixes. Although George Kurtz's message on X made clear that the outage itself is NOT a security incident, it looks like real security incidents may well result from the chaos.

Cybercriminals are leveraging the heavy media attention surrounding the outage to deceive users. Some of the malicious domains identified include:


Disclaimer: The domains above are not an exhaustive list, and please note that visiting these URLs without a properly isolated environment can be dangerous.

As the Whois record below shows, these websites have a creation date of 2024-07-19, the day of the outage. Domains this fresh are not legitimate by any means. These fake sites aim to trick users into downloading malicious software or handing over sensitive information under the guise of offering technical support.

[Figure: Whois results for the crowdstrike0day[.]com phishing site]
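The creation-date check above is easy to automate. As an added example (not code from the original post), this Python helper refangs indicators written in the hxxp:// and [.] style used above, flags hostnames that contain or typosquat the brand name, and keeps only those whose Whois creation date falls within a few days of the outage or for which no record could be retrieved. The sample indicators and creation dates are constructed for illustration; real triage would pull the dates from a Whois or RDAP lookup.

```python
import re
from datetime import date
BRAND = "crowdstrike"
OUTAGE_DATE = date(2024, 7, 19)  # day of the faulty Falcon Sensor update

def refang(indicator):  # defanged indicator (hxxp://, [.]) -> bare hostname
    s = re.sub(r"^(hxxps?|https?)://", "", indicator.strip().lower())
    s = s.replace("[.]", ".").split("/", 1)[0]
    return s[4:] if s.startswith("www.") else s

def levenshtein(a, b):  # edit distance, catches typosquats such as 'crowdstriek'
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_signal(host):
    """Why the hostname resembles the brand, or None if it does not."""
    for label in host.split("."):
        if BRAND in label:
            return "contains brand name"
        letters = re.sub(r"[^a-z]", "", label)
        # slide a brand-sized window over the label to catch 'crowdstrokeme'
        for start in range(max(1, len(letters) - len(BRAND) + 1)):
            if levenshtein(letters[start:start + len(BRAND)], BRAND) <= 2:
                return "typosquat of brand name"
    return None

def triage(indicators, whois_created, event=OUTAGE_DATE, window_days=3):
    """Flag lookalikes registered within window_days of the event or with no record."""
    flagged = []
    for raw in indicators:
        host = refang(raw)
        reason = brand_signal(host)
        if reason is None:
            continue  # no resemblance to the brand: out of scope here
        created = whois_created.get(host)  # None = no Whois record retrieved
        if created is None:
            flagged.append((host, reason, "creation date unknown"))
        elif abs((created - event).days) <= window_days:
            flagged.append((host, reason, "registered " + created.isoformat()))
    return flagged

# Constructed sample (not live Whois data): names from the post plus the vendor's domain.
SAMPLE = ["hxxp://crowdstrike0day[.]com/", "www[.]crowdstrokeme[.]me",
          "crowdfalcon-immed-update[.]com", "crowdstrikefix[.]zip", "crowdstrike[.]com"]
WHOIS = {"crowdstrike0day.com": date(2024, 7, 19), "crowdstrokeme.me": date(2024, 7, 19),
         "crowdstrike.com": date(2010, 1, 1)}  # vendor date is an illustrative placeholder
```

Note that a name such as crowdfalcon-immed-update[.]com, which borrows the product name rather than the brand string, is not caught by this heuristic; keyword lists need to be extended per brand.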

Here is another example: this site attempts to deceive users into sending cryptocurrency to a wallet address, which I have redacted.

[Figure: Wallet address on a fake CrowdStrike page, another example of a CrowdStrike-themed scam]

Many domains have been linked to these phishing attacks. Fake support sites have been asking for Bitcoin and PayPal donations, exploiting the urgency and confusion of affected users. Please make sure you are communicating with CrowdStrike representatives only through the official channels:

Support Channel: https://supportportal.crowdstrike.com/

Phone (US): 1.888.512.8906

Phone (UK): +44 (118) 2285099

Email: info@crowdstrike.com

To close, this incident serves as a stark reminder to test updates and double-check before pushing to PROD—especially on a Friday. It is quite scary to see how many devices and industries were affected by this. Our world is very reliant on technology, but we must make sure that it is properly vetted. For more information, visit the 2024 CrowdStrike Incident Wikipedia page.

About Renmarc Andrada


Renmarc is an avid fan of the phrase 'sharing is the new learning'. As a content developer with years of experience under his belt, he dedicates most of his time to researching both old and new TTPs in broad areas such as DFIR, CTI, threat hunting and malware analysis.