The security firm CrowdStrike inadvertently caused mayhem around the world on Friday after deploying a faulty software update to the company’s Falcon monitoring platform that bricked Windows computers running the product. Fallout from the incident will take days to resolve, and the company is warning that, as system administrators and IT staff work on remediation, another threat is looming: predatory digital scams attempting to capitalize on the crisis.
Researchers on Friday afternoon began warning that attackers are reserving domain names and starting to spin up websites and other infrastructure to run “CrowdStrike Support” scams targeting the company’s customers and anyone who might be impacted by the chaos. CrowdStrike’s own researchers also warned about the activity on Friday and published a list of domains seemingly registered to impersonate the company.
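As an added defender-side illustration (not from the article, CrowdStrike, or the researchers it cites), a small Python heuristic that ranks newly seen hostnames by how closely they mimic the vendor's brand and whether they carry crisis-themed lure words; the allow-list, lure tokens and sample domains are constructed assumptions, not the list CrowdStrike published.

```python
import re
from difflib import SequenceMatcher

# Brand being impersonated and a small allow-list of its genuine domains.
# Assumption: the allow-list is illustrative; a defender would maintain the real one.
BRAND = "crowdstrike"
ALLOWLIST = {"crowdstrike.com"}
# Crisis-themed words scammers attach to a brand (assumption: chosen for illustration).
LURE_TOKENS = ("support", "help", "fix", "update", "recovery", "bsod", "outage", "patch")


def _letters(s):
    """Keep only a-z so hyphens and digits ('crowd-strike', 'cr0wdstrike') do not hide the brand."""
    return re.sub(r"[^a-z]", "", s)


def score_domain(domain):
    """Return (score 0-100, reasons) for how strongly a hostname looks like a brand lookalike."""
    host = domain.lower().strip(".")
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return 0, ["allow-listed vendor domain"]
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]  # naive: ignores multi-part suffixes
    if BRAND in _letters(registrable):
        score, reasons = 60, ["brand embedded in registrable label"]
    elif BRAND in _letters(host):
        score, reasons = 40, ["brand used as a subdomain of an unrelated domain"]
    else:
        ratio = SequenceMatcher(None, BRAND, _letters(registrable)).ratio()
        if ratio < 0.85:
            return 0, []
        score, reasons = 50, [f"registrable label resembles brand (similarity {ratio:.2f})"]
    lures = [t for t in LURE_TOKENS if t in host]
    if lures:
        score += 10 * len(lures)
        reasons.append("crisis lure token(s): " + ", ".join(lures))
    return min(score, 100), reasons


def triage(domains):
    """Rank candidate hostnames (e.g. from a new-registration or CT feed) by suspicion, dropping clean ones."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample input; none of these are the real domains CrowdStrike published.
SAMPLE = ["crowdstrike.com", "crowdstrike-bsod-fix.com", "crowdstrlke.com",
          "crowdstrike.fix-portal.net", "evilcrowdstrike.com", "example.org"]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE):
        print(f"{score:3d}  {host:28s} {'; '.join(reasons)}")
```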
“We know that adversaries and bad actors will try to exploit events like this,” CrowdStrike founder and CEO George Kurtz wrote in a statement. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.”
Attackers inevitably take advantage of prominent global events as well as topical issues in specific geographic areas to try to trick people into sending them money, steal target account credentials, or compromise victims with malware.
“Threat actors invariably attempt to capitalize on any major event,” says Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting. “Whenever an organization experiences an incident, it’s something customers and business partners should be prepared for.”
While most individuals are not personally responsible for addressing CrowdStrike-related computer outages, the incident is ripe for exploitation because some of the IT professionals working on remediation could be desperate for solutions. In most cases, the fix for impacted computers involves individually booting and correcting each one—a potentially time-consuming and logistically difficult process. And for small-business owners who don’t have access to extensive IT expertise, the challenge may be particularly daunting.
Researchers, including those from CrowdStrike intelligence, have thus far seen attackers sending phishing emails or making phone calls in which they pretend to be CrowdStrike support staff and sell software tools that claim to automate the process of recovering from the faulty software update. Some attackers are also pretending to be researchers and claiming to have special information vital to recovery—that the situation is actually the result of a cyberattack, which it’s not.
CrowdStrike emphasizes that customers should confirm that they are communicating with legitimate company staff members and only trust the company’s official corporate communications.
“Speedy alerts to employees outlining potential risks will help,” Callow says of how CrowdStrike customers should work to defend themselves. “Forewarned is forearmed.”