Co-authored with Christopher Kim, Infoblox Threat Intelligence
It’s impressive (and a little discouraging) to see how quickly the bad guys capitalize on current events. In the wake of the worldwide Windows outage caused by a bug in CrowdStrike’s software, opportunists have registered many lookalike domains. For a complete list, please see the Infoblox Threat Intelligence GitHub repo, https://github.com/infobloxopen/threat-intelligence/tree/main. Here’s a summary:
- Between July 19th and 23rd, we detected 194 CrowdStrike lookalike domains.
- Of these, 60 are likely used in phishing campaigns.
- 27 are likely used in other malicious activities.
- Four are likely used in spam operations.
- 57 were set up defensively (that is, registered with CSC Corporate Domains for brand protection purposes).
To give you an idea of the nature of these domain names, here’s a screenshot from the website fix-crowdstrike-apocalypse[.]com:
This site advertises a (probably fake)[1] program that can restore Windows computers that have been affected by the outage, and offers two methods of payment, Bitcoin and Ethereum.
These numbers—over 90 malicious domain names registered in a few days—highlight how important it is to exercise caution after a major event like the CrowdStrike-induced Windows outage, but also what an important role DNS-based security can play in protecting your users and infrastructure: Infoblox’s algorithms flagged these lookalikes in real time, categorized them into malicious, suspicious and benign, and added them to our threat feeds to prevent our customers from becoming victims.
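To show the kind of first-pass triage a defender can run over a feed of newly registered domains, here is an added example (our own illustration, not Infoblox’s detection algorithm): it normalizes each registrable label, checks for the brand string, for outage-themed lure words, and for close typosquats. The lure-word list and all sample domains except fix-crowdstrike-apocalypse[.]com are constructed for the example; the label extraction assumes a single-label TLD such as .com.

```python
"""Flag CrowdStrike lookalike domains in a list of newly registered domains.

Added example, not Infoblox code. Sample domains are constructed except for
fix-crowdstrike-apocalypse[.]com, which appears in the post above.
"""
import re

BRAND = "crowdstrike"
# Constructed heuristic list of words that prey on outage victims
LURE_WORDS = ("fix", "recovery", "repair", "bsod", "outage", "update", "patch")
# Common digit-for-letter substitutions seen in lookalikes
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Undo [.] defanging and return the label left of the TLD.
    Assumption: single-label TLD (.com); a real tool would use the Public Suffix List."""
    d = domain.lower().replace("[.]", ".").strip(".")
    return d.split(".")[-2] if "." in d else d


def classify(domain):
    """Return brand / suspicious-lure / lookalike / typosquat / benign."""
    label = registrable_label(domain)
    norm = re.sub(r"[-_]", "", label).translate(LEET)   # drop separators, de-leet
    if norm == BRAND:
        return "brand"
    if BRAND in norm:
        remainder = norm.replace(BRAND, "")
        lure = any(w in remainder for w in LURE_WORDS)
        return "suspicious-lure" if lure else "lookalike"
    # Typosquat: a label of similar length within two edits of the brand
    if abs(len(norm) - len(BRAND)) <= 2 and levenshtein(norm, BRAND) <= 2:
        return "typosquat"
    return "benign"


def triage(domains):
    """Map each domain in a newly-registered feed to its category."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for d, cat in triage(["fix-crowdstrike-apocalypse[.]com", "cr0wdstrike-support.com",
                          "crowdstrlke.com", "crowdstrike.com", "example.com"]).items():
        print(f"{cat:16} {d}")
```

Results from a script like this are a prioritization aid for brand-protection and blocklist review, not a verdict; defensively registered domains such as those held by CSC will also match and need registrant checks.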
Footnotes
1. While we haven’t bought a copy, we suspect the advertised product isn’t a legitimate repair tool: based on its registration information, the domain name isn’t affiliated with CrowdStrike, and the registrant chose an anonymous DNS provider, which is consistent with malicious activity.