Infoblox Inc.

25/07/2024 | News release | Distributed by Public on 25/07/2024 22:26

Let’s Be Careful Out There

Co-authored with Christopher Kim, Infoblox Threat Intelligence

It's impressive (and a little discouraging) to see how quickly the bad guys capitalize on current events. In the wake of the worldwide Windows outage caused by a bug in CrowdStrike's software, opportunists have registered many lookalike domains. For a complete list, please see the Infoblox Threat Intelligence GitHub repo, https://github.com/infobloxopen/threat-intelligence/tree/main. Here's a summary:

  • Between July 19th and 23rd, we detected 194 CrowdStrike lookalike domains.
  • Of these, 60 are likely used in phishing campaigns.
  • 27 are likely used in other malicious activities.
  • Four are likely used in spam operations.
  • 57 were set up defensively (that is, registered with CSC Corporate Domains for brand protection purposes).

To give you an idea of the nature of these domain names, here's a screenshot from the website fix-crowdstrike-apocalypse[.]com:

This site advertises a (probably fake)[1] program that can restore Windows computers that have been affected by the outage, and offers two methods of payment, Bitcoin and Ethereum.

These numbers (over 90 malicious domain names registered in a few days) highlight how important it is to exercise caution after a major event like the CrowdStrike-induced Windows outage. They also show what an important role DNS-based security can play in protecting your users and infrastructure: Infoblox's algorithms flagged these lookalikes in real time, categorized them as malicious, suspicious or benign, and added them to our threat feeds to prevent our customers from becoming victims.
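To show the kind of heuristic a defender can run over newly observed domain names, here is an added example (not Infoblox's detection algorithm and not code from this post): it normalises defanged names, then flags labels that embed the brand string alongside extra words or sit within a small edit distance of it. The edit-distance threshold, the single-label TLD handling and all sample domains other than the one quoted above are assumptions constructed for the example.

```python
# Added illustrative example, not Infoblox's classifier. Flags domain names that
# resemble the "crowdstrike" brand by (a) embedding it among extra words or
# (b) being a near-miss spelling. MAX_EDITS and the "last label before the TLD
# is the registrable label" simplification (no public-suffix list) are assumed.
from collections import Counter
from typing import Optional

BRAND = "crowdstrike"
MAX_EDITS = 2  # assumed threshold; tune against your own false-positive rate


def refang(domain: str) -> str:
    """Normalise a possibly defanged name ('x[.]com') to plain lowercase."""
    return domain.strip().lower().replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """'embedded' (brand plus extra words), 'typosquat' (near-miss spelling) or None."""
    labels = refang(domain).split(".")[:-1]  # drop the TLD (assumed single-label)
    if not labels or labels[-1] == BRAND:
        return None  # crowdstrike.com and its subdomains are the genuine domain
    for label in labels:
        parts = label.split("-")
        if BRAND in parts or (BRAND in label and len(label) - len(BRAND) > MAX_EDITS):
            return "embedded"  # e.g. fix-crowdstrike-apocalypse.com
        for tok in [label, *parts]:
            if abs(len(tok) - len(BRAND)) <= MAX_EDITS and levenshtein(tok, BRAND) <= MAX_EDITS:
                return "typosquat"  # e.g. crowdstrlke.com
    return None


def summarize(domains) -> Counter:
    """Tally classifications, the way the post tallies its lookalikes by category."""
    return Counter(c for c in map(classify, domains) if c)


SAMPLE = [  # constructed for this example; only the first is quoted in the post
    "fix-crowdstrike-apocalypse[.]com", "crowdstrike-outage-fix[.]net",
    "crowdstrlke[.]com", "crowdstrikee[.]com", "crowdstrike[.]com",
    "support.crowdstrike[.]com", "example[.]org",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:36} {classify(d)}")
    print(summarize(SAMPLE))
```

A real pipeline would add registration-age, registrar and nameserver signals (the kind of evidence the footnote below relies on) before feeding a verdict into a DNS blocklist.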

Footnotes

  1. While we haven't bought a copy, we suspect the advertised product isn't a legitimate repair tool: based on its registration information, the domain name isn't affiliated with CrowdStrike, and the registrant chose an anonymous DNS provider, which is consistent with malicious activity.