Cybercrooks spell trouble with typosquatting domains amid CrowdStrike crisis

Latest trend follows various malware campaigns that began just hours after IT calamity


Thousands of typosquatting domains are now registered to exploit the desperation of IT admins still struggling to recover from last week's CrowdStrike outage, researchers say.

According to security shop SentinelOne, the number is growing by the day; however, current attempts are still relatively unsophisticated and largely opportunistic.

Typosquatting, as Reg readers know, is the term given to cybercrime that involves registering domains of interest but with small typos in the hope of catching genuine users and ultimately exploiting them for money.

Looking at examples of these campaigns, it's difficult to see what admin in their right mind would fall for this kind of crud, yet clearly some people think there's a business opportunity here.

Various forms of extortion and phishing have been spotted on these domains, and the most popular route appears to be themed around the sale of a fix.

SentinelOne offered one example, the now-dead URL for which was fix-crowdstrike-apocalypse[.]com, and showed how an executable to fix the BSOD issues was selling for €500,000 ($543,000) and the source code for it selling for double.
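As an added, defender-side illustration that is not from the article or from SentinelOne: a small Python triage heuristic of the kind a SOC might run over newly registered or observed domains, flagging those that contain the brand name or sit within a couple of edits of it. It is run over the domain quoted above plus a few constructed samples; the allowlist of legitimate domains, the edit-distance threshold and the sample domains are assumptions.

```python
import re

BRAND = "crowdstrike"
# Assumed allowlist of legitimate domains; anything else mentioning the brand is suspect.
LEGIT = {"crowdstrike.com"}

# Constructed sample list; the first entry is the domain quoted in the article (defanged).
SAMPLE_DOMAINS = [
    "fix-crowdstrike-apocalypse[.]com",
    "crowdstrlke[.]com",          # constructed: 'i' replaced by 'l'
    "crowdstirke-support[.]net",  # constructed: transposed letters plus a support theme
    "example[.]org",              # constructed: unrelated control
    "crowdstrike[.]com",          # the real brand domain, for comparison
]


def refang(domain: str) -> str:
    """Turn defanged notation such as 'example[.]com' back into a plain lowercase hostname."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".").strip()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_dist: int = 2) -> str:
    """Return 'legitimate', 'contains-brand', 'lookalike' or 'unrelated' for one domain."""
    host = refang(domain)
    if host in LEGIT or any(host.endswith("." + d) for d in LEGIT):
        return "legitimate"
    if brand in host:                      # e.g. fix-<brand>-apocalypse.com
        return "contains-brand"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label (simplified: ignores ccTLD suffixes)
    # compare each hyphen/underscore-separated token of the registrable label against the brand
    for token in re.split(r"[-_]", sld):
        if token and levenshtein(token, brand) <= max_dist:
            return "lookalike"
    return "unrelated"


def triage(domains=SAMPLE_DOMAINS) -> dict:
    """Map each input domain (as given) to its classification."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for domain, verdict in triage().items():
        print(f"{verdict:15} {domain}")
```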

Looking at that URL, who's getting fooled by this, really? A tech-illiterate user, maybe. CrowdStrike caters to the enterprise crowd, the professionals, so it's difficult to see how successful this would be, especially with prices like that.

Every campaign is different and potentially not quite as vacuous as this one. Some of the other domains, for example, are ever so slightly trickier:

Financial extortion isn't the only play either. Some researchers were reporting as early as Saturday, the day after the outage began, that phishing campaigns were under way designed to deliver remote access trojans such as Remcos disguised as hotfixes.

The incident wasn't isolated, and CrowdStrike was forced to issue a public memo on the same day warning against opportunistic cybercriminals exploiting the situation.

"CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided," it said.

Another warning came on Monday after the vendor spotted a Word document riddled with malicious macros doing the rounds, leading to a previously unidentified information stealer it now calls Daolpu.

Outage woes persist

Some CrowdStrike customers are still in the process of recovering their machines from BSOD errors days after the botched Falcon update.

So far, one of the best routes out of the trouble has been to repeatedly reboot affected machines and hope for the best. That's Microsoft's guidance for Azure VMs anyway. 

CrowdStrike has regularly updated its dedicated remediation page for the incident since Friday, with a number of methods now available to customers, and it's the first port of call for anyone still struggling to recover.

Information was being disseminated across social media, from various accounts, in the early hours of the incident – even from the director of OverWatch at CrowdStrike, Brody Nisbet. Nisbet has since deleted all of his xeets about the matter, replacing them with a pointer to the remediation page.

"If you're visiting my timeline looking for tweets on remediation guidance, they were removed when we stood up a public-facing web page to centralize our response," he said today.

According to some admins who have reported their experience of dealing with CrowdStrike directly in the last few hours, the vendor is encouraging customers to opt into an initiative that allows CrowdStrike itself to remediate affected endpoints from the cloud.

It requires contact with the support portal, doesn't work every time, and the feedback from others who say they've gone through the process has been mixed.

Some report a rapid acceleration in the remediation process with hundreds of endpoints fixed in rapid time, while others are stuck rebooting several times over in a largely hit-and-miss endeavor.

Security expert Kevin Beaumont echoed the issues: "CrowdStrike are touting auto-remediation of blue screen as an opt-in feature.

"However, I just tried it – it's not very successful, most boots still blue screen of death. I think CS need to be careful on messaging about this as it sounds like they're offering it as a silver bullet. It only works if networking kicks in and the agent updates before Windows finishes booting." ®
