Cybercriminals are nothing if not aggressive opportunists and the global chaos created by the June 19 outage of about 8.5 million Windows devices presented scammers with a huge opportunity to steal money and information.

A faulty update by cybersecurity firm CrowdStrike to its Falcon agent shut down Windows systems around the world, rippling through numerous industries from travel to healthcare to financials systems and forcing airlines to postpone or cancel flights, hospitals to delay surgeries, and banks to work around service disruptions.

CrowdStrike issued a fix, but the damage was widespread.

Scammers rushed into this quagmire, according to cybersecurity experts, with CrowdStrike CEO George Kurtz warning that “we know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives.”

Government agencies, such as CISA in the United States and the UK’s National Cyber Security Centre, issuing warnings about scams. CISA wrote that “cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.”

The UK agency noted that “an increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals.”

A Wide Range of Attacks

McAfee analysts saw bad actors take advantage of the situation the same day, with Jasdev Dhaliwal, marketing director and security evangelist for the company, writing in a blog post that “fraudsters are exploiting the current vulnerabilities to deceive consumers. These scams range from phishing attacks related to flight rescheduling, to cybercrooks posing as banks to steal login information, and even retailers requesting alternate payment methods.”

Bolster, an anti-phishing and fraud company, said it detected more than 40 phishing and phony “lookalike” domains were created in the first 24 hours following the CrowdStrike incident.

“We have been watching the reality behind the CISA’s warning play out in real-time,” Abhilash Garimella, vice president of research at Bolster, said in a statement. “In the early hours of July 19, scammers began trying to lure victims into various scams. Within the first 24 hours, more than 40 typosquat domains were targeting CrowdStrike users and had been added to the CheckPhish site.”

CheckPhish is Bolster’s phishing and scam detection site.

No Surprise

Threat actors typically flock to major incidents and events to take advantage of the chaotic environment – and often the huge amounts of money changing hands – to run their scams, as seen with everything from high-profile political elections to Russia’s illegal invasion of neighboring Ukraine in 2022 to the Olympic Games in Paris, which kick off this week.

Given that, it’s not surprising that the CrowdStrike situation is drawing out the fraudsters.

“As we are currently observing, these types of incidents breed desperation that can be easily leveraged by attackers who utilize social engineering. This can show up in many ways,” said Brent Riley, COO of tech services firm Lyra Technology Group.

Lyra has seen phishing emails impersonating CrowdStrike support and spoofed websites offering CrowdStrike support, as well as cold callers pretending to be representatives of CrowdStrike or Microsoft, customer support scams, and phishing message sent via text from numbers impersonating CrowdStrike or Microsoft, Riley said.

Campaigns Target Latin Americans, Israelis

CrowdStrike and other cybersecurity companies, including Any.Run and ThreatMon, outlined a campaign targeting CrowdStrike customers in Latin America where a bad actor is distributing a malicious zip archive labeled “crowdstrike-hotfix” that contains the HijackLoader payload, a modular malware loader first detected last year that’s known to distribute such information-stealing malware as the Amadey trojan, Lumma Stealer, Racoon Stealer v2, and Meta Stealer.

In this case, HijackLoader is distributing RemCos, a remote access trojan (RAT) used to get backdoor access into a target’s system, CrowdStrike researchers wrote in a brief report. They noted that HijackLoader is “highly focused on evading detection.”

Threat intelligence company FalconFeeds reported on X (formerly Twitter) that Handala, a pro-Palestinian hacktivist group, launched a phishing campaign against CrowdStrike users in Israel to deploy wiper malware and spread fear.