‘CrowdStrike Phishing Emails To Get Worse Before Better’: HacWare CEO

‘Over the weekend, we saw about 50 new email domains that were purchased by cybercriminals to impersonate CrowdStrike,’ HacWare CEO Tiffany Ricks tells CRN.

Phishing emails have been circulating in inboxes following news of the CrowdStrike IT outage, with scammers impersonating support teams offering to remediate the issue, and HacWare CEO Tiffany Ricks said the messages are “going to get worse before they get better.”

“Over the weekend, we saw about 50 new email domains that were purchased by cybercriminals to impersonate CrowdStrike,” Ricks told CRN. “We saw about 20 percent of them being used where they had landing pages or they were used in a phishing incident already. The remaining 80 percent have not been used. I believe that means they're going to be used in the future.”

HacWare, a New York-based cybersecurity training vendor that has a focus on phishing emails, has been tracking phishing activity over the weekend and has seen many emails linked to the CrowdStrike incident.

When a CrowdStrike software update caused IT outages across the globe last Friday, Ricks said she knew phishing emails would be used to target people in the ensuing mayhem.

“Cybercriminals have a normal area of opportunity that they're looking to exploit, and it's always when there's chaos and when there's uncertainty,” she said.

Over the weekend, both CrowdStrike and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put out advisories about the phishing emails, how to spot them and where to report such emails.

“CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip,” CrowdStrike wrote in a blog post. “The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos. Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers.

“Following the content update issue, several typosquatting domains impersonating CrowdStrike have been identified,” the blog said. “This campaign marks the first observed instance in which a threat actor has capitalized on the Falcon content issue to distribute malicious files targeting LATAM-based CrowdStrike customers.”

Ricks said hackers are also targeting SMBs in a more sophisticated way. Instead of including ZIP files or links in the body of an email, hackers are attaching PDF files that contain links. “That's a little bit more disarming because you would expect a PDF that explains how to install a fix from your support team,” she said.

To help spread awareness and education about the phishing emails, she said MSPs should have a standard operating procedure for incidents such as this, as well as a way to report phishing incidents.

HacWare has also published a guide to identifying and reporting phishing emails, which includes communicating directly with support teams, inspecting email addresses and URLs, and using DMARC (Domain-based Message Authentication, Reporting and Conformance) checkers.

“[MSPs] need to make sure that they arm their team, their employees and their clients with the information that they need with continuous testing to make sure that they're aware of how a cybercriminal could target them and get in their organization,” she said. “That's short form to make sure that they're prepared for when a cybercriminal does try to target their organization. We have to make it tough for them. Security awareness is not that sexy thing to do, but it's the most effective thing that they can do to protect themselves, their company and their clients.”