Microsoft-CrowdStrike IT outage triggers wave of phishing attacks
Governments worldwide and cybersecurity agencies have warned enterprises to be wary of digital phishing scams following the Microsoft-CrowdStrike outage last week.
On July 18, a flawed software update from cybersecurity firm CrowdStrike to Windows computers resulted in a catastrophic global outage of systems. Microsoft said on Saturday that an estimated 8.5 million Windows devices were impacted by the outage, which affected IT operations, the aviation industry, and banks, among others. Both Microsoft and CrowdStrike have issued guidelines on dealing with the incident, which may even include physically fixing the systems.
Amid the outage, CrowdStrike has released a blog post reporting that malicious actors are exploiting the situation as a "lure theme." Users have received phishing emails and phone calls from individuals posing as CrowdStrike support representatives. In some instances, adversaries are masquerading as independent researchers, claiming to provide remediation insights. Phishing, a type of cyberattack, involves using deceptive emails, text messages, phone calls, or websites to trick individuals into sharing sensitive information, downloading malware, or becoming victims of cybercrime.
The Australian government has also reported that bad actors are exploiting the crisis to scam the public. “We are seeing some reports of phishing attempts related to the recent incident,” said Home Affairs Minister Clare O’Neil. She noted that small businesses, in particular, are receiving emails requesting bank details to facilitate a reboot to fix the issue.
Similarly, the UK Cyber Security Centre has observed an increase in phishing attempts surrounding this event.
“Consider any large event, whether positive or negative — be it elections, the Paris Olympics, festivals, or IT outages — these events capture the attention of the masses. Phishing involves exploiting such widely-discussed events to send emails/SMS to entice individuals into clicking on malicious links,” said Sundareshwar K, Partner & Leader — Cybersecurity, PwC India.
Several domains referencing CrowdStrike have been registered since Friday and many of them could be used for adversarial purposes. CrowdStrike has listed about 30 domains that have been used in the scams so far.
“CrowdStrike is a case study of what a wrong patch could mean in terms of business continuity. That said, given the large-scale outage, we are at risk of getting too conservative before applying patches,” said Ashish Tandon, founder and CEO, Indusface. “In the quest of ensuring business continuity, I hope that the security leaders do not compromise on security best practices. A successful exploit could mean data theft, compliance penalties, and ransom demands in addition to the loss of business continuity and customer trust.”
Tandon added that there has been a triple-digit growth in application layer attacks compared to last year, and there is evidence of novice hackers using readily available scripts to target known and zero-day vulnerabilities.
To protect enterprises from such vulnerabilities, companies must verify the source of each communication before acting on it, be aware of tactics that create pressure to act quickly, and report any suspicions to the relevant authorities, suggests Harshil Doshi, Country Director — India, Securonix. “For future safety reasons, organisations should invest in advanced behaviour analytics solutions that monitor users’ transactions around critical assets. Deploying pre-emptive threat detection and response technologies can prepare enterprises to deal with the dangers associated with digital security.”
According to security firm Zscaler’s 2024 Phishing Report, there has been a near 60% increase in global phishing attacks compared to the previous year, driven by advanced generative artificial intelligence (AI) schemes like voice phishing and deepfake phishing. Notably, India emerged as one of the top three targeted countries, experiencing over 79 million phishing attacks in 2023.