Active phishing campaign abusing CrowdStrike incident
Within hours of a widespread IT outage on Friday, numerous new domains began appearing online, all of them variants of the name CrowdStrike, the company at the heart of the global tech disruption that delayed flights and disrupted emergency services.
In a statement on Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) clarified that the CrowdStrike outage was not linked to a cyberattack or malicious activity. However, CISA noted that "threat actors are taking advantage of this incident for phishing and other malicious activities."
Numerous domains were registered, including names like crowdstriketoken.com, crowdstrikedown.site, and crowdstrikefix.com, aimed at deceiving affected individuals and businesses. Attackers impersonated CrowdStrike support and offered fake recovery solutions to extract money or to inject malware.
As usual, customers should avoid clicking links in phishing emails or any other suspicious links, to prevent email compromise and other scams. CrowdStrike's CEO George Kurtz urged affected customers to communicate only through official CrowdStrike channels. The company published a list of 30 domains impersonating its brand and warned about phishing emails and phone calls from imposters posing as CrowdStrike support.
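A defender-side check for the lookalike-domain pattern described above, as an added example that is not part of the original article: it flags DNS query names that embed the brand string but are not under the vendor's own domain. The allowlist entry `crowdstrike.com`, the `client=`/`qname=` log format and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: the vendor's legitimate domain; extend with your own allowlist.
OFFICIAL = {"crowdstrike.com"}
BRAND = "crowdstrike"
# Common digit-for-letter swaps used in lookalike names.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

# Constructed sample resolver log (format is hypothetical).
SAMPLE_LOG = """\
client=10.0.0.12 qname=crowdstrikefix.com
client=10.0.0.12 qname=www.crowdstrike.com
client=10.0.0.40 qname=crowdstrikedown.site.
client=10.0.0.40 qname=cr0wd-strike.support.example
client=10.0.0.51 qname=crowdstrike.com.login.example
client=10.0.0.51 qname=www.example.org
"""


def is_official(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def impersonates(host: str) -> bool:
    """True if host carries the brand string but is not an official name."""
    host = host.strip().lower().rstrip(".")
    if is_official(host):
        return False
    # Drop dots and hyphens, undo digit swaps, then look for the brand.
    squashed = re.sub(r"[^a-z0-9]", "", host).translate(LEET)
    return BRAND in squashed


def flag_queries(log: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for queries to lookalike domains."""
    hits = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        qname = fields.get("qname", "")
        if qname and impersonates(qname):
            hits.append((fields.get("client", "?"), qname))
    return hits


if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} queried lookalike domain {qname}")
```

Substring matching of this kind is a triage filter: it will also flag unrelated names that happen to contain the brand, so hits should be reviewed against the vendor's published list rather than blocked blindly.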