Malicious domains and phishing campaigns, in the aftermath of the global outage triggered by faulty software from CrowdStrike in July, are still actively pretending to seek feedback from impacted companies, cybersecurity experts said.
Cybercriminals were quick to exploit the chaos caused by the CrowdStrike crisis, sending remote-access or data-wiper malware through phishing emails and then using it as a ransom tactic.
Nearly 37,000 employees of the top 350 global organisations have fallen prey to these phishing campaigns, termed ‘Reap Blue Screen’, and given away sensitive details, according to data from cybersecurity firm Cyfirma.
The malicious domains include crowdstrikefixer[.]com, crowdstrikehelp[.]com, pay[.]crowdstrikerecovery[.]com, britishairways[.]crowdstrike[.]feedback.
Links to these domains were forwarded through thousands of emails, enticing frenzied employees to pay for the return of their systems using GPay or debit cards.
Cyfirma has detected 900 such domains created since July 19, when the outage grounded airlines and brought several workplaces, hospitals, train stations and banks to a standstill.
“We observed malicious domains mushrooming in large numbers, registered with untrustworthy hosts (and) with domain lookalikes to CrowdStrike,” said Kumar Ritesh, founder of Cyfirma, who believes the motive is to exploit the fear among IT managers scrambling to find a solution to the global glitch.
“Cyfirma has just begun scratching the surface. Of the 450 domains that we have analysed, nearly