ACFE Insights Blog

Exploiting Chaos: How Fraudsters Capitalized on the 2024 CrowdStrike Falcon Sensor Outage

On July 19, 2024, CrowdStrike pushed out an update to one of its programs, a vulnerability scanning tool called Falcon Sensor, that contained a significant bug. For computers running on a Microsoft Windows operating system, this faulty update caused the computer to crash. 

By Samuel May, CFE | August 2024
CrowdStrike is an American cybersecurity company that provides security software products, threat intelligence and cyberattack response services. Founded in 2011, CrowdStrike grew quickly and had its initial public offering on the Nasdaq in June 2019. By 2024, CrowdStrike had yearly revenues in the billions from their software products serving corporations the world over. 

The Outage 

On July 19, 2024, CrowdStrike pushed out an update to one of its programs, a vulnerability scanning tool called Falcon Sensor, which contained a significant bug. For computers running on a Microsoft Windows operating system, this faulty update caused the computer to crash. The systems would then be unable to reboot successfully, continually running into errors in the Falcon software and rendering the computer inoperable. Microsoft would later estimate that approximately 8.5 million devices were directly affected. Organizations across a wide variety of industries lost access to critical systems, including airlines, public transit systems in multiple cities, hospitals and clinics, financial institutions, and media outlets around the world. The total global cost is estimated in the billions of dollars. It is the largest information technology (IT) outage in history.

CrowdStrike purportedly identified the issue and deployed a fix within hours. Unfortunately, restoring individual computers required hands-on implementation, manually booting affected systems and remedying the issue. While most critical systems were repaired within a day, some organizations took significantly longer to fully recover.  

The Opportunity 

Despite the rapid response time and the availability of solutions directly from CrowdStrike and Microsoft, fraudsters smelled an opportunity. As is always the case with disasters, outages, tragedies and other well-publicized events, malicious actors will find ways to take advantage of people already in distress. Easy comparisons can be made to COVID pandemic fraud, natural disaster scams or even tax season fraud (which may not be a traditional disaster, but certainly results in many distressed citizens).

CrowdStrike recovery scams started immediately. In the days following the outage, CrowdStrike itself released information on identified spear phishing attempts. The company also released information on general malicious activity surrounding the event.  

Fraud examiners will recognize these commonly used attacks: malicious emails, scam phone calls and fake websites targeting companies reporting outages and their employees. Fraudsters posed as technical support or CrowdStrike staff offering refunds or remuneration for losses caused by the outage. The well-publicized outage gave fraudsters an easy list of targets. As organizations added themselves to the growing list of businesses and government agencies that were temporarily unavailable, they were also painting themselves, and their customers, with targets.

Emails were sent to known corporate addresses with malicious attachments. The emails posed as CrowdStrike, Microsoft or other technical support staff sharing important recovery information. An attached PDF promised to contain the method to restore crashed systems, or a download link promised to install a program that would protect as-yet unaffected systems. Websites were created within hours of the first major outage reports, using URLs similar to real CrowdStrike websites to steal information from unwary users or to host malicious software posing as solutions. Fake CrowdStrike social media sites cropped up, linking to malicious websites or asking for users to message the fraudsters posing as support through the social media platform.  
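The lookalike URLs described above are the easiest part of these lures to triage mechanically. The following helper is an added example, not code from the ACFE article or from CrowdStrike: it flags hosts that embed a brand name outside the legitimate registrable domain, or that sit one typo away from it. The allow-list, brand tokens and sample URLs are all constructed for illustration.

```python
# Added example (not from the article): triage URLs that merely resemble a
# legitimate vendor domain. Allow-list and samples below are constructed.
from urllib.parse import urlparse

LEGIT_DOMAINS = {"crowdstrike.com", "microsoft.com"}   # assumed allow-list
BRAND_TOKENS = {"crowdstrike", "microsoft", "falcon"}  # words lures reuse

# Constructed sample links, the kind pulled from a suspect "recovery" email.
SAMPLE_URLS = [
    "https://support.crowdstrike.com/fix",           # genuine subdomain
    "https://crowdstrike-recovery.example/fix.pdf",  # brand word in host
    "http://crowdstrlke.com/",                       # l for i typosquat
    "https://crowdstrike.com.evil.example/",         # brand as subdomain
    "https://example.org/",                          # unrelated
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style hosts."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL."""
    if "://" not in url:            # urlparse needs a scheme to find the host
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    base = registrable_domain(host)
    if base in LEGIT_DOMAINS:
        return "legit"
    if any(tok in host for tok in BRAND_TOKENS):      # brand word, wrong domain
        return "lookalike"
    label = base.split(".")[0]
    if any(levenshtein(label, d.split(".")[0]) <= 1 for d in LEGIT_DOMAINS):
        return "lookalike"                             # one typo from real name
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict so a reviewer can see the flagged ones."""
    return {u: classify_url(u) for u in urls}
```

Anything returning "lookalike" deserves a manual look before a user is allowed to follow it; "unrelated" is not a clean bill of health, only the absence of brand mimicry.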

While not as directly connected, frauds and scams targeted at customers of businesses affected by the outage also saw an increase. For example, airlines affected by the outage began issuing refunds to customers whose flights were cancelled. Fraudsters posing as the airline, aware of the outage, identified customers on social media who were posting about delays and cancellations or venting their frustration in a public forum. The fraudster then provided links to fake websites or fake social media accounts, or phished with targeted emails, phone calls or instant messages, convincing the customer that their refund was just a few clicks away and that they only needed to provide their credit card information to process it.

The Takeaway 

These kinds of events are inevitable, and fraudsters will always look to take advantage of them. Unfortunately, even with sound and consistent anti-fraud training for organizations and individuals, disasters and stress limit our attention to detail and make us more susceptible to hasty actions. Fraud examiners must stay ahead of the wave, reacting to situations appropriately with timely reminders to remain cautious and to look for solutions or assistance through secure channels. These scams are usually quick and dirty, so remind staff, friends and family of their usual cybersecurity scrutiny: check the URLs, email addresses and usernames, and avoid clicking links or downloading attachments. It is easy to do on a well-caffeinated, calm morning at the office, but significantly harder when you are stranded after a flight cancellation, your bank’s website is down, and you are hastily scrolling for solutions.