{"id":4655,"date":"2024-07-25T17:25:55","date_gmt":"2024-07-25T22:25:55","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10409"},"modified":"2024-07-25T17:25:55","modified_gmt":"2024-07-25T22:25:55","slug":"lets-be-careful-out-there","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/25\/lets-be-careful-out-there\/","title":{"rendered":"Let\u2019s Be Careful Out There"},"content":{"rendered":"<h3>Co-authored with Christopher Kim, Infoblox Threat Intelligence<\/h3>\n<p>It\u2019s impressive (and a little discouraging) to see how quickly the bad guys capitalize on current events. In the wake of the worldwide Windows outage caused by a bug in CrowdStrike\u2019s software, opportunists have registered many lookalike domains. For a complete list, please see the Infoblox Threat Intelligence Github repo, <a target=\"_blank\" href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main\" rel=\"noopener\">https:\/\/github.com\/infobloxopen\/threat-intelligence\/tree\/main<\/a>. Here\u2019s a summary:<\/p>\n<ul>\n<li>Between July 19th and 23rd, we detected 194 CrowdStrike lookalike domains.<\/li>\n<li>Of these, 60 are likely used in phishing campaigns.<\/li>\n<li>27 are likely used in other malicious activities.<\/li>\n<li>Four are likely used in spam operations.<\/li>\n<li>57 were set up defensively (that is, registered with CSC Corporate Domains for brand protection purposes).<\/li>\n<\/ul>\n<p>To give you an idea of the nature of these domain names, here\u2019s a screen shot from the web site fix-crowdstrike-apocalypse[.]com:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/lets-be-careful-out-there.png?w=640&#038;ssl=1\"><\/p>\n<p>This site advertises a (probably fake)<sup>1<\/sup> program that can restore Windows computers that have been affected by the outage, and offers two methods of payment, Bitcoin and Ethereum. 
<\/p>\n<p>These numbers\u2014over 90 malicious domain names registered in a few days\u2014highlight how important it is to exercise caution after a major event like the CrowdStrike-induced Windows outage, but also what an important role DNS-based security can play in protecting your users and infrastructure: Infoblox\u2019s algorithms flagged these lookalikes in real time, categorized them into malicious, suspicious and benign, and added them to our threat feeds to prevent our customers from becoming victims.<\/p>\n<h3>Footnotes<\/h3>\n<ol>\n<li>While we haven\u2019t bought a copy, we suspect the advertised product isn\u2019t a legitimate repair tool: based on its registration information, the domain name isn\u2019t affiliated with CrowdStrike, and the registrant chose an anonymous DNS provider, which is consistent with malicious activity.<\/li>\n<\/ol>\n<p> <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/lets-be-careful-out-there\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Co-authored with Christopher Kim, Infoblox Threat Intelligence It\u2019s impressive 
(and<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[48,2350,1945,2419,60,1200,212],"tags":[56,2354,1950,2420,67,1124,214],"class_list":["post-4655","post","type-post","status-publish","format-standard","hentry","category-bloxone-threat-defense","category-crowdstrike","category-infoblox-threat-intel","category-lookalikes","category-phishing","category-rpz","category-windows","tag-bloxone-threat-defense","tag-crowdstrike","tag-infoblox-threat-intel","tag-lookalikes","tag-phishing","tag-rpz","tag-windows"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bloxone-threat-defense\/\" rel=\"category tag\">BloxOne\u00ae Threat Defense<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crowdstrike\/\" rel=\"category tag\">CrowdStrike<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/infoblox-threat-intel\/\" rel=\"category tag\">Infoblox Threat Intel<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lookalikes\/\" rel=\"category tag\">lookalikes<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rpz\/\" rel=\"category tag\">RPZ<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/windows\/\" rel=\"category 
tag\">Windows<\/a>","tag_info":"Windows","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4655"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4655\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}