At the end of June, CERN saw yet another phishing campaign against its staff and users. About 21 000 owners of a CERN mailbox received e-mails from "Sonia Abelona", "Michel Dutoit", "Ralf Brant", "Federico Campesi", "Anne Darenport-Smid" or "Andreu Tomanga", on topics related to "contract amendment", "pension fund balance situation", "confidential covid-19 report" and "new teleworking rules". All e-mails stemmed from either “CERN.COM”, “CEM.CH” or “CERM.CH”. And all of them contained a link, either directly in the body of the message or in an attached PDF or Word document, pointing to a fake CERN login page hosted outside the CERN.CH domain (note the “220.127.116.11” at the top).
Entering a CERN account name and a password into that fake login page would have put the Organization at risk and your private life at peril, giving access credentials to malicious evildoers for their malicious deeds (see our Bulletin articles on “Blackmailing Academia: back to pen and paper(?)” and “What do apartments and computers have in common?”).
In the wild world of evil, there are groups of criminals such as “SilentLibrarian” that do exactly this: targeting universities, companies and organisations with well-crafted, malicious e-mails in order to infiltrate their networks, gain access to their computing resources and extract confidential information. With sufficient preparation and reconnaissance, and given the human nature of being curious, this “social engineering” is easy as pie… unfortunately. Luckily, this time, these malicious e-mails were part of the CERN Computer Security team’s annual phishing campaign. The attachments were benign and the fake login page did not accept passwords at all. CERN passwords were not collected or exposed during this campaign. So no harm done, but lots of disturbing lessons learned.
Disturbing “Game Over” #1: 10%* of all recipients did not recognise the fake login page. The wrong web address (URL) at the top. That implies that 10% of CERN accounts would have been compromised. We deem that about 90% of those accesses came from teleworkers. Hence, in nine out of ten cases, there are no means for our computer security detection to spot this… it all happened outside CERN. The ultimate silver bullet to protect CERN against such a loss is the deployment of multi-factor authentication, which will be introduced in the coming months (see our Bulletin articles on “A second factor to the rescue” and “Protecting the accelerator from remote evil”).
Disturbing “Game Over” #2: Even just opening the attachment (18%!) created a risk to the computer used to open it. If the document had been malicious, it could have easily compromised the local computer. Game Over! In particular, in times of teleworking, the security measures deployed at CERN would not have helped… So it is of the utmost importance that your own personal PCs and laptops at home are always automatically updated and run an up-to-date antivirus solution. In the future, the CERN IT department might offer you a sophisticated anti-malware and EDR (Endpoint Detection and Response) solution for enhanced protection.
With those two disturbing facts – if this had been a real attack – CERN accelerator and experiment operations, sensitive HR and financial data and computer centre services would have been put at imminent risk…!
Encouraging fact #1: Within the first five minutes of the campaign, the Computer Security team received notifications of this campaign going on. Such quick alerts are essential to raising our defences and protecting, at least, devices and accounts from within CERN. We could have even gone so far as to purge the malicious e-mails from individual inboxes (a task we usually avoid, given privacy implications).
Encouraging fact #2: In total, we received more than 800 SNOW tickets on the subject, which implies that our awareness raising is working for many! 80% didn’t open the attachment or follow the link. 90% didn’t enter their account name. Well done, guys!!!!
So how can you help to protect your private life and CERN as an organisation? First, be vigilant. Be hesitant. Be suspicious. STOP – THINK – DON’T CLICK!!!
- Check once more our hints on how to best detect fraudulent e-mails and fake login pages;
- Test yourself on those nice external training pages: https://phishingquiz.withgoogle.com/ and https://www.phishingbox.com/ phishing-test;
- Help us deploy a two-factor authentication solution; and
- Deploy a decent anti-malware solution on your home computers.
*In detail: More than 30% of all 21 083 recipients opened the e-mail for further inspection. 18% opened the PDF or Word doc attachment, if present. One quarter followed the embedded link to the fake login page. About 12% did so when that link was hidden within the PDF/Word doc. And an astonishing 50% of those (i.e. 10% of all recipients) tried to log into the fake login page with their CERN account name…
The numbers split by department will be made available to the corresponding department heads and our computer security contacts within each department.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.