That was a close call. 100 kCHF. In three tranches. Invoiced to two different partner institutes. But with banking details that are not CERN’s. Due to, presumably, one unfortunate click. Due to a subsequently compromised email account. And the actions of criminals trying to extort money. Fortunately, vigilance on the payer’s side prevented any harm.
We have repeatedly published articles on “phishing” and the risks when browsing the web or opening emails. STOP – THINK – DON’T CLICK is still the mantra to follow. When receiving emails, WhatsApp messages or even SMSs with embedded links or attachments, or when photographing QR codes. But we are humans, ergo not perfect. And as our clicking campaigns of the past have shown, around 20% of us fail to spot a malicious email and go ahead and open it… Like in this real case. An example for us all of why it’s important to remain vigilant and careful!
Presumably, it all started with an unfortunate click. One click, which gave the attackers access to their innocent victim. With that access, and a plan already in mind, they trawled through the victim’s mailbox hunting for “juicy” stuff. Like emails they could monetarise on. And, bingo, they found invoices since this is their victim’s job: invoicing. Sending invoices to partner institutes and universities. Invoices that the attackers could use for their criminal deeds. To avoiding being spotted, they made sure that any future communication about their deeds remained hidden. So-called “mail routing rules” configured in the victim’s mailbox ensured that any criminal mails landed not in the inbox but in a folder hidden in the “junk email” compartment. Who checks their junk folder? The attackers even created a fake domain, “CERN-CH.COM”, in order to have an independent channel to monitor communication. With the scene set, they were ready to reap their rewards.
“We are suspending all transactions on our old accounts, due to internal audit and tax review.” That was the email sent to two, and only, two institutes on the victim’s behalf. Attached was the new invoice. Take a look at the new and the old invoices below. Can you spot the difference?
Indeed, the criminals tampered with the invoices and modified them in such a way that money would be transferred not into CERN’s bank account with UBS (“CH93”) but into their pockets in Spain (“ES02”). The trap would have worked if the other side – the payer who was supposed to settle the bill – hadn’t been vigilant and mistrustful. Fortunately, they were! But, as the criminals controlled the victim’s mailbox, initial questions raised by the payers were refuted by the criminals. They tried to convince the payer that everything was in order. That the invoices were genuine. That the new IBAN was valid. That the payers should just settle the invoice… Fortunately, again, the email back-and-forth added more people to the conversation, which triggered alerts on both sides. Enter CERN Finance. Enter CERN Computer Security. Full stop. For the criminals.
Further investigations revealed their machinations as described above. Fortunately, no damage was done. No other institutes were involved. And no more invoices were tampered with. The malicious domain “CERN-CH.COM” and the malicious IBAN “ES02” have been disabled by our partners in the security community and in law enforcement.
This episode shows, once again, why vigilance when opening emails, attachments or links is of the utmost importance – in particular when dealing with critical services, invoices and payments. Using, as happened in this case, a communication channel other than emails in order to check the validity of bank information changes, ideally with contact people who are already known and familiar, is definitely best practice. Also, using the four-eyes principle, whereby two people – two accounts – are required to validate invoices and payments is advantageous. Finally, and more generally for anyone dealing with sensitive emails and critical services, the planned deployment of two-factor authentication (“2FA”; “Log in. Click. Be secure”) would also have helped, as this would have stopped the victim’s account being compromised in the first place. Hence, once more, STOP – THINK – DON’T CLICK!, and consider joining the 2FA pilot. Just drop an email to Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.