The number one vector for getting your computer compromised, your password disclosed, your data exposed and your digital life screwed up is social engineering, i.e. manipulating you into trusting an e-mail, a web URL or an attachment, and luring you into clicking on a malicious link. One click and it’s game over!
Indeed, we have covered the risk of browsing the web (remember “STOP – THINK – DON’T CLICK”?), malware and drive-by downloads as well as phishing in various recent Bulletin issues. In many cases, the primary attack vector boils down to convincing you to click on a malicious link (or open a malicious attachment). In today’s teleworking world, a nice new evil path opens up: malicious video-conferencing invitations…
Collaboration in teleworking times requires us to use one or more different video conferencing tools. Skype. WebEx. Teams. Vidyo. Zoom. You name it. Scheduling of the corresponding meetings usually proceeds via e-mail and calendar invitations, like the one below. Looks familiar, no?
As with any other e-mail, whether this calendar invitation can be trusted depends on many factors: the sender’s name, the sender’s e-mail address, whether or not the e-mail has been digitally signed, the message text and contents, typos, language, social hook and level of intimacy, etc. If this overall “package” looks reasonable to you, you will trust its contents and follow up. And if this is a cleverly crafted but evil message, you might fall for the trap and click the malicious link. Check the example above again! The link is indeed malicious and the meeting is not on CERN’s default Zoom instance at cern.zoom.us… Instead, the link leads you to cern.zoom-us.aws-e4dfa2f4.com, which has nothing to do with either Zoom or CERN, and which might not even host teleconferencing software, but is solely intended to infect and compromise your device. With just a few clicks: game over!
So, once again, hold on a second. Check your e-mail/invitation thoroughly. Did you expect it? Does the subject concern you? Do you know the sender? Is the content in a language you understand? Hover your mouse pointer over the provided URL: does the tool-tip, the little pop-up box, correspond to the link displayed in the message? Does it point you to CERN’s cern.zoom.us instance (i.e. http://cern.zoom.us/j/NNN) or to an external Zoom instance known to you, to CERN Vidyo (like https://vidyoportal.cern.ch/join/XXXX) or any other valid teleconferencing portal (definitely hard to tell!)? If you have answered “no”, watch out! STOP – THINK – DON’T CLICK! Contact the meeting organiser to cross-check, ideally via a channel other than e-mail, or get in touch with Computer.Security@cern.ch. We are here to help you.
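The hover check described above can also be done mechanically on an invitation's HTML body. The following Python sketch is an added example, not a CERN tool: the function names, the trusted-host list (built from the two portals named in this article) and the sample invitation are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the two CERN portals named in the article.
TRUSTED_HOSTS = {"cern.zoom.us", "vidyoportal.cern.ch"}

class LinkCollector(HTMLParser):
    """Collect (href, displayed text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def check_invitation(html_body):
    """Return, per link, the real target host and the reasons to distrust it."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, shown in parser.links:
        target = host_of(href)
        shown_host = host_of(shown) if "://" in shown else None
        reasons = []
        # Exact match only: a prefix test such as startswith("cern.zoom")
        # would accept the lookalike host discussed in the article.
        if target not in TRUSTED_HOSTS:
            reasons.append("host not on trusted list")
        if shown_host and shown_host != target:
            reasons.append("displayed link differs from real target")
        findings.append({"target": target, "reasons": reasons})
    return findings

# Constructed sample invitation (meeting IDs are made up).
SAMPLE = ('<p>Join: <a href="https://cern.zoom-us.aws-e4dfa2f4.com/j/123456">'
          'https://cern.zoom.us/j/123456</a></p>'
          '<p>Or: <a href="https://cern.zoom.us/j/123456">Join meeting</a></p>')
```

An empty `reasons` list only means the link points at a listed portal; the other questions above (sender, context, whether you expected the invitation) still apply.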
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.