Failed. We all failed spectacularly! We’re talking about the latest annual phishing campaign conducted by the CERN Computer Security team. Like last year, every CERN staff member and user received a fake message posing as a malicious attempt to convince them to click on the embedded link. Already clicking – and about 22% of recipients clicked! – put the corresponding device (and CERN) at risk, and the subsequently displayed fake login pages would have done the rest – more than 7% of recipients tried to provide their password (fortunately that fake login page didn’t accept passwords for privacy reasons). If it had been for real: device gone, password gone, CERN gone – see our Bulletin articles on “Ransomware” and the risks for CERN: “What do accelerators and pipelines have in common?”, “Blackmailing Academia: Back to pen and paper(?)” and “Blackmailing Enterprises: You are Patient Zero”.
On the plus side, hundreds of colleagues spotted the trap and reported their fake phishing email to the Computer Security team. Many more simply ignored the email, as the contents (“Contract amendment”, “COVID-19 internal report”, “Fund balance – confidential”, “X has shared a file with you”, “Teleworking Reminder”, “Updated vaccine schedule”, or “Your travel arrangements”) did not concern them. Some people cross-checked the sender names in the CERN Phonebook where, indeed, Sean Luggers, Sebastien Lodevinski, Luigi Valnese, Ramon Warze, Anne Longshire, Nikolae Fridilidis, Adriana Do Montes and Danielle Pecheur do not appear and, hence, do not seem to work for CERN (some of their namesakes, however, work for the Computer Security team). Others wondered about the embedded link that, while being labelled with “documentstore.cern.ch”, “hr.cern.ch”, “pf.cern.ch” or “covid-cern.ch”, actually pointed to either the domain cern.CG of the Republic of the Congo, or to the IP address 220.127.116.11. And there we go. The truth lies in the URL!
While judging the relevance of the email itself based on typos or any other anomaly, or checking for names in the address book, is good practice (see our recommendations), these methods aren’t foolproof. Attackers are trying their very best to perfect the spoofing of their malicious emails. Given that lots of information about CERN, CERN projects and current news is public, it’s easy to come up with increasingly targeted and sophisticated email messages – messages that anyone who isn’t vigilant would fall for*. And given that many of our names are published on one webpage or another, sending malicious emails using real CERN names would not have been a problem for attackers. The email protocol allows that – just as you can write any sender name on the paper envelope of your letter, you can fake any email sender address you wish. Easy-peasy.
So, the best way to spot malicious emails is to check the web address that a link would lead you to. The truth lies in the URL, the uniform resource locator, pointing to the real internet contents. The displayed text is all hollow words. “documentstore.cern.ch”, “hr.cern.ch”, “pf.cern.ch” or “covid-cern.ch” are just inventions. The truth lies beneath. In the URL. STOP—THINK—DON'T CLICK!!! Hover your mouse pointer over those hollow words, those duplicitous links, and the pop-up tooltip will reveal their truth, reveal the true destination.
The same holds true for any embedded link in WhatsApp messages, tweets, Facebook posts and Instagram threads. STOP—THINK—DON'T CLICK!!! It’s hard, but it’s still better than getting your device infected and compromised. Only if it’s cern.CH (for Switzerland) or home.CERN, is it us. If the pop-up looks dodgy, weird or unexpected or has contents differing from the displayed text, hold fire. Be vigilant, be sceptical. Better check with us first at Computer.Security@cern.ch. For the sake of your device’s security, and for the security of the Organization!
Finally, and in particular, check the CERN login page before typing your password. The two valid Single Sign-On (SSO) pages for CERN are “login.cern.ch” for the old and “auth.cern.ch” for the new SSO webpage. Every other URL is fake, bad, malicious and should be reported!!! Alternatively, use a password manager. It will prompt you to fill in your password ONLY on the CERN domain, so if the password manager suddenly refuses to enter your password, something may be majorly off...
*Even we could have done better with our campaign. But it’s a slippery slope, as some companies discovered with their tests (see here and here).
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.