
Computer Security: Click me – NOT!

In late June, CERN was subjected to a wave of seemingly targeted e-mails containing a potentially malicious PDF or DOC attachment. Opening those attachments and eventually following the embedded links could lead to your computer being compromised. However, this time, fortunately, these e-mails were part of the annual e-mail awareness campaign…

The e-mails sent by "Anne.Darenport-Smid@cern.ch", "Federico.Campesi@cern.org", "Michel.Dutoit@cern.com", "Ralf.Brant@cerm.ch" and "Sonia.Abelona@cem.ch" were modelled on real malicious attacks against the Organization earlier this year. Back then, the e-mails contained a very short, rather generic text, along with a Word or PDF attachment. Opening that document would have started an unfortunate chain of malicious actions against your computer, eventually leading to it being fully compromised. And with that, your professional life and even your and your family’s private life (see also “Protect your family”) would have been compromised. Worse, in those real attacks, the attackers used the e-mail addresses of real CERN group leaders and sent their messages only to members of those leaders’ groups. Easy as pie, as CERN is quite open: many organigrams are public (just search for “organigram site:cern.ch”), as is the CERN phonebook with its advanced search feature, so filtering for the members of a particular group is easy. And something else that is easy as pie: the e-mail protocol (SMTP) does not verify the sender, so anyone can put any address in the “From” field (just like you can write any name on a snail-mail envelope, put a stamp on it and, albeit not very cheaply, “spam” any recipient). So there it is, your targeted attack on the group of your choice… Fortunately, back then, our e-mail filtering systems detected those malicious attachments in good time and prevented any havoc…

Based on those attacks, the CERN Computer Security Team sent similar e-mails to about 22 000 owners of CERN e-mail addresses, all within the space of 90 minutes. The sender names ("Anne.Darenport-Smid", "Federico.Campesi", "Michel.Dutoit", "Ralf.Brant" and "Sonia.Abelona", all fake, of course), the sending domains ("cern.ch", "cern.org", "cern.com", "cerm.ch" and "cem.ch") and the contents (“your input to our results”, “report on pension fund balance situation”, “confidential design report”, “new IT security measures”, “your 2019 contract amendment request”) were combined at random. In addition, half of the recipients got an e-mail with a Word .DOC attached, the other half one with a PDF. In both cases, the documents were literally empty: the Word document claimed to have been “created in a different version of Microsoft Office Word” and stated: “In order to view this document, please click the “Enable editing” button on the top bar and then click “Enable content””. That is the standard trick for talking the reader into leaving Microsoft Office’s Protected View and then enabling macros, i.e. into switching off Office’s basic protection mechanism by hand. In case that did not work, the document also offered the option to “View document online”, leading to a page controlled by the attacker and certainly not hosted by “Microsoft.com”. The PDF just asked users to “Please click the link below to access your PDF document.”, leading to a page similar to the one used for the Word document.

Empty or not, however, it doesn’t matter. Just by opening the document, you would have put your computer, laptop, tablet or smartphone at risk (“I love you”), and, indeed, 17% of all recipients did (21% for the DOC, just over 14% for the PDF). By clicking on the embedded link, the chances of your device being compromised would have increased even further (“Curiosity clicks the link”). In total, 10% of recipients managed to ignore all the security features (e.g. by clicking "enable macros" in Word or following the link in the attachment) and reached our dedicated information page. By this point, a real attack would have compromised their device. Lucky for them that this was “just” an awareness campaign. Looking in more detail, the attachment on “your 2019 contract amendment request” generated the most clicks (24% opened it), while the “confidential design report” and the “new IT security measures” were more likely to be ignored (15% each). People also spotted the malicious domains “cerm.ch” and “cern.org” fairly easily and refrained from opening the attachments (only 15% and 17% did, respectively), while the “cern.ch” domain of course looked legitimate and led 20% to open the attachment… And in terms of the different departments? The trophies go to the FAP department and the Pension Fund, whose click rates were way below average. Well done, folks! For everyone else, next time, beat them: STOP – THINK – DON’T CLICK should be your mantra, in particular for e-mails which look weird, come from unknown sources, contain blatant typos, or are just not really relevant to you… Hints on how to spot this kind of malicious e-mail can be found on our computer security pages. And if you spot such a malicious e-mail, forward it to us. Once we know about it, we can block the malware from being downloaded and thus protect everyone at CERN. In this particular campaign, it took just a few minutes until the first alerts were received by the Computer Security Team. Blocking at that point would have dropped the click rate to below 2%, unless you happened to click on the link outside the CERN network, a location where we can’t provide any protection…
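The “spot the look-alike domain” advice above (cerm.ch, cem.ch, cern.org, cern.com next to the genuine cern.ch) can be turned into a mechanical check. The following Python script is an added example for this article, not CERN’s mail-filtering code: it parses a message’s From: header and classifies the sender domain as trusted, a typo of the trusted domain (cerm.ch), a homoglyph of it (cem.ch, where “rn” reads as “m”), the same name under another TLD (cern.org, cern.com), or plain external. The trusted domain, the two-label domain split and the homoglyph table are assumptions of the example; the sample headers are constructed from the five fake campaign senders. Note the caveat the article itself makes: a message whose From: field simply says cern.ch, as in the real attacks, passes this check, so it complements attachment and link filtering rather than replacing it.

```python
"""Classify e-mail sender domains as trusted, look-alike or external.

Added example for this article, not CERN's filtering code. Assumptions:
a single trusted domain (cern.ch), domains of the form name.tld, and a
small homoglyph table; production code would use the public suffix list.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAIN = "cern.ch"  # assumption: the one domain we trust

# Character sequences that look alike in common fonts; "rn" vs "m" is the
# trick behind "cem.ch" in the campaign.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Lower-case and collapse homoglyph sequences to what the eye sees."""
    label = label.lower()
    for seq, rep in HOMOGLYPHS.items():
        label = label.replace(seq, rep)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """'cern.ch' -> ('cern', 'ch'). Assumption: the last label is the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return one of: trusted, lookalike:tld, lookalike:homoglyph,
    lookalike:typo, external."""
    domain = domain.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    name, tld = split_domain(domain)
    tname, ttld = split_domain(trusted)
    if name == tname and tld != ttld:
        return "lookalike:tld"            # cern.org, cern.com
    if normalise(name) == normalise(tname):
        return "lookalike:homoglyph"      # cem.ch
    if levenshtein(name, tname) <= 1:
        return "lookalike:typo"           # cerm.ch
    return "external"


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (address, verdict) for the value of a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return addr, "invalid"
    return addr, classify_domain(addr.rsplit("@", 1)[1])


def scan_message(raw: bytes) -> tuple[str, str]:
    """Parse a raw RFC 5322 message and classify its From: address."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return classify_sender(str(msg["From"] or ""))


# Constructed sample headers built from the five fake campaign senders.
SAMPLES = [
    b"From: Anne.Darenport-Smid@cern.ch\r\nSubject: your input to our results\r\n\r\n",
    b"From: Federico.Campesi@cern.org\r\nSubject: report on pension fund balance situation\r\n\r\n",
    b"From: Michel.Dutoit@cern.com\r\nSubject: confidential design report\r\n\r\n",
    b"From: Ralf.Brant@cerm.ch\r\nSubject: new IT security measures\r\n\r\n",
    b"From: Sonia Abelona <Sonia.Abelona@cem.ch>\r\nSubject: your 2019 contract amendment request\r\n\r\n",
]


def scan_samples() -> list[tuple[str, str]]:
    """Classify every constructed sample; the cern.ch one comes back trusted."""
    return [scan_message(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for addr, verdict in scan_samples():
        print(f"{verdict:20} {addr}")
```

The edit-distance threshold of 1 is deliberately tight: with a four-letter trusted label, a looser threshold would flag many legitimate short domains. Anything reported as lookalike is a candidate for forwarding to the Computer Security Team, as the article asks.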

_______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.