What do “Daniela.Wick@cern.ch”, “Kris.Avandal@cern.ch”, “Magnus.Fallbaum@cern.ch”, “Petra.Kosmanen@cern.ch”, “Ron.Waitmal@cern.ch” and “Stephanie.Porasky@cern.ch” have in common? No, they aren’t members of the personnel even if they pretend to have a CERN email address and their names sound similar to those of some of our colleagues in the CERN Computer Security team. No, they have no business with CERN at all, even if their email messages claim otherwise. And no, they are not trustworthy, as they tried to steal your password. Welcome to the annual clicking campaign, revised.
22 731 emails were sent out on 1 August purporting to come from one of the made-up email addresses above, presenting you with an important message on your “New voicemail from +41792231243” or the “Update on your invoice”, concerning your “Office 365™ Subscription” or your “Signed contract”, asking you for “Action Required”, or just sending you the latest “COVID 2022 Report”. 22 731 emails, one to each CERN email address assigned to a member of the personnel owning a CERN mailbox. Each email tried to lure you into clicking on the embedded link, which, if clicked, presented you with a login page ready to accept your username and, for those who made it that far, asked for your CERN password… For those who took that last step, BOOM! Not only did you put your device and your digital life at risk when clicking on the initial link, but by handing over your CERN password to a malicious website you opened the door to fraud and sabotage. Once again, remember the mantra “STOP – THINK – DON’T CLICK” before opening attachments or unsolicited links – they might bring nasty surprises. And remember that your password is yours and yours alone and should only ever be entered into CERN’s old and new single sign-on (SSO) pages. Anything else could wreak havoc – on CERN’s operations, finances and reputation.
But not this time, fortunately, as the emails were part of our annual campaign on cybersecurity risks and the dangers of (sophisticated or not) unsolicited emails. Still, the reaping was sadly fruitful. More than 1800 people clicked and fell into the trap by entering their username in the fake SSO page and trying to enter their password, too. 1800 accounts. If that had been a real attack, they would now be in the hands of an attacker. 1800 accounts available to spam the world through CERN’s email system, abusing CERN’s computer centre for cryptocurrency mining, downloading costly journals and scientific papers from CERN’s digital library, extracting (confidential!) data or documents from our storage systems, stealing money from the CERN treasury or sabotaging the operations of CERN’s accelerators or experiments. There is still room for improvement. There is still some room at the top.
Hence, look out for these things:
- Is the sender familiar to you? Note that email addresses, including those terminating with CERN.CH, can easily be spoofed.
- Do the message contents make sense to you? Is it related to your professional or private life? Is it relevant to you, did you expect it? Is it written in a language you understand, reasonably clearly and understandably? If you don’t have a subscription with “Deutsche Telekom”, then the invoice is likely not for you; the same goes for the delivery notification for a UPS package when you haven’t ordered anything.
- Hover your mouse over any link. Does the link start with HTTP(s)://[SOMETHING].CERN.CH before the next /? (Yes, this is tricky – if the URL confuses you, better check with us at Computer.Security@cern.ch)
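As an added illustration of the link check in the third tip (this code is not part of the original bulletin), the following Python helper applies the “ends in CERN.CH before the next /” rule to a handful of constructed sample links, including the look-alike tricks that fool a quick visual check; every hostname and path in the samples is made up.

```python
from typing import Optional
from urllib.parse import urlsplit

# The rule from the tip above: the host part of a link, i.e. everything between
# "HTTP(S)://" and the next "/", must end in CERN.CH for the link to be CERN's.
TRUSTED_DOMAIN = "cern.ch"

def link_host(url: str) -> Optional[str]:
    """Normalised host of an http(s) link, or None when it cannot be parsed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return None
    host = parts.hostname  # lowercased; drops any "user@" prefix and ":port"
    if not host:
        return None
    return host.rstrip(".")  # "login.cern.ch." names the same host as login.cern.ch

def classify_link(url: str) -> str:
    """Return 'cern', 'not-cern' or 'suspicious' for a link found in an email."""
    host = link_host(url)
    if host is None:
        return "suspicious"  # not a plain web link (mailto:, javascript:, junk)
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "suspicious"  # internationalised look-alike names need a human
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "cern"
    return "not-cern"

def triage(links):
    """Map each link to its verdict, for a quick look at all links in a message."""
    return {link: classify_link(link) for link in links}

# Constructed sample links (hostnames and paths are made up for this example).
SAMPLE_LINKS = [
    "https://login.cern.ch/adfs/ls/",            # genuine-looking CERN host
    "HTTPS://CERN.CH/Security",                  # letter case does not matter
    "https://cern.ch.example.net/login",         # CERN.CH is not the domain here
    "https://example.net/cern.ch/login",         # CERN.CH appears only in the path
    "https://login.cern.ch@example.net/login",   # text before "@" is not the host
    "https://sso-cern.ch/login",                 # a hyphen, not a dot
    "https://xn--crn-koa.ch/login",              # punycoded look-alike name
    "javascript:alert(1)",                       # not a web link at all
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10}  {link}")
```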
And, finally, the silver bullet against account abuse: complement your password by protecting your account with a so-called second factor, your mobile phone or a hardware token. When logging in (about twice per day), you would be asked as usual for your password but also to provide this second factor, a simple number generated by a smartphone app or hardware token. This two-factor authentication (2FA) is the silver bullet for account protection, as the attacker now needs not only to phish your password by the aforementioned means but also to steal your smartphone (or hardware token) – and we all always know where our smartphone is, don’t we? So, give it a try and check out how to obtain and manage 2FA here.
In short, please help us reach the top. Enable 2FA for your account, remember STOP – THINK – DON’T CLICK and check for malicious emails using the following tips:
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.