After our Bulletin article entitled “Curiosity clicks the link” at the end of February, our annual “clicking campaign” followed one month later. Based on e-mail templates created by students of the University of Rotterdam, using only information they were able to find on CERN’s public webpages, 20937 “suspicious” e-mails were sent to everyone with a CERN e-mail address. Many reported these malicious mails to us immediately, a few detected them as our awareness campaign, and some recipients clicked…
Are you still curious? Learn from examples of “Phishing mails” provided by a “David.Marquinais @ cerm.ch”; verify your e-mail address for “CERN Lightweight Account verification” (“support @ cern.com”); check out your account for the “Cern Pensions update” sent by “head.office @ cem.ch”; or answer the “CERN Students & Educators evaluation email” from “outreach @ cem.ch” in order to comment on their new website… Yes, many sender addresses do not make sense. “David Marquinais” as “Head of User Support” and “Fabien Delacroix” as “Head of CERN” do not exist at CERN. Neither do “cern.com” or “cem.ch” (which looks like “cern.ch” when displayed in small fonts). CERN only uses “cern.ch” and “.cern” (dotCERN). If you read the corresponding mail bodies, the embedded links look weird and have no apparent ties with CERN. But this is what the malicious evil-doers (in this case the students from Rotterdam) try to do: to lure you into believing the mail is genuine. To make you click. To fall for it. To fail.
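The sender-domain check described above can also be automated on the mail-filtering side. The following is an added example, not CERN's own tooling: it classifies a From: address against the two domains the article names as genuine, and flags the wrong-TLD, “rn”/“m” and one-character variants seen in the campaign. The function names, the extra confusable pairs and the “alice@example.org” sample are assumptions made for illustration.

```python
from email.utils import parseaddr

# Per the article, CERN only uses "cern.ch" and the ".cern" top-level domain.
LEGIT_NAME, LEGIT_DOMAIN, LEGIT_TLD = "cern", "cern.ch", "cern"
# Character sequences that read alike in small fonts. "rn"/"m" is the article's
# case; the other pairs are assumptions added for illustration.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(label):
    """Collapse look-alike sequences so visually similar labels compare equal."""
    for seq, glyph in CONFUSABLES:
        label = label.replace(seq, glyph)
    return label


def edit_distance(a, b):
    """Levenshtein distance, computed with two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Classify the domain of a From: header against CERN's real domains."""
    addr = parseaddr(from_header)[1]  # ignores the spoofable display name
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    labels = domain.split(".")
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN) or labels[-1] == LEGIT_TLD:
        return "legitimate"
    # Registrable name taken as the label left of the TLD (ignores suffixes like co.uk).
    name = labels[-2] if len(labels) > 1 else labels[0]
    if name == LEGIT_NAME:
        return "lookalike: wrong TLD"
    if skeleton(name) == skeleton(LEGIT_NAME):
        return "lookalike: confusable glyphs"
    if edit_distance(name, LEGIT_NAME) <= 1:
        return "lookalike: one-character typo"
    return "external"


# Sender addresses quoted in the article, plus one constructed unrelated address.
SAMPLES = ["David.Marquinais@cerm.ch", "support@cern.com", "head.office@cem.ch",
           "Computer.Security@cern.ch", "alice@example.org"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} {classify_sender(s)}")
```

A “legitimate” result only says the domain string is one of CERN's; it does not show that the message really came from that domain.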
Clicking had no negative consequences… this time. But in reality, with real malicious e-mails, with one click, your computer would have been lost. Infected. Compromised. With one click, the malicious evil-doers might be able to install software on your Windows PC/laptop or MacBook (less likely on Linux systems), which registers every keystroke you make in order to figure out passwords for your Facebook account, your Twitter feed, for accessing CERN or for accessing your bank details. Attackers will enable the webcam and the microphone in order to spy on you. They will download your documents, encrypt them in order to obtain money from you, and if you don’t comply make those documents public. Game over.
Luckily it was just a clicking campaign this time, as we would have had a “game over” for 15.2% of the recipients. 15.2% clicked on the embedded links. Their compromised Windows PCs/laptops or MacBooks would now pose a threat to the Organization. Compared to previous years, this is a decrease from 18.7% in 2017 (16.5% in 2016). Other industries have reported similar “click rates”. But in the end, the number doesn’t really count, as the “click rate” scales with the level of sophistication of the e-mail. Targeted and well-engineered e-mails are harder to spot, and the “click rate” would be higher. Also, to be fair, many people informed us immediately after they received a suspicious e-mail. Thanks to them, we would have quickly been able to block any malicious website, URL or e-mail. Thanks to them, we would have been able to warn others. Of course, this time we let it go. But in reality, a quick heads-up sent to us at Computer.Security@cern.ch can crucially help to secure CERN and minimise impact.
Hence this awareness campaign, helping you to identify strange e-mails early, be more vigilant, and avoid clicking before you lose your private data. And before you give the malicious evil-doers access to CERN. Just be reasonable. While it is difficult to protect yourself from the more sophisticated and targeted e-mails, protect yourself against the “easy” ones. It is like in the real world. If a stranger offers us, for example, a small bag of white powder and asks us to carry it across the border, we decline and walk away, don’t we? It’s the same in the digital world: if an e-mail, its sender, its context, the language, the way it is phrased, the embedded links and URLs, etc. look weird to you, just do not click. Delete it. Or, if in doubt, send it to us for verification. If it looks malicious, give us a heads-up!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.