02/25/2026 | News release | Distributed by Public on 02/25/2026 05:38
In mid-November, CERN was subjected to another phishing attack that tried to lure people to open a malicious link and provide their CERN credentials on a fake CERN Single Sign-On page. While many of us detected and reported the scam, unfortunately up to 11.2% fell for the bait and potentially exposed their password. But, luckily for them, this was just an exercise…
So what did these phishing emails look like? Like any other "standard" package of spam and scam emails that the CERN mail filters block on a daily basis, they looked innocent enough. Simple. Maybe credible. Or not, as they could all also be recognised as dodgy, weird, suspicious or just not for us. They all came from a non-CERN domain, as can be seen in the "From" field of the email: "cofeesuppli3r.you", "365mailserv.bk", "kern.bz", etc. Their message text resembled the "standard" spam. In fact, standard spam mails were used as inspiration for the exercise. And the embedded links did not actually point to the CERN SSO ("auth.cern.ch") but to external URLs like www[.]hrsupportint[.]com or www[.]doctorican[.]de. Find below six screenshots of the "malicious" emails:
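The two tell-tale signs described above (a sender outside the CERN mail domain, and a link whose real target is not the SSO host even when the visible text claims otherwise) can be checked mechanically before anyone clicks. The following Python script is an added illustration, not CERN's own tooling; it assumes a trusted mail domain of `cern.ch` and an SSO host of `auth.cern.ch`, and the two sample emails are constructed from the sender domains and URLs quoted in the article.

```python
"""Triage an email for the phishing indicators named in the article:
an external sender domain, links to hosts outside the organisation, and
link text that shows one host while the href points at another.
Added example (assumed trusted domain / SSO host, constructed samples)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain and its real SSO host.
TRUSTED_DOMAINS = {"cern.ch"}
SSO_HOST = "auth.cern.ch"

# <a href="...">text</a>, tolerant of other attributes and newlines.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Anchor text that itself looks like a URL or bare hostname.
URLISH_RE = re.compile(r'(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?', re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL or bare hostname ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True if host is one of, or a subdomain of, the trusted domains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_domain(msg):
    """Domain of the actual address in the From header (display name ignored)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def text_bodies(msg):
    """Yield decoded text/* parts of a (possibly multipart) message."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def triage(raw_email):
    """Return a list of (indicator, detail) tuples; an empty list means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []

    dom = sender_domain(msg)
    if not is_trusted(dom):
        findings.append(("external-sender", dom))

    for body in text_bodies(msg):
        for href, text in ANCHOR_RE.findall(body):
            real = host_of(href)
            if not is_trusted(real):
                findings.append(("external-link", real))
            # Only compare when the visible text looks like a URL/hostname.
            shown = text.strip()
            if URLISH_RE.fullmatch(shown):
                shown_host = host_of(shown)
                if shown_host != real:
                    findings.append(("link-text-mismatch", f"{shown_host} -> {real}"))
    return findings


# Constructed sample modelled on the "password expires today" lure:
# external sender, link text shows the SSO host, href goes elsewhere.
PHISH = """From: Pauline Cuvitrina <pauline@kern.bz>
To: someone@cern.ch
Subject: CERN password expires today
Content-Type: text/html; charset=utf-8

<p>Your CERN password expires today. Renew it now:</p>
<a href="https://www.hrsupportint.com/sso/login">https://auth.cern.ch</a>
"""

# Constructed benign sample: internal sender, link really goes to the SSO host.
LEGIT = """From: IT Service Desk <service-desk@cern.ch>
To: someone@cern.ch
Subject: Planned maintenance
Content-Type: text/html; charset=utf-8

<p>Please sign in at <a href="https://auth.cern.ch/">https://auth.cern.ch/</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample) or "no indicators")
```

Run as a script it prints three indicators for the constructed lure (external sender `kern.bz`, external link host `www.hrsupportint.com`, and the mismatch between the displayed `auth.cern.ch` and the real target) and nothing for the benign message. The text-versus-href comparison is the check that matters most here: it is exactly the trick that makes a "Single Sign-On" link look right in the mail client while delivering the victim to a look-alike page.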
Would you have fallen for and clicked on any of them? Interestingly, of those who did, the "CERN password expires today" from "Pauline Cuvitrina" got the most clicks (50%), followed by the "important update on contracts" (31%) from the "Secretary service" and "DHL" (14%) from "Saniu Walliv", while just a few people were convinced that they had "earned a free coffee" or had an "MS365 Emails problem" (1). Below you can see the distribution per subject and the click rates per department.
The average click rate was about 6%, with variations up to 11.2%(2), but still all in the same ballpark given the statistical error. Actually, one can create any click rate as the rate depends largely on the sophistication of the message text: in another exercise, the CERN Computer Security Office succeeded in getting a click rate of more than 80% from about 120 IT specialists attending an IT conference who were invited by a fake email to "Download your voucher for a free beer in the hotel lobby here".
While our spam filters and the recently concluded roll-out of two-factor authentication should already provide sufficient protection and usually detect and block such emails, defence-in-depth is better. "Security" is like Swiss Emmental cheese: you need several layers to cover all holes. Hence, next time, before you are tempted to click, please remember: STOP - THINK - DON'T CLICK when you see such an email (or, for that matter, an SMS, WhatsApp message, QR code or plain URL), in order to help protect the Organization. Thanks a lot!
(1) The EP Department with its many users was spared this time as rumours and warnings about the phishing campaign had already made the rounds via the usual communication channels and would have rendered the exercise less useful.
(2) The "Dark Lord" email seemed too obvious and was not sent at all in the end.