Computer Security: Click and infect

Do you recall last year’s e-mails from our dear colleagues S. Abelona, R. Brant, F. Campesi, A. Daren-port-Smid and M. Dutoit, who each shared an attached file with you? Except they aren’t actual colleagues. They’re all fake. As were their e-mails and their attachments. They were just intended to tempt you to open the attached Word document or PDF in order to have your computer infected…

Indeed, this is a standard pattern of attacks against the Organization. Attackers sending fake e-mails, ideally with content very close to the operations of CERN or very close to professional or personal aspects of your life, and sufficiently real that you believe them and open the attachment. This time the subjects were “your contract amendment request”, “new IT security measures”, the “pension fund balance situation”, “your input to [their] results”, and “the confidential design report”. The more targeted these malicious e-mails are, the more likely it is that you believe they are genuine and click. The more sophisticated the attack, the more probable that your computer, PC or laptop gets compromised. With one click, your Windows system, your Macbook or your Linux installation can be gone. Infected. Compromised. Owned by the malicious evil-doers abusing your computing resources, stealing your passwords (e.g. for CERN or for Internet banking), encrypting your documents (in order to blackmail you), sharing your photos and videos (“cyber-mobbing”), or exposing your local webcam images and microphone recordings (“I know what you did last summer”).

The CERN e-mail service and the CERN Computer Security Team are doing their best to protect you. Beside the “standard” SPAM filtering, they run a dedicated e-mail appliance checking every single attachment entering the Organization and probing it to see whether it contains malware*. This is a cat-and-mouse game and, while the detection rate is very high, not all malicious e-mails can be caught, as attackers obviously try to evade our detection capabilities. This is where you come in, hopefully running an up-to-date operating system. This is easy nowadays as they should all update themselves automagically. And hopefully having deployed a good anti-virus solution. They don’t cost a fortune and provide a basic second layer of defence. And using an alternative to Adobe Reader, as a lot of malware tries to exploit weaknesses in it. And being vigilant and alert. Some e-mails really are too-good-to-be-true. Sometimes it is better to STOP – THINK – DON’T CLICK. Instead, forward anything suspicious to for additional checks.

Fortunately, this time, these particular e-mails were all fake, as they were part of our annual clicking campaign. Out of about 22 000 e-mails sent by us, around 30% were confirmed as having been opened by an e-mail client. In about 20% of cases, the user made all efforts to also open the attachment and thus ultimately put their computer at risk… Thanks to approval by the Data Privacy Office, we were even able to correlate the clicking rates with anonymised personal data. However, comparing the clicking rates for different age brackets did not reveal significant differences. Also, within statistical errors, the clicking rates of female and male colleagues were the same. When comparing different employment types, i.e. physicists vs. engineers vs. technical staff vs. administrative staff, the variations were also within statistical errors. It seems that the clicking rate just depends on the curiosity of our human nature**! Finally, checking the timing, people were quick in reacting. Less than 10 minutes into our campaign, we received the first tickets notifying us that CERN was under (false) attack. That would have been the moment where we would have deployed additional protective measures (e.g. blocking the malware’s access the Internet in order to download its malicious content). After about half an hour, that wave of attack would have been contained. But don’t count on that. Not every e-mail is part of our annual clicking campaign.

* In technical terms, the appliance is spawning virtual machines of different operating system flavours and e-mail clients, simulating user activity in opening the potentially malicious e-mail and its attachment, and monitoring whether this attachment “detonates”, i.e. starts modifying local system settings or making Internet connections (“call-backs” requesting the real malware).

**For more details, check out this Bachelor thesis by T. Betz entitled “Comparing and Analysing the CERN E-mail Security Awareness Campaigns”.


/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.