Computer Security: When CERN.CH is not CERN…

We recently received an e-mail from a colleague who was astonished to learn that an e-mail that appears to be sent from “CERN.CH” does not necessarily really come from someone at CERN… Indeed, everything is not always what it seems. Therefore, let us explain to you when CERN.CH is CERN and when it isn’t.

For e-mail, the sender address can be anything. Just like on the envelope of a normal hand-written letter, any sender address can be specified. “CERN.CH” can easily be spoofed so that an e-mail looks like it comes from someone at CERN, but actually doesn’t [1]. The ancient e-mail protocol cannot do better, and any technical means to improve on this break other functions when sending e-mails (like posting to mailing lists…) – see our Bulletin article “E-mail is broken and there is nothing we can do“. There is no good protection apart from CERN’s SPAM filters. Once an e-mail has passed those filters, the second line of defence is you… So, just hold on a second and think about whether each e-mail is really intended for you. See our recommendations on how to identify malicious e-mails on the Computer Security Team’s homepage. If you’re really in doubt, just ask us to check by e-mailing [email protected].

And since we are already on the subject: no, similar domains with different endings (so-called top-level domains like .CH) are definitely not CERN’s! For example, browsing to CERN.CA gives you “…a non-profit organisation in Canada striving to promote the Francophone culture throughout the country”. CERN.BE points to a neuropsychologist. And CERN.SK is the webpage of a Slovak central register for work-related accidents… There are also many other domains that look like CERN’s but aren’t: CERM.CH, CERN.ORG, CERN.CG, XERN.CH, CEM.CH (this one is more difficult to detect in lowercase as “cem.ch” – “r” and “n” together look quite like “m”, don’t they?). These are usually called typo-squatting or Doppelgänger domains, i.e. domains whose name is just one character away from CERN’s. Attackers love them as they can be used to trick us into clicking on the wrong link: “cem.ch”, anyone?
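As an added illustration (not code from the article or from CERN), here is a small Python checker that flags the kinds of look-alike domains described above: the same name under a different ending, one-character typo-squats such as CERM.CH or XERN.CH, and the “rn” versus “m” confusable behind CEM.CH. The list of legitimate domains and the single confusable rule are assumptions made for the example.

```python
# Added example: classify hostnames that look like CERN's but may not be.
# Assumptions: only the label left of the top-level domain is compared,
# the legitimate-domain set is illustrative, and "rn" ~ "m" is the only
# confusable pair handled.

LEGIT_DOMAINS = {"cern.ch", "cern"}  # "cern" stands for the dotCERN top-level domain
REFERENCE_LABEL = "cern"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(label: str) -> str:
    """In many fonts "rn" renders almost like "m", so "cem" reads as "cern"."""
    return label.replace("rn", "m")


def classify(hostname: str) -> str:
    """Return one of: legitimate, other-tld, confusable, typosquat, unrelated."""
    host = hostname.strip().lower().rstrip(".")
    if host in LEGIT_DOMAINS or host.endswith(".cern.ch") or host.endswith(".cern"):
        return "legitimate"
    labels = host.split(".")
    # Label directly left of the ending, e.g. "cem" for "www.cem.ch".
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if label == REFERENCE_LABEL:
        return "other-tld"    # same name, different ending: cern.ca, cern.be, cern.sk
    if normalize_confusables(label) == normalize_confusables(REFERENCE_LABEL):
        return "confusable"   # cem.ch: edit distance is 2, but it reads as "cern"
    if levenshtein(label, REFERENCE_LABEL) <= 1:
        return "typosquat"    # cerm.ch, xern.ch: one character away from "cern"
    return "unrelated"
```

Domains reported as "other-tld" still need a manual check, since CERN does own a few endings besides .CH (see footnote 2).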

For your protection, since adversaries might try to use them for their malicious deeds, we have blocked a series of these typo-squatting domains within CERN’s domain name servers. That means that you should be redirected to a warning page instead of arriving at the adversary’s malicious one. However, this only protects you when browsing to those domains from within CERN. For a more holistic approach, we also tried to buy some of these domains in order to prevent any abuse, but didn’t succeed in all cases…

Therefore, once more, we have to count on you: security is not complete without you! Be vigilant!!! CERN is CERN.CH and dotCERN. Any other domain does not belong to the Organization [2] and should be accessed with care. The best thing is just to ignore these domains and go somewhere else. Or ping us at [email protected] and we will check for you whether or not a domain is benign.

[1] For the technically-minded among you: checking the so-called header information does reveal the real origin of an e-mail, unless this has also been heavily tampered with. If that information points to the CERN e-mail servers, it is most likely that the mail has been sent from a real CERN e-mail address. Still, there is no guarantee that the sender is the person behind the name in that e-mail address. His or her account might have been compromised. But that’s another story.

[2] For the pettifoggers among you: CERN does indeed own a series of other domains, e.g. CERN.EU, CERN.JOBS and CERN.ORG, but also CIXP.CH, INDICO.GLOBAL, OHWR.COM, REANA.IO, ZENODO.COM. But mentioning all of those would double the length of this article…

_________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report