Computer Security: “New_invoice.zip”

Thanks for reading this. But I wonder, what do you expect? Why did this generic title catch your interest? Of course, you might read our articles on a regular basis and it is the “Computer Security:” that brought you here. But still, was there anything else? You should stop reading here... unless you believe this text is meant for you. Or if you are curious. Or if you expect to learn something. Actually, that’s it. “New_invoice.zip” taught more than 40 people at CERN a lesson... the hard way.


“New_invoice.zip” was the name of an attachment to a rather blunt e-mail sent directly to many of our dear colleagues. Others received the e-mail via mailing lists like “it-dep”. The subject of the mail was “invoice” and its message read “Check the document” (see Image 1). The recipient list was vast and full of many different, not necessarily connected names. Opening the attachment “New_invoice.zip” revealed another file named “invoice_id25769.exe” (see Image 2), a Windows program that, once double-clicked, infected the PC it ran on.


Image 1.

Image 2.

Unusual? Unfortunately not. Sending and receiving invoices is common business in secretariats, in the procurement service, in the hostel and the CERN restaurants… But remember our repeated warnings about phishing e-mails with malicious content. This e-mail is a prime example. Still, more than 40 people clicked thrice in order to get at the juicy contents: first to open the mail, a second time in order to look at the attachment, and then to open (and execute) the “invoice_id25769.exe” programme. Game over: Windows PC infected. User password lost.

What could have prevented those people from clicking? First, many just opened the attachment out of curiosity: “It came from a colleague and I just wanted to know…”, even if it was unusual. Neither the brevity of the message text nor its rather common subject line was a hindrance to continuing. Nor was the fact that this “invoice” was addressed to dozens of people. Why should all of them have gotten the same invoice? Another red flag missed.

Finally, the “.zip” file contained an “.exe” file. Do you know what an “.exe” is? No? So, why open it? An invoice arrives as a document: “.pdf”, “.doc”, “.xls”, “.ppt” or “.txt” (and even those deserve care, as Office macros and booby-trapped PDFs are popular malware carriers), but never open “.exe”! “.exe” in an e-mail is a synonym for “infect my computer”. And so, this “invoice” created a nice learning opportunity for more than 40 colleagues (and counting!). Their 40+ accounts and their 40+ Windows (office) PCs were blocked after their mail clients started spamming the world with similar messages. 40+ Windows PCs were subsequently reinstalled and 40+ new passwords were created. 40+ people got annoyed and lost precious working time. Just because curiosity beat vigilance…

So, be prudent and be aware:

  • If you aren't expecting such an e-mail, if it is none of your business, just ignore it;
  • Is the message text reasonable? Does it ring a bell? Does it apply to you? Is it in your native language or a language you usually communicate in? Are there typos or factual mistakes (“Rolf Heuer, CERN President”)?
  • Check the recipient list. Was this an e-mail for you or is the mix of recipients weird? Why should you all get the same e-mail?
  • Look at the attachments. An “.exe” is a program, not a document, and a “.zip” can hide one (and slip it past simple attachment filters); both are highly suspicious in an unexpected e-mail. And no, your anti-virus does not always protect you;
  • If you are in doubt, contact the sender and cross-check before opening the attachment. Or check with us at Computer.Security@cern.ch;
  • Be prepared. A malicious e-mail can infect your computer. Make sure that you have proper back-ups so you can easily re-install it from scratch at any time. Just like our poor colleagues were asked to do…
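The checklist above can also be applied mechanically, for instance at a mail gateway or in a triage script. The Python below is an added example written for this article; it is not part of the original text or of any CERN tooling. It builds a constructed sample message modelled on the one described (twelve recipients, the three-word body, and a “New_invoice.zip” holding a fake “invoice_id25769.exe” that consists only of the “MZ” magic bytes and padding) and then runs the checks: recipient count, terseness of the body, executables identified by extension and, independently, by magic bytes (a renamed “.exe” still starts with “MZ”), and unpacking of zip archives to see what they hide, with a nesting and size guard against archive bombs. The thresholds and the extension list are assumptions for illustration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed values for this example; tune them for a real gateway.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi"}
MASS_MAIL_THRESHOLD = 10            # "why should all of us get the same invoice?"
MIN_BODY_WORDS = 5                  # "Check the document" is three words
MAX_NESTING = 3                     # stop unpacking zip-in-zip-in-zip
MAX_MEMBER_BYTES = 50 * 1024 * 1024 # refuse to inflate huge members (zip-bomb guard)
HARD_FINDINGS = ("executable extension", "PE/DOS magic")


def build_sample_message() -> bytes:
    """Constructed sample resembling the e-mail described in the article.

    The fake 'invoice_id25769.exe' is only the 'MZ' DOS-header magic plus
    padding; it is not a real program.
    """
    fake_exe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_id25769.exe", fake_exe)

    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = ", ".join(f"user{i}@example.org" for i in range(12))
    msg["Subject"] = "invoice"
    msg.set_content("Check the document")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="New_invoice.zip")
    return msg.as_bytes()


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Flag executables by extension and by magic bytes, looking inside zips."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension: {name}")
    elif data[:2] == b"MZ":
        # A renamed Windows binary still carries the PE/DOS header magic.
        findings.append(f"PE/DOS magic despite extension {ext or '(none)'}: {name}")

    if data[:2] == b"PK":  # zip local-file-header signature, whatever the name says
        if depth >= MAX_NESTING:
            findings.append(f"archive nested too deeply, not unpacked: {name}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"oversized member skipped: {name}/{info.filename}")
                        continue
                    member = f"{name}/{info.filename}"
                    findings.extend(inspect_attachment(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip archive: {name}")
    return findings


def analyse_message(raw: bytes) -> dict:
    """Apply the article's checklist to one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Check the recipient list: a personal invoice is not sent to a crowd.
    recipients = []
    for field in ("to", "cc"):
        header = msg[field]
        if header is not None:
            recipients.extend(a.addr_spec for a in header.addresses)
    if len(recipients) >= MASS_MAIL_THRESHOLD:
        findings.append(f"mass-mailed to {len(recipients)} recipients")

    # Is the message text reasonable? "Check the document" is not.
    body = msg.get_body(preferencelist=("plain",))
    words = body.get_content().split() if body is not None else []
    if len(words) < MIN_BODY_WORDS:
        findings.append(f"terse body ({len(words)} words)")

    # Look at the attachments, including what the archives hide.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode("utf-8", "replace")
        findings.extend(inspect_attachment(name, payload))

    suspicious = any(f.startswith(HARD_FINDINGS) for f in findings)
    return {"recipients": len(recipients), "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for line in analyse_message(build_sample_message())["findings"]:
        print(line)
```

Run as a script it lists the findings for the constructed message; in practice `analyse_message()` would be fed the raw bytes of a real message (for example from a `.eml` file). The point of checking magic bytes as well as extensions is that the extension is under the attacker's control, while the first two bytes of a Windows executable are not.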

For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team