Computer Security: Well fought, FP!
We are used to spam and phishing emails. But at the end of last year, a very special email struck one of our colleagues in the FP Department.
An accountant received an e-mail, apparently from “Rolf.Heuer@cern.ch”, politely asking him to prepare a financial transaction in the strictest confidence. The supposed beneficiary then phoned the accountant to back up the request. Despite being instructed not to talk to anyone, our colleague found the e-mail, the phone conversation and the circumstances so suspicious that he consulted his hierarchy, the Internal Audit service and us. Well done, FP Department! This is a rare case of an attempt at “social engineering”, i.e. manipulating someone into doing something detrimental to the Organization.
The e-mail was fake. While it appeared to come from “Rolf.Heuer@cern.ch”, it actually came from an alleged fraudster outside CERN. The e-mail and the phone call showed that he was well prepared and had targeted this particular accountant directly; the pattern is the one widely known as “CEO fraud” or “fake president” fraud. Besides the technical details for the transaction, the scam e-mail contained every element needed to succeed: flattery and trust-building (“We are currently carrying out an important financial operation on which I have been working for a few months. I have chosen you for your discretion and impeccable work within our company because I do not want any leaks.”) and the demand for strict confidentiality (“This takeover bid (OPA, offre publique d'achat) must remain strictly confidential; nobody else must be informed for the moment, including your colleagues.”, “Please make no reference to this file, internally or externally, not even by telephone. I am in meetings all day; I repeat, please communicate only by e-mail with [FRAUDSTER], following the procedure imposed by the AMF (Autorité des marchés financiers).”). But our colleague did not succumb! (“Michelin” seems not to have been so lucky.)
So remember: the e-mail protocol (SMTP) does not authenticate the sender address shown in the “From” field, so a forged address looks exactly like a genuine one in your mail client. Unless the sender digitally signs his or her e-mails (for example with S/MIME or PGP), you can only judge from the overall package (sender, subject, message, circumstances) whether an e-mail is legitimate or a scam. Technical checks that mail servers may perform on the sending server, such as SPF and DKIM, help filter crude forgeries but do not catch look-alike domains or compromised mailboxes, so you remain the first line of defence. If you have any doubts, consult a colleague, your supervisor or Computer.Security@cern.ch. This particular case is a prime example of how professional vigilance works!
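To make the point about forged “From” addresses concrete, here is an added example (not part of the original article, and not a CERN tool) that inspects the headers a recipient can actually see. It parses a message with Python's standard `email` module and flags the classic signs of a spoofed sender: the envelope sender (Return-Path) and the Reply-To pointing to a different domain than the displayed From address, and the receiving server's Authentication-Results reporting a failed SPF check and no DKIM signature. The two sample messages, all addresses, hostnames and IP addresses are constructed for the example; the Authentication-Results header is only trustworthy if your own border mail server adds it and strips any copy supplied by the sender.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the case in the article: the From header
# claims a cern.ch address, but the envelope sender, the Reply-To and the
# receiving server's SPF/DKIM verdicts all point to an outside domain.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-1234@mail.example.net>
Received: from mail.example.net (mail.example.net [198.51.100.23])
        by mx.example.org with ESMTP id abc123;
        Wed, 10 Dec 2014 09:12:44 +0100
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce-1234@mail.example.net; dkim=none
From: "Rolf Heuer" <Rolf.Heuer@cern.ch>
Reply-To: "Rolf Heuer" <rolf.heuer.dg@example.net>
To: accountant@example.org
Subject: Transaction confidentielle
Content-Type: text/plain; charset="utf-8"

Je vous ai choisi pour votre discretion ...
"""

# Constructed counter-example: envelope and From domains agree, SPF and DKIM pass.
GENUINE_MESSAGE = """\
Return-Path: <alice@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org
From: Alice <alice@example.org>
To: accountant@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _auth_results(msg):
    """Parse 'method=result ...' clauses from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id (the checking server); skip it.
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            if not clause:
                continue
            method, _, rest = clause.partition("=")
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def assess_sender(raw_message):
    """Compare the displayed From address with what the transport actually shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    reply_to_domain = _domain(msg.get("Reply-To", ""))
    auth = _auth_results(msg)

    warnings = []
    if envelope_domain and envelope_domain != from_domain:
        warnings.append(f"envelope sender domain {envelope_domain!r} differs from From domain {from_domain!r}")
    if reply_to_domain and reply_to_domain != from_domain:
        warnings.append(f"replies are redirected to {reply_to_domain!r}, not to the claimed sender domain")
    if auth.get("spf") not in (None, "pass"):
        warnings.append(f"SPF check on the sending server returned {auth['spf']!r}")
    if auth.get("dkim", "none") != "pass":
        warnings.append("no valid DKIM signature covers the message")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "reply_to_domain": reply_to_domain,
        "auth": auth,
        "warnings": warnings,
        "suspicious": bool(warnings),
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        verdict = assess_sender(sample)
        print(f"{label}: suspicious={verdict['suspicious']}")
        for w in verdict["warnings"]:
            print("  -", w)
```

Note that a clean result from this check is not proof of legitimacy: a fraudster who registers a look-alike domain and sends from it properly, or who has compromised a real mailbox, passes every header test. The check only helps you spot the crude forgery; the social-engineering cues described above (secrecy, urgency, unusual payment instructions) still have to be judged by a human.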
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team