Have you ever heard of “CEO fraud”? It is a social engineering method to extract money from a company, playing on several psychological techniques to make people stop thinking consciously:
- Fear, guilt and shame, i.e. making a threat to you or your family (“I know what you did last summer and will tell your family if you don’t…”). Under that pressure, you will just comply as your fear adverse consequences if you don’t;
- Flattery, i.e. luring your ego, pride or complacency (and narcissism?) into complying;
- Seniority and respect, i.e. blindly obeying because you are instructed by someone much more senior than you, you are just a little cog in the machine.
The CEO fraud plays the “seniority” card: “I am the CEO and you will do as I wish”. Full stop. And such a targeted CEO fraud attack has been run against CERN by abusing the name of our DG and spoofing her e-mail address(1). It all happened in the morning of October 19 when several people in the CERN hierarchy or with budget responsibilities received the following message:
Note that the “From:” address has been spoofed. The so-called header information(2) of that e-mail – something like the address on the envelope of a letter – indicates that the mail does not come from CERN (but from “XXXXpower.com”) and that all replies would go the e-mail address “boardpresXXXX@gmail.com”:
The trap has been set. The attacker just needs someone to reply… Bingo:
With bi-directional communication established, the attacker can now engage, using their social engineering powers, and try to convince the victim to comply with their wishes (once more, the “From:” address is fake, replies go to the aforementioned Gmail address):
Unlike in other similar cases, the attacker does not even play the “secrecy”-card and requests 100% confidentiality of this communication (i.e. “This is a highly confidential transaction and should remain between you and me”). Instead, the attacker explains why other alternatives (the treasurer) are not an option. Thanks to the power of the alleged DG, the scam works:
There we go:
Fortunately, this scam was spotted by other people having also received the initial e-mail. Some noticed – as you can too! – that when trying to reply to this fraudulent mail the new recipient is indeed NOT Fabiola:
So, the fact that they reported the scam e-mail to Computer.Security@cern.ch enabled CERN to:
- block similar e-mails from entering CERN mailboxes as well as blocking the attacker’s e-mail address;
- identify other people who had received the scam and warn them;
- ensure that the attacker’s IBAN was flagged and blocked from being used at CERN.
This is why vigilance and suspicion is helpful. Please don’t let yourself be impressed (or intimidated!) by seniority. By CEO power. By a strong voice. Similarly, please don’t let yourself be ashamed, harassed or intimidated by e-mails trying to create fear, guilt or shame. These are usually scams too. Instead, in particular in the event of any doubt, involve your hierarchy, the CERN Internal Audit Service or Computer.Security@cern.ch. They are here to support and help you! Your early notification helps protect CERN when other means fail. Better to ask than to be sorry…
(1) As detailed in another Bulletin article, there is no simple defence against e-mail address spoofing. E-mail sender addresses, like sender addresses on normal postal envelopes, can easily be faked…
(2) In Outlook, you can access this header information by opening the e-mail, clicking on the small arrow to the right of “Tags” and then looking at “Internet headers”. In Thunderbird, open the mail and go to “View > Headers > All”. Similarly for Apple Mail: “View > Message > All Headers”.
_____
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.