“Social engineering” is the art of manipulating you to perform actions you would not normally perform. Like transferring money to someone you don’t know (“LOGISTICS SUPPORT REQUEST”). Disclosing sensitive information (“I have problems displaying that doc”). Opening doors to an unknown third party (“I forgot my access card”). Or handing out your CERN password, e.g. during our annual clicking campaigns (“Action Required – Warning!!”) intended to raise security awareness.
In order to achieve their goals, attackers try to forge a close connection with you. “Greetings to you and your family. How are you doing?” is still a very basic attempt, but given the information that can be found online about you, your family and social circle, your work and your hobbies, social engineers might delve much, much deeper. Just think of the information available about you on Facebook, Instagram, LinkedIn and CERN’s many webpages (“The symbiosis of your life”). How easily can your life be reconstructed from that information? (Here and here are two nice videos about this topic.) How much “juicy” stuff is out there to allow them to connect with you, build up a trust relationship and lure you into actions you wouldn’t normally perform for a stranger? Such social engineering can be a long process, but an attacker is ready to go the distance if the outcome (you disclosing sensitive information, handing over your password or transferring money) is worth it. Think about your role in this Organization: there is definitely something worth attacking you for. Access to accelerator controls to conduct sabotage if you work in the accelerator sector; access to money or personal information if you work in finance and administration; or access to computing services, data and databases if you are an IT administrator.
Below is an attempt to connect with some of our colleagues, in this case using WhatsApp:
It wouldn’t be the first time that the Director-General’s authority has been abused for social engineering purposes. And it won’t be the last. Here, we can’t tell how that conversation would have continued, but usually it leads to a demand for a money transfer (“CEO fraud”).
So, be vigilant if you are contacted by people you don’t know or receive unusual requests from unsolicited contacts. Be careful if you are asked to perform tasks you usually only perform in the execution of your job, but never on direct request. “STOP – THINK – DON’T CLICK” when you get a link in an email, text message, WhatsApp message or through a QR code. And maybe rethink the plethora of information you voluntarily make public via your social channels (check your privacy and publication settings!) or on CERN webpages. Maybe a bit less information would do your privacy good and protect you a bit more from social engineering?
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.