Much of the damage allegedly inflicted by the Chinese military officers charged with economic espionage this week came via email scams.
But the strategy, as described in a federal indictment, was far more sophisticated than the common "Nigerian prince" email blast.
Instead of sending out thousands of generic scam messages, the Chinese hackers were allegedly "spearphishing." That's a twist on traditional email phishing, in which bad guys entice victims with official-looking mail from, say, a bank or an online retailer. Those attacks are usually crude and sent out in bulk. Spearphishing is tightly targeted toward an individual or specific corporate unit.
Although the ruse is not commonly known, sophisticated scammers willing to put in the time and effort to learn more about their target have used it for years.
Unlike the usual email scammers, the spearphisher "thrives on familiarity" and "knows your name, your email address and at least a little about you," according to a report by Norton, the malware prevention and removal service. "The salutation on the email message is likely to be personalized: 'Hi Bob' instead of 'Dear Sir.'"
Spearphishers often scan Facebook and other social media sites to glean details about users' friends to make messages look more legitimate. The emails might refer to a recent online purchase or a mutual friend, causing users to let down their guard and be more willing to click a link or provide user names, passwords or banking information.
In one instance highlighted in the indictment, a Chinese officer allegedly emailed roughly 20 U.S. Steel employees purporting to be their company's chief executive. The message included a link that installed malware that gave the alleged Chinese hackers backdoor access to the company's computers, just weeks before the release of a report on an important trade dispute. Several employees took the bait and clicked the link.
As spearphishing attacks increase, businesses are struggling to erect defenses. Adam Wosotowsky, a researcher at McAfee Labs, said it's not enough for employees to simply check that the email comes from an in-house address. Virtually everything visible in an email, he said, can be forged, including the sender's listed address.
What can't be forged, Wosotowsky said, is the IP address the email is coming from — so businesses can block all messages ostensibly from their company's email domains but not from authorized IP addresses.
Beyond that, "you have to make sure people have proper training to recognize it, especially if you realize you're being targeted, because they're going to try again and again," Wosotowsky said. "If the payoff is $10 million in intellectual property, that single guy can send one email a day, maybe five emails a day, for two years and he just needs one to go through for it to be worth it."
Among the red flags employees should be watching for is bad grammar and requests for user names and passwords. Specific types of attachments are also a concern, particularly files that end with .ser or .exe, which cause the computer to launch into a set of tasks.
Wosotowsky said spearphishing is still rare compared with traditional phishing, but appears to be growing in popularity as the money in traditional spamming dries up because of better protection against mass emails.
Jon Heimerl, a strategist for security services provider Solutionary, said he had one client, a company CEO, who bought a new BMW every three years. A hacker found out that the CEO was looking to buy and sent him an email purporting to be from a local BMW dealer, asking him to fill out a survey in exchange for a discount. Heimel said that after his client used his personal email account to comply, a virus opened on his work computer.
The virus then sent out an email from the CEO's work account to everyone in the company. The subject line, Heimerl said, was something about the company getting acquired, which prompted nearly everyone to open it.
"It pretty much shut them down for the better part of three days," he said.
The consequences of not being careful can be severe. The alleged scammers from China are accused of successfully hacking into the computers of U.S. companies involved in nuclear energy, steel manufacturing and solar energy.
One of the alleged Chinese spearphishers, according to the indictment, was able to steal host names and descriptions for more than 1,700 company servers, including those that controlled physical access to the company's facilities and mobile access to its networks.