The National Memo

Monday, December 09, 2019

By Robert Faturechi, Los Angeles Times

Much of the damage allegedly inflicted by the Chinese military officers charged with economic espionage this week came via email scams.

But the strategy, as described in a federal indictment, was far more sophisticated than the common “Nigerian prince” email blast.

Instead of sending out thousands of generic scam messages, the Chinese hackers were allegedly “spearphishing.” That’s a twist on traditional email phishing, in which bad guys entice victims with official-looking mail from, say, a bank or an online retailer. Those attacks are usually crude and sent out in bulk. Spearphishing is tightly targeted toward an individual or specific corporate unit.

Although the ruse is not commonly known, sophisticated scammers willing to put in the time and effort to learn more about their target have used it for years.

Unlike the usual email scammers, the spearphisher “thrives on familiarity” and “knows your name, your email address and at least a little about you,” according to a report by Norton, the malware prevention and removal service. “The salutation on the email message is likely to be personalized: ‘Hi Bob’ instead of ‘Dear Sir.’”

Spearphishers often scan Facebook and other social media sites to glean details about users’ friends to make messages look more legitimate. The emails might refer to a recent online purchase or a mutual friend, causing users to let down their guard and be more willing to click a link or provide user names, passwords or banking information.

In one instance highlighted in the indictment, a Chinese officer allegedly emailed roughly 20 U.S. Steel employees purporting to be their company’s chief executive. The message included a link that installed malware that gave the alleged Chinese hackers backdoor access to the company’s computers, just weeks before the release of a report on an important trade dispute. Several employees took the bait and clicked the link.

As spearphishing attacks increase, businesses are struggling to erect defenses. Adam Wosotowsky, a researcher at McAfee Labs, said it’s not enough for employees to simply check that the email comes from an in-house address. Virtually everything visible in an email, he said, can be forged, including the sender’s listed address.

What can’t be forged, Wosotowsky said, is the IP address the email is coming from — so businesses can block all messages ostensibly from their company’s email domains but not from authorized IP addresses.

Beyond that, “you have to make sure people have proper training to recognize it, especially if you realize you’re being targeted, because they’re going to try again and again,” Wosotowsky said. “If the payoff is $10 million in intellectual property, that single guy can send one email a day, maybe five emails a day, for two years and he just needs one to go through for it to be worth it.”

Among the red flags employees should be watching for are bad grammar and requests for user names and passwords. Specific types of attachments are also a concern, particularly files that end with .ser or .exe, which, when opened, cause the computer to run a set of tasks.
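The two defensive controls described above, blocking mail that claims the company's own domain but did not arrive from its authorized IP addresses, and flagging attachments with the file extensions named, combined into one added Python example (not code from the article or from any of the companies it quotes). It assumes a hypothetical company domain, a constructed authorized relay range, and that the topmost Received header was written by the organization's own border mail server.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company domain and authorized outbound relay range (constructed)
COMPANY_DOMAIN = "example.com"
AUTHORIZED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RISKY_EXTENSIONS = (".ser", ".exe")  # attachment types the article singles out

def sending_ip(msg):
    """Peer IP from the topmost Received header, the only one our own border mail
    server wrote (assumed to log the peer as '[a.b.c.d]'); lower ones are forgeable."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]
    start, end = top.find("["), top.find("]")
    if start < 0 or end < start:
        return None
    try:
        return ipaddress.ip_address(top[start + 1:end])
    except ValueError:
        return None

def screen(raw_message):
    """Return the red flags found in one raw message (empty list = clean)."""
    msg = message_from_string(raw_message)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    claimed_domain = addr.rpartition("@")[2].lower()
    ip = sending_ip(msg)
    from_our_relay = ip is not None and any(ip in net for net in AUTHORIZED_NETS)
    # Control 1: a From address in our own domain must arrive from our own relays
    if claimed_domain == COMPANY_DOMAIN and not from_our_relay:
        flags.append("spoofed-internal-sender")
    # Control 2: attachment names ending in the extensions the article warns about
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment:" + name)
    return flags

# Constructed header-only samples: an outsider posing as the CEO with an .exe, then the same From line relayed by an authorized company server
SPOOFED = """Received: from mail.badhost.invalid (unknown [198.51.100.7]) by mx.example.com
From: "CEO" <ceo@example.com>
Content-Disposition: attachment; filename="Report.exe"
Subject: Urgent: review before the trade report"""
LEGIT = """Received: from relay1.example.com (relay1.example.com [203.0.113.10]) by mx.example.com
From: "CEO" <ceo@example.com>
Subject: Quarterly update"""
```

Mail from outside domains is left alone by the first control; only messages that borrow the company's own domain without coming through its relays are flagged.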

Wosotowsky said spearphishing is still rare compared with traditional phishing, but appears to be growing in popularity as the money in traditional spamming dries up because of better protection against mass emails.

Jon Heimerl, a strategist for security services provider Solutionary, said he had one client, a company CEO, who bought a new BMW every three years. A hacker found out that the CEO was looking to buy and sent him an email purporting to be from a local BMW dealer, asking him to fill out a survey in exchange for a discount. Heimerl said that after his client used his personal email account to comply, a virus opened on his work computer.

The virus then sent out an email from the CEO’s work account to everyone in the company. The subject line, Heimerl said, was something about the company getting acquired, which prompted nearly everyone to open it.

“It pretty much shut them down for the better part of three days,” he said.

The consequences of not being careful can be severe. The alleged scammers from China are accused of successfully hacking into the computers of U.S. companies involved in nuclear energy, steel manufacturing and solar energy.

One of the alleged Chinese spearphishers, according to the indictment, was able to steal host names and descriptions for more than 1,700 company servers, including those that controlled physical access to the company’s facilities and mobile access to its networks.

Photo: Akasped via Flickr
