In designing such messages and deciding on recipients, criminals use not only relatively sophisticated software tools, but the reams of publicly available information about corporate executives.
The latter data comes from U.S. Securities and Exchange Commission documents and corporate Web sites and also from social networking sites, including LinkedIn, ZoomInfo, Facebook and even MySpace, where executives post information about themselves that can be seen by anyone who cares to look. Information about past jobs, college affiliations and major projects can all be used by social engineers to create messages that the recipients are likely to open.
"It is serious because they [send] an e-mail from outside but make it look like it's coming from inside the company, from someone who is in contact with the target. Maybe it's someone who works two floors up," Hyppönen says.
In such cases, the vehicle for the Trojan is a Word or Excel file containing the exploit. "It really is a document, but it's corrupted, and it will crash your version of Word and run the exploit."
F-Secure has seen cases where the exploit code is modified just enough to go undetected by the particular antivirus program the target company is running -- and the hackers have done the work of finding out just what those programs are. Because only small changes are needed to slip past a given signature, each variant still looks much like the original, and such lightly modified exploit code is harder for signature-based scanners to catch.
Inside Job?
Perhaps even more disturbing, knowing which security products the company runs could well mean that the attacker works at the company or knows someone who does or did.
F-Secure has seen 20 to 25 such attacks in two years, Hyppönen estimates. "It's not awfully common, but in those cases where it happens, it's a real nightmare. [Sometimes the breach] was discovered when the sysadmins looked at firewall logs and at where users were connecting and looked for anomalies," he says. "They might see that those two workstations in the R&D department are connecting to a server in mainline China where they shouldn't be connecting."
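The firewall-log review Hyppönen describes can be reduced to a small script. The example below is added here and is not F-Secure's code or the article's; it assumes a hypothetical log format ("time src dst dport action"), a hypothetical asset inventory mapping subnets to departments, a stand-in geolocation table in place of a real GeoIP database, and a per-department country policy. The log lines and addresses (IETF documentation ranges) are constructed. It flags outbound connections from a department to a country that department has no business talking to, counts how many workstations share the same suspicious destination, and checks whether the connections recur at a fixed interval, the beaconing pattern of an implant checking in with its controller.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound firewall log lines (hypothetical format:
# "<ISO time> <src_ip> <dst_ip> <dst_port> <action>"); not real traffic.
FIREWALL_LOG = """\
2007-03-01T09:00:02 10.20.5.17 192.0.2.10 443 ALLOW
2007-03-01T09:00:10 10.20.5.17 198.51.100.77 443 ALLOW
2007-03-01T09:01:30 10.20.6.4 198.51.100.77 443 ALLOW
2007-03-01T09:05:10 10.20.5.17 198.51.100.77 443 ALLOW
2007-03-01T09:07:45 10.20.5.23 203.0.113.9 80 ALLOW
2007-03-01T09:10:10 10.20.5.17 198.51.100.77 443 ALLOW
2007-03-01T09:12:00 10.20.5.23 198.51.100.77 443 ALLOW
2007-03-01T09:15:10 10.20.5.17 198.51.100.77 443 ALLOW
2007-03-01T09:20:00 10.20.5.23 198.51.100.77 443 ALLOW
2007-03-01T09:33:00 10.20.5.23 198.51.100.77 443 DENY
2007-03-01T09:41:00 10.20.5.23 198.51.100.77 443 ALLOW
"""

# Hypothetical asset inventory: which internal subnet belongs to which department.
DEPARTMENT_SUBNETS = {
    ipaddress.ip_network("10.20.5.0/24"): "R&D",
    ipaddress.ip_network("10.20.6.0/24"): "Sales",
}

# Stand-in for a GeoIP database (assumption; TEST-NET ranges mapped to countries).
GEO_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}

# Hypothetical policy: countries each department is expected to connect to.
ALLOWED_COUNTRIES = {"R&D": {"US", "DE"}, "Sales": {"US", "DE", "CN"}}


def lookup(table, ip):
    """Return the table value whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, value in table.items():
        if addr in net:
            return value
    return None


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def is_periodic(times, tolerance=0.1):
    """True when every gap between consecutive connections lies within
    `tolerance` of the median gap, i.e. the flow looks like a beacon."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    return med > 0 and all(abs(g - med) <= tolerance * med for g in gaps)


def find_anomalies(log_text, min_hits=2):
    """Group allowed connections by (src, dst) and flag flows from a
    department to a country outside its policy."""
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, _dport, action = parse_line(line)
        if action != "ALLOW":        # only completed connections matter here
            continue
        flows[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sorted(flows.items()):
        dept = lookup(DEPARTMENT_SUBNETS, src)
        country = lookup(GEO_PREFIXES, dst)
        if dept is None or country is None:
            continue                 # unknown host or unmapped destination
        if country in ALLOWED_COUNTRIES.get(dept, set()):
            continue
        if len(times) < min_hits:
            continue
        findings.append({
            "src": src, "dst": dst, "department": dept, "country": country,
            "hits": len(times), "periodic": is_periodic(sorted(times)),
        })
    return findings


def shared_destinations(findings):
    """Map each flagged destination to the set of internal hosts reaching it;
    several workstations on one odd server is the pattern Hyppönen describes."""
    shared = defaultdict(set)
    for f in findings:
        shared[f["dst"]].add(f["src"])
    return {dst: srcs for dst, srcs in shared.items() if len(srcs) > 1}


if __name__ == "__main__":
    for f in find_anomalies(FIREWALL_LOG):
        print(f)
    print(shared_destinations(find_anomalies(FIREWALL_LOG)))
```

On the constructed log this flags both R&D workstations talking to the same host in the "CN" range and ignores the Sales host, whose policy permits that country; the first R&D host is also marked periodic because it checks in every five minutes. In practice the country table would come from a GeoIP database and the policy from the network team, and a denied attempt (the DENY line is skipped above) would be worth a second look on its own.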
In other cases, because the payload sometimes installs a software rootkit, a user might start having PC problems. When IT then runs F-Secure's BlackLight or another rootkit detector to troubleshoot and finds something hidden, that in turn leads them to suspect malware.
Just who are these criminals, and what do they want with executives' data?
For many criminals, data theft is purely a numbers game. A valid credit card number can be sold for a certain amount of money. A wealthy executive's credit card, with driver's license number and Social Security number, might be worth 10 or 20 times that.
"A typical credit card number goes for 50 cents to $5, depending on the credit line and so on. If you want to buy an identity with Social Security number, that might be $10 to $150," says Symantec's Ramzan.
MessageLabs' Sargeant believes the bad guys are more likely members of organized cybercrime rings rather than corporate spies. "To get all this information, put it all together and use it, certainly this is organized crime in the purest sense of the term. My gut feeling is it's not corporate espionage per se; it's more information to be bought and sold and traded and accounts to be cracked," Sargeant says.