In one case in 2012, an email appeared to have come from organizers of the Boao Forum, a China-run meeting modeled after Switzerland's World Economic Forum. The English text, grammatically perfect, was copied and pasted from legitimate emails sent by Ogilvy, the international PR firm. It made for a much more convincing phishing attempt than the one-liners we used to receive, which read: "China's environmental topic. The latest news."
Mandiant's report observes the same developing sophistication: "They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China -- before beginning the cycle again. They employ good English -- with acceptable slang -- in their socially engineered emails."
Opening the Boao attachment would have shown a sign-up sheet for journalists interested in attending the event. The actual payload would run in the background, installing a rare "Trojan" that would send information stolen from the computer to a server located in Chongqing, China. The recipient would never have known he or she had been compromised.
Some phishing emails were bespoke. To my knowledge, I was the only recipient in August 2011 of an email that took advantage of the CVE-2010-3333 vulnerability, a flaw in Microsoft Word's codebase. The message, in Chinese, concerned a July 2011 high-speed rail crash in the city of Wenzhou, a story I had covered and complemented with prolific live-tweeting. The message discussed comments from press freedom organization Reporters Without Borders concerning media access to the crash site. The hackers would have had to know I understood Chinese and would have put in some time to research recent stories I'd worked on. A few other journalists received custom phishing attempts during this period, each email message different but all taking advantage of the same exploit.
Mandiant's report underscores how difficult it is these days to spot a hacker. "The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples' names -- names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel -- and uses these accounts to send the emails."
The irony in this brave new world of the digital frontier is that we need to return to old technologies. If you want to check an attachment's safety, pick up the phone and call the sender. Even writing back by email might not work. Mandiant describes one instance in which the hacker responded to a query by vouching for the attachment ("It's legit," the email read). Email back … and you may well start chatting with the very person who is trying to deceive you.