The Washington Post

China hack of Chamber of Commerce highlights ‘spear-phishing’ dangers

Hackers from China have reportedly been able to break into the systems at the U.S. Chamber of Commerce, stealing an unspecified amount of data and possibly gaining undetected access to the network for over a year. The Wall Street Journal reported that the hackers used “spear-phishing” — highly personalized e-mails that entice users to click on a link or open a file — to gain access to the Chamber of Commerce’s network.

More advanced spear-phishing attacks have been on the rise in the past year, in part because it’s so much easier for hackers to customize enticing messages based on data pulled from social networks.

Rohyt Belani, chief executive and co-founder of the spam education company PhishMe, said hackers used to focus their messages on high-level managers and officials with more network privileges. As spear-phishing has become more sophisticated, however, hackers have been able to convince more people to grant them access to the network by clicking a link or opening an attachment.

“When we talk to folks today, we want to say, ‘Don’t just focus awareness efforts on high-level targets; it has to be a wider net.’ ”

Scott Greaux, product manager for PhishMe, said scammers can now send messages that “look like something you expected to receive.” These messages will often include correct references and ask you to take an action, such as visiting a site that will attempt to install malicious software or downloading an attachment.

Technology designed to detect these kinds of attacks can go only so far, Belani said.

“The focus in the security industry has typically been ‘What shiny box can I throw this in?’ ” he said. “It’s great if you can catch this advanced malware but better if we can reduce the probability of it getting through. If you can get your human sensors activated, you can thwart this kind of thing.”

Attacks such as this don’t have to come from particularly skilled or advanced hackers, Greaux said, because the attacks aren’t necessarily exploiting a technology problem.

“It doesn’t have to be sophisticated anymore. Social media . . . makes for a rich starting point,” he said. “They can make it very personal to me as an end-user. . . . Organizations should talk about this more openly and start a more candid conversation.”

Hayley Tsukayama covers consumer technology for The Washington Post.