Is your boss a cybercrime target?
In one click, a CFO can have a big problem. If you're the IT manager, you're going to have one too.
Barbara Darrow 15/11/2007 11:18:07

Inside job?

Perhaps even more disturbing, the knowledge of the company's security systems could well mean that the attacker works at the company or knows someone who does or did.

F-Secure has seen 20 to 25 such attacks in two years, Hyppönen estimates. "It's not awfully common, but in those cases where it happens, it's a real nightmare. [Sometimes the breach] was discovered when the sysadmins looked at firewall logs and at where users were connecting and looked for anomalies," he says. "They might see that those two workstations in the R&D department are connecting to a server in mainline China where they shouldn't be connecting."
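The firewall-log review described above can be approximated with a rarity check: list the external destinations that only one or two internal hosts reach, and reach repeatedly. This is an added example, not part of the original article; the log format, addresses, internal range and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in an assumed format: "<time> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2007-11-12T09:00:03 10.1.10.5 198.51.100.10 80 ALLOW
2007-11-12T09:00:09 10.1.10.6 198.51.100.10 80 ALLOW
2007-11-12T09:01:12 10.1.20.14 198.51.100.10 80 ALLOW
2007-11-12T09:02:40 10.1.20.15 198.51.100.10 80 ALLOW
2007-11-12T09:05:00 10.1.20.14 203.0.113.77 443 ALLOW
2007-11-12T10:05:01 10.1.20.14 203.0.113.77 443 ALLOW
2007-11-12T10:07:30 10.1.20.15 203.0.113.77 443 ALLOW
2007-11-12T11:05:02 10.1.20.14 203.0.113.77 443 ALLOW
2007-11-12T11:30:00 10.1.10.5 192.0.2.50 25 ALLOW
2007-11-12T11:31:00 10.1.10.6 203.0.113.77 443 DENY
garbled line
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def rare_destinations(log_text, max_sources=2, min_connections=3):
    """Return (destination, sources, hits) for external destinations that are
    reached repeatedly by only a handful of internal hosts."""
    sources = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        try:
            _, src, dst, _, action = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip blank or malformed lines instead of aborting the review
        # Count only permitted outbound traffic from internal hosts.
        if action != "ALLOW" or src not in INTERNAL or dst in INTERNAL:
            continue
        sources[dst].add(src)
        hits[dst] += 1
    findings = [
        (str(dst), sorted(str(s) for s in srcs), hits[dst])
        for dst, srcs in sources.items()
        if len(srcs) <= max_sources and hits[dst] >= min_connections
    ]
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for dst, srcs, count in rare_destinations(SAMPLE_LOG):
        print(f"{dst}: {count} connections from {', '.join(srcs)}")
```

Destinations that most of the organization uses drop out of the result, so what remains is a short list for an analyst to check against what those workstations should be talking to.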

In other cases, since the exploit sometimes uses software rootkits, a user might start having PC problems. When IT then runs F-Secure's BlackLight or another rootkit detector for debugging and finds a problem, that in turn leads them to suspect the presence of malware.

Just who are these criminals, and what do they want with executives' data?

For many criminals, data theft is purely a numbers game. A valid credit card number can be sold for a certain amount of money. A wealthy executive's credit card, with driver's license number and Social Security number, might be worth 10 or 20 times that.

"A typical credit card number goes for 50 cents to $5, depending on the credit line and so on. If you want to buy an identity with Social Security number, that might be $10 to $150," says Symantec's Ramzan.

MessageLabs' Sargeant believes the bad guys are more likely members of organized cybercrime rings rather than corporate spies. "To get all this information, put it all together and use it, certainly this is organized crime in the purest sense of the term. My gut feeling is it's not corporate espionage per se; it's more information to be bought and sold and traded and accounts to be cracked," Sargeant says.

That's not to say corporate spying isn't one goal of such activities -- only that it's most likely instigated by a third party rather than by a direct competitor, Sargeant says. "If you managed to get specific information on, say, Nikon, you might try to market it to some corporate rival -- you might say 'Canon could be interested.' But I don't see it starting within companies."

F-Secure's Hyppönen isn't so sure. He says the malefactors could be organized criminals, corporate spies or some combination of the two. Most of the attacks F-Secure has handled have been clustered in similar industries, and the target information has been more corporate than personal.

"We don't really know if this is outsourced or espionage. Most of the [affected] companies all work within the same industry area," Hyppönen says, though he declines to specify which industries in Europe have been affected. Some government organizations, including parliament personnel in some countries, have also been targeted, he adds.

Tracking the cybercriminals back to their digital lairs is difficult. They typically route harvested data through a series of "DNS bouncers," which send it from server to server across international borders to obfuscate the final destination.

"Initially, it looks like the information is going to China, so the first thought is, 'It must be the Chinese,' but it's not that easy. If you're about to do corporate espionage, it's probably a pretty smart thing to point people at China," Hyppönen notes.

The phenomenon of bad guys targeting top dogs inside the corporate firewall is growing for three reasons, observers say:

  • Executives are reading their own e-mails and using their own PC applications rather than leaving those tasks to an administrative assistant.

  • They're traveling more with itty-bitty (and less-secure) digital devices in tow.

  • Like everyone else, they're exploring the power of social networks, inadvertently exposing details along the way that could make them targets of criminals.