IKEA has been caught in the middle of a destructive phishing campaign, where hackers are targeting employees in internal phishing attacks which make use of stolen reply-chain emails. A reply-chain email attack is when threat actors steal legitimate corporate emails and then reply to them with links to malicious documents that install malware on recipients’ devices.
Because reply-chain emails are legitimate emails from a company, recipients are far more likely to trust the sender and to open any attached malicious documents. It is by far the most effective method of phishing.
Internal emails, seen by reporters at BleepingComputer, show that IKEA is warning employees of an ongoing reply-chain phishing cyber-attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.
“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” explained an internal email sent to IKEA employees.
“This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.”
IKEA's IT teams warn employees that the phishing emails contain links with seven digits at the end, and share an example email, as shown below. In addition, employees are told not to open the emails, regardless of who sent them, and to report them to the IT department immediately.
Recipients are also told to contact the sender of the emails via Microsoft Teams chat and ask them to report the emails.
“Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” IKEA communicated to employees.
From the URLs which were redacted above, reporters have been able to identify the nature of the phishing attacks targeting IKEA.
Visiting these URLs, a browser will be redirected to a download called ‘charts.zip’ that contains a malicious Excel document. This attachment tells recipients to click the ‘Enable Content’ or ‘Enable Editing’ buttons to properly view it, as shown below.
When the buttons on the document are clicked, malicious macros will force a download of files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote site and save them to the C:\Datop folder.
These OCX files are renamed DLLs and are executed using the regsvr32.exe command to install the malware payload.
Campaigns using this method have been seen installing the Qbot trojan (aka QakBot and Quakbot) and possibly Emotet.
The Qbot and Emotet trojans both lead to further network compromise and ultimately the deployment of ransomware on a breached network.
Due to the severity of these infections and the likely compromise of their Microsoft Exchange servers, IKEA is treating this security incident as a significant cyberattack that could potentially lead to a far more disruptive attack.
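The two indicators described above (links ending in seven digits, and regsvr32.exe loading .ocx files from C:\Datop) can be turned into simple triage checks. The following is an added example, not code from IKEA or BleepingComputer; the event field names are modeled on Sysmon process-creation events, and the sample email body, URLs and events are constructed for illustration.

```python
import re

# Indicator from the IKEA warning: links "with seven digits at the end".
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SEVEN_DIGITS_AT_END = re.compile(r"(?<!\d)\d{7}/?$")  # exactly seven, optional slash

# Indicator from the infection chain: regsvr32.exe loading an .ocx in C:\Datop.
DATOP_OCX = re.compile(r'c:\\datop\\[^\\\s"]+\.ocx', re.IGNORECASE)

def seven_digit_links(body):
    """Return URLs in an email body whose path ends in exactly seven digits."""
    urls = (u.rstrip(".,;)") for u in URL_RE.findall(body))
    return [u for u in urls if SEVEN_DIGITS_AT_END.search(u)]

def _exe(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_regsvr32(events):
    """Return (command line, reasons) for regsvr32 launches matching the chain."""
    hits = []
    for ev in events:
        if _exe(ev.get("Image", "")) != "regsvr32.exe":
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        if DATOP_OCX.search(cmd):
            reasons.append("loads .ocx from C:\\Datop")
        # Assumption: the macro launches regsvr32 directly, so Excel is the parent.
        if _exe(ev.get("ParentImage", "")) == "excel.exe":
            reasons.append("spawned by Excel")
        if reasons:
            hits.append((cmd, reasons))
    return hits

# Constructed sample data (not taken from the incident).
SAMPLE_BODY = ("Re: Q4 figures - see https://example.test/docs/1234567 and "
               "https://example.test/order/12345678, or https://example.test/a/7654321/.")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Datop\besta.ocx",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(seven_digit_links(SAMPLE_BODY))
    for cmd, reasons in flag_regsvr32(SAMPLE_EVENTS):
        print(cmd, "->", ", ".join(reasons))
```

The seven-digit pattern alone will also match ordinary links such as order or ticket numbers, so it is better used to prioritise quarantined messages for review than to block mail outright.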
Protection Against Phishing
There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.