IKEA's email system under attack, report


Reply-chain attacks allow hackers to send malicious emails from genuine accounts

IKEA is undergoing a cyber attack that uses internal emails to deliver malicious links.

Documents seen by BleepingComputer over the weekend suggest the attack is ongoing and affects the furniture giant, as well as third-party suppliers and business partners.

"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," an internal email sent to IKEA employees said.

"This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious."

The incident appears to be an email reply-chain attack. Such attacks begin with an email account being compromised and hijacked, typically through phishing or password spraying. Alternatively, hackers may compromise email servers such as Exchange Server to gain administrative access to many mailboxes at once.

The attackers are then able to monitor emails and watch for opportunities to send malicious links or malware disguised as legitimate documents. The attack is effective because the emails come from a trusted account, and because the attacker can read the existing conversation they can craft convincing, context-aware messages, greatly increasing the chance that the recipient will click on a link. Hackers also often set up an alternative inbox to receive replies, so that the owner of the compromised account remains unaware.

In the IKEA case, the download links had seven digits at the end, and employees have been asked to watch out for such links and avoid clicking on them or even opening suspicious emails, according to documents seen by BleepingComputer.
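As an added illustration, not code from the article or from IKEA's own tooling, the following Python routine applies the two observable signals described above to an incoming message: download links ending in seven digits, and replies whose Reply-To header points to a different domain than the From address. The sample messages are constructed, and the domains, the header set and the exact digit-boundary rule are assumptions.

```python
import re
from email import message_from_string, policy

# Indicator from the article: the malicious download links ended in seven digits.
# Requiring exactly seven digits (not preceded by another digit) is an assumption.
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _domain(header_value: str) -> str:
    """Lowercase domain of an address such as 'Name <user@host>' ('' if none)."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message and report the reply-chain signals it carries."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Signal 1: any link whose final characters are a seven-digit sequence.
    urls = URL_RE.findall(text)
    suspicious_urls = [u for u in urls if SEVEN_DIGIT_TAIL.search(u.rstrip("/.,);"))]
    # Signal 2: the attacker's "alternative inbox" shows up as a Reply-To on another domain.
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    reply_to_mismatch = bool(reply_domain) and reply_domain != from_domain
    # Context: the message continues an existing thread, which is what makes it convincing.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")
                    or str(msg.get("Subject", "")).lower().startswith("re:"))
    # A seven-digit link is quarantined outright; a lone Reply-To mismatch goes to human review.
    verdict = "quarantine" if suspicious_urls else ("review" if reply_to_mismatch else "allow")
    return {"is_reply": is_reply, "reply_to_mismatch": reply_to_mismatch,
            "suspicious_urls": suspicious_urls, "verdict": verdict}

# Constructed sample messages (not real mail); domains use the reserved .example TLD.
MALICIOUS = """\
From: Partner Contact <contact@supplier.example>
Reply-To: Partner Contact <contact@mail-relay.example>
Subject: RE: Q4 order confirmation
In-Reply-To: <20211120.1@corp.example>
Content-Type: text/plain; charset="utf-8"

Hi, the updated order sheet is here: https://files.example/docs/view/4829173
"""
BENIGN = """\
From: Colleague <colleague@corp.example>
Subject: RE: Q4 order confirmation

Thanks, the minutes are at https://intranet.corp.example/minutes/2021-11
"""
```

Running `triage(MALICIOUS)` yields a `quarantine` verdict with the seven-digit link listed and the Reply-To mismatch flagged, while `triage(BENIGN)` returns `allow` even though it is also a reply in the same thread.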

"Our email filters can identify some of the malicious emails and quarantine them. Because the email could be a reply to an ongoing conversation, it is easy to think that the email filter made a mistake and to release the email from quarantine. We are therefore, until further notice, disabling the possibility for everyone to release emails from quarantine," IKEA's IT team told its employees.

In a statement sent to Computing, an IKEA spokesperson said: "We are aware of the situation regarding the phishing attack against parts of the IKEA organisation. Actions have been taken to prevent damage, and a full-scale investigation is ongoing to seal and solve the issue. We take the matter very seriously as safeguarding personal data is a primary concern for IKEA.

"It is of our highest priority that IKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly. To ensure this, we use security technology to encrypt all personal information, including card numbers, addresses, and other information.

"We have no indication that customer data has been compromised."

This article was amended to add the above statement from IKEA.