Today, in the digital, online world we move in, your data, mine and that of every user, regardless of status, class or job, is worth more than gold. For this reason, there are those who make their living exclusively by trading in databases stolen from hundreds, thousands or millions of customers of a platform, service or company.
And if we talk about a giant like Ikea, we are talking about a gigantic database.
Cyber attacks against Ikea on the rise
According to BleepingComputer, IKEA “is fighting cyberattacks that target employees in internal phishing attacks using stolen reply-chain emails”. A reply-chain email attack is when a cybercriminal steals legitimate corporate emails and then replies to them with links to malicious documents that install malware on the targets' devices.
As these reply-chain emails are legitimate company emails and are often sent from compromised email accounts and internal servers, recipients trust them and are more likely to open the malicious documents. In internal emails seen by BleepingComputer, IKEA warns employees of a reply-chain cyber attack targeting internal mailboxes. These emails are also being sent from other compromised IKEA organizations and business partners.
Objective: The Ikea customer database
“There is an ongoing cyber attack targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers and business partners are compromised by the same attack and are spreading malicious emails to people at Inter IKEA”, explains an internal email sent to IKEA employees and viewed by BleepingComputer.
“This means that the attack can come through the email of someone you work with, from any external organization, and in response to a conversation already in progress. Therefore, it is difficult to detect, so we ask you to take extreme precautions”.
IKEA teams are warning employees that these reply-chain emails contain links with seven digits at the end. Additionally, employees are told not to open the emails, regardless of who sent them, and to report them immediately to the IT department. Attackers have recently started “to compromise internal Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities to carry out phishing attacks”.
There is also a concern that recipients may release malicious phishing emails from quarantine, thinking they were caught by the filters by mistake. Because of this, the company is disabling the ability for employees to release emails until the attack is resolved.
Emotet to attack
From the URLs shared in the phishing email described above, BleepingComputer has been able to identify the attack targeting IKEA:
- Once those buttons are clicked, malicious macros run which download files named ‘besta.ocx’, ‘bestb.ocx’ and ‘bestc.ocx’ from a remote site and save them in the C:\Datop folder.
- These OCX files are renamed as DLL and are run using the regsvr32.exe command to install the malware payload.
Campaigns using this method have been seen to install the Qbot Trojan (also known as QakBot and Quakbot) and possibly Emotet, based on a VirusTotal submission found by BleepingComputer. The Qbot and Emotet Trojans lead to increased network compromise and ultimately the deployment of ransomware on a breached network.
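The indicators described above (regsvr32.exe running the renamed besta/bestb/bestc files from C:\Datop, and links ending in seven digits) can be turned into simple triage checks. The following is an added example, not code from IKEA or BleepingComputer; the event field names, the Office parent-process check and the sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators from the article: C:\Datop, besta/bestb/bestc, regsvr32.exe,
# links ending in seven digits. Everything else is an assumption.
DROP_DIR = "c:\\datop\\"
PAYLOAD_NAME = re.compile(r"best[abc]\.(?:ocx|dll)", re.I)
OFFICE_PARENTS = {"excel.exe", "winword.exe"}   # assumed macro hosts
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_regsvr32_chain(event):
    """Return reasons a process-creation event matches the described chain."""
    if basename(event.get("image", "")) != "regsvr32.exe":
        return []
    cmd = event.get("command_line", "").lower()
    reasons = []
    if DROP_DIR in cmd:
        reasons.append("target under C:\\Datop")
    if PAYLOAD_NAME.search(cmd):
        reasons.append("besta/bestb/bestc payload name")
    if basename(event.get("parent_image", "")) in OFFICE_PARENTS:
        reasons.append("launched by an Office application")
    return reasons

def link_ends_in_seven_digits(url):
    """True when the URL path ends in exactly seven digits."""
    return bool(SEVEN_DIGIT_TAIL.search(urlparse(url).path.rstrip("/")))

# Constructed sample events (field names are hypothetical, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe C:\Datop\besta.dll",
     "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"host": "ws-02", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Datop\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]

def triage(events):
    """Map host -> reasons for every event that matched at least one check."""
    hits = {}
    for ev in events:
        reasons = match_regsvr32_chain(ev)
        if reasons:
            hits[ev["host"]] = reasons
    return hits
```

The seven-digit check is a weak signal on its own and is best used to prioritise reported emails rather than to block them.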
No, your data has not been stolen
Today, the Swedish company has denied to Europa Press that there has been an attack. What has happened is that “an increase in staff phishing attempts has been detected and several external organizations outside the Ingka Group have been identified as sources of these fraudulent emails”, Ingka Group, the Ikea franchisee and owner of most of its stores, explained in a statement.
Faced with these attempts, employees have been warned internally to stay alert and take the necessary precautions. In addition to this, the company assures that “measures have been taken to avoid any impact on Ikea customers, employees and business partners”, and that “nor are there indications that personal data is at risk or has been compromised.”