
Why does the cyber attack on Ikea worry experts?

by admin

Over the weekend, news broke of an insidious phishing campaign hitting the retail giant Ikea. The story was reported by BleepingComputer, which was able to view an email the company sent to employees to inform them of the attack in progress.

But why does this attack worry the experts? Ikea employees have been targeted by a phishing campaign that uses an extremely insidious technique known as stolen internal reply-chain emails. The attackers first compromise the mail servers of the targeted organizations; once inside, they send phishing emails to employees as replies to messages those employees had actually exchanged with their colleagues. Detecting these attacks is genuinely hard, because the phishing email comes from a colleague, or from an organization we routinely correspond with, and arrives as a reply to a message that was really sent.

The methodology was recently documented by the security firm Trend Micro, whose experts identified campaigns that compromise Microsoft Exchange mail servers by exploiting known, tracked vulnerabilities such as ProxyShell and ProxyLogon.

This technique circumvents the main controls implemented by many companies, and access to the mail servers could allow the attackers to reach customers and business partners as well: “In internal emails viewed by BleepingComputer, Ikea warns employees of an ongoing reply-chain phishing attack targeting internal email accounts”, BleepingComputer writes.

And again: “There is an ongoing cyber attack targeting Ikea emails. Other Ikea organizations, suppliers and business partners are exposed to the same attack and are further spreading malicious emails to people in Ikea”, reads the email sent by Ikea to employees. “This means that the attack can come via email from someone you work with, from any outside organization, and as a response to conversations already in progress. It is therefore difficult to detect, so we ask you to be more cautious”.

The message alerts employees and explains that the fraudulent messages are difficult to distinguish because they have an internal source. The links contained in the phishing messages end with 7 digits, and clicking on them starts the infection process.

Ikea also shared with employees an example of a fraudulent email used in the recent attacks, asking them to promptly report any suspicious messages and to contact the sender through a different channel (chat or phone) to let them know that their account has been compromised.

Some of these messages may have been quarantined by the defense systems; for this reason employees have been prevented from releasing them from quarantine, so that nobody comes to believe the message was blocked by mistake.

What is the purpose of the attack on Ikea? Analysis of the links in the emails that targeted employees showed that they pointed to an archive called Charts.zip containing an Excel document. Once the document is opened and the included macros are enabled, the infection process starts with the Qbot Trojan. Malware such as Qbot is used by criminal gangs to gain access to victims’ networks and distribute various families of ransomware.
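As an added illustration (not part of the original article, nor material from Ikea or BleepingComputer), the following Python triage script turns the two indicators the article gives, a message that is a reply in an existing thread and a link ending in seven digits, into a mail-gateway check. It also flags archive or Excel attachments of the kind described (a Charts.zip carrying a macro document), which generalizes the article's link-to-archive case to the lure being attached directly. Every message, address and domain below is constructed sample data.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Any http(s) URL in the body, then "ends in exactly seven digits" as described.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")
# Archive or Excel attachments: the lure format the article describes.
ARCHIVE_OR_OFFICE = re.compile(r"\.(zip|xls[mx]?)$", re.IGNORECASE)


def extract_indicators(raw_message: str) -> dict:
    """Collect reply-chain phishing indicators from one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # A reply into an existing thread carries In-Reply-To and/or References.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    seven_digit_links = [u for u in URL_RE.findall(body) if SEVEN_DIGIT_TAIL.search(u)]

    attachment_names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky_attachments = [a for a in attachment_names if ARCHIVE_OR_OFFICE.search(a)]

    return {
        "subject": str(msg.get("Subject", "")),
        "is_reply": is_reply,
        "seven_digit_links": seven_digit_links,
        "risky_attachments": risky_attachments,
    }


def should_hold(indicators: dict) -> bool:
    """Hold for analyst review when a reply carries the link pattern or a lure attachment."""
    return indicators["is_reply"] and bool(
        indicators["seven_digit_links"] or indicators["risky_attachments"]
    )


def build_sample(subject, sender, in_reply_to, body, attachment=None) -> str:
    """Build a constructed RFC 822 message (sample data, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "colleague@example.com"
    msg["Subject"] = subject
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content(body)
    if attachment:
        # A few bytes of zip magic stand in for the archive; the name is what we triage.
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_string()


# Constructed samples: benign reply, reply with a 7-digit link, reply with an
# archive attached, and a non-reply newsletter whose link also ends in 7 digits.
SAMPLE_MAILS = [
    build_sample("Re: Q4 planning", "alice@example.com", "<m1@example.com>",
                 "Thanks, the slides are here: https://intranet.example.com/docs/q4-planning\n"),
    build_sample("Re: Q4 planning", "alice@example.com", "<m1@example.com>",
                 "Please review the charts: https://example.net/view/1234567\n"),
    build_sample("Re: invoice 2021", "bob@partner.example.org", "<m2@example.com>",
                 "Updated figures attached.\n", attachment="Charts.zip"),
    build_sample("Newsletter", "news@example.org", None,
                 "Issue 1234567 is out: https://example.org/issues/1234567\n"),
]


def triage(raw_messages) -> list:
    """Return (subject, hold) pairs for a batch of raw messages."""
    return [(ind["subject"], should_hold(ind))
            for ind in map(extract_indicators, raw_messages)]


if __name__ == "__main__":
    for subject, hold in triage(SAMPLE_MAILS):
        print(f"{'HOLD' if hold else 'pass'}  {subject}")
```

This is a hold-for-review signal rather than a blocking rule: a legitimate reply can carry a ticket URL that happens to end in digits, so the held message should go to an analyst, and the recipient should still be told to confirm with the apparent sender over chat or phone, as Ikea's own guidance asks.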

We can therefore assume that the ultimate goal of the attack was to install ransomware within the Ikea network. “The attack on Ikea, according to the information available at the moment, can also have consequences in the medium and long term”, explained Marco Govoni, ICT and security consultant. “It seems that some email accounts have been compromised and that the internal phishing activity started from these. The fact that the cybercriminals then managed to steal the identities of some employees of the Swedish giant allowed them to send emails that may have been deemed legitimate by the recipients. It is like opening the doors of your own home to a criminal disguised as your best friend”. And again: “The aspect that worries most is the contact that, presumably, there has been with suppliers and partners. It could become a classic supply chain attack scheme, but on a scale that cannot be defined at the moment”.

The attack should put organizations on alert, because the method described is difficult to identify, and to avoid compromise of company infrastructure all systems must be kept up to date.

