IKEA under attack from an internal phishing campaign

IKEA, the Swedish-founded, Dutch-headquartered multinational conglomerate, recently reported waves of an internal phishing campaign. Threat actors used compromised internal servers to send the company's employees emails with malicious attachments. Cyber security specialists note that the same technique was used in recent campaigns spreading the Emotet and Qakbot trojans. The overall picture suggests the company may face further cyber security threats, although no further details were provided.

Threat actors attacked IKEA with an internal phishing campaign

In attacks like this, threat actors typically compromise internal Microsoft Exchange servers through the ProxyLogon and ProxyShell vulnerabilities. Once they have access to a server, they launch reply-chain attacks against employees, replying to stolen corporate email threads. Because the messages arrive as replies within the company's own conversations, they carry a strong appearance of legitimacy.

“This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious,” reads an internal email sent to IKEA employees.

According to IKEA's IT specialists, the warning sign that an email is malicious is an attachment whose name ends in seven digits. The company also told employees not to open the emails in question and to report them straight to the IT department. As a further precaution, management restricted employees' ability to retrieve emails that end up in their quarantine boxes.

IKEA phishing emails contained a malicious attachment

The malicious emails contained URLs that redirected the browser to a download named “charts.zip”, which held an Excel document. Recipients were prompted to click the Enable buttons to view the document, and doing so immediately ran the malicious macros. The macros downloaded files named ‘besta.ocx’, ‘bestb.ocx’ and ‘bestc.ocx’ from a remote site and saved them to the C:\Datop folder. The files, renamed as DLLs, were then executed with the regsvr32.exe command to install the malware payload.
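A defender-side view of that chain, as an added example that is not from the article or any vendor product: a small Python check over process-creation events that flags regsvr32.exe when it is launched by an Office application, loads from the C:\Datop staging folder, or references the besta/bestb/bestc file names. The event schema and the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Simplified process-creation record (constructed schema, not Sysmon/EDR)."""
    parent: str   # image name of the parent process
    image: str    # full path of the created process
    cmdline: str  # command line of the created process

# Drop folder named in the article, and the Office hosts that macros run inside.
# Lower-cased because all comparisons below are case-insensitive.
STAGING_DIRS = (r"c:\datop",)
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# besta.ocx / bestb.ocx / bestc.ocx, possibly renamed to .dll before loading
DROPPED_NAME = re.compile(r"\\best[a-z]\.(ocx|dll)\b")

def regsvr32_reasons(ev):
    """Return why an event matches the loader stage; an empty list means clean."""
    reasons = []
    if not ev.image.lower().endswith("regsvr32.exe"):
        return reasons
    cmd = ev.cmdline.lower()
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append("regsvr32 loading from staging dir")
    if ev.parent.lower().endswith(OFFICE_APPS):
        reasons.append("regsvr32 spawned by Office app")
    if DROPPED_NAME.search(cmd):
        reasons.append("known dropped file name pattern")
    return reasons

def scan(events):
    """Pair every flagged event with the reasons it was flagged."""
    return [(e, r) for e in events if (r := regsvr32_reasons(e))]

SAMPLE_EVENTS = [  # constructed telemetry, not from the incident
    ProcEvent("explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
    ProcEvent("EXCEL.EXE", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Datop\bestb.ocx"),
    ProcEvent("services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.cmdline, "->", "; ".join(reasons))
```

Only the second sample event is reported; a legitimate vendor plugin registered from Program Files by Explorer matches none of the three conditions.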

How do I know if I received a phishing email?

Phishers these days are fierce, and the old “You won 1 million, please respond to this email” senders are desperately trying to keep up with the times (though who actually responds to them, I wonder). Threat actors now use far more cunning ways to trick you into handing over your information.

As I write this, I think back to a call from a woman claiming to be from some bank and still wonder whether that was a phisher. But back on track: the best solution to a problem is to prevent it. Here are proven tips for spotting a phishing email:

  • Mismatched email domains. Even if an email claims to come from Microsoft, for example, look carefully at whether the domain name actually matches. The email may well have been sent from Micnosft.com, a sure sign of a scam;
  • Unexpected attachments or suspicious links. If you suspect the email might be a scam, don't click on any attachments or links. You can check the real destination of a link by hovering the mouse over it; the address appears after a moment. Be especially careful with any links and attachments;
  • Generic greetings. It is odd to receive an email from a company you have dealt with before that opens with a bleak greeting like “Dear Sir or Madam”. Needless to say, an email from a completely unknown company is a strong hint of a scam;
  • Spelling and bad grammar. If an email has obvious grammar or spelling mistakes, it might be another scam. Sometimes phishers do this deliberately to avoid detection, or it could be an awkward translation from another language. In any case, professional companies usually have editors to ensure the quality of their correspondence, so that email you received opening with “Hilo yu” can be moved to junk;
  • Urgent threats or calls to action. An email full of repeated urgency should put you on alert, especially when no reason for it is given. Instead there is just threat after threat, followed by the magic solution: simply do this. Keep your anxiety level low, read the email once more carefully and check everything about it.
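The checklist above, turned into code as an added example (not from the article): a Python function that applies the mismatched-domain, generic-greeting and urgency checks to a parsed message, plus the seven-digit attachment name that IKEA's IT team pointed to. The trusted-domain list, the 0.8 similarity threshold and the sample message are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Domains this mailbox legitimately corresponds with (constructed list).
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account will be (closed|suspended))\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (sir|madam|customer|user)\b", re.I | re.M)

def lookalike_of(domain):
    """Trusted domain that `domain` closely imitates (e.g. micnosft.com), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    best = max(sorted(TRUSTED_DOMAINS), key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.8 else None

def phishing_indicators(raw_bytes):
    """Apply the article's checklist to one raw message; return the hits."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    sender = msg["From"]
    domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if target := lookalike_of(domain):
        hits.append(f"sender domain {domain} imitates {target}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # IKEA's IT team flagged attachment names ending in seven digits.
        if re.search(r"\d{7}(\.\w+)?$", name):
            hits.append(f"attachment name ends in seven digits: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):
        hits.append("generic greeting")
    if URGENCY.search(text):
        hits.append("urgency language")
    return hits

def build_sample():
    """Constructed phishing-style message that trips every check."""
    m = EmailMessage()
    m["From"] = "Account Team <support@micnosft.com>"
    m["To"] = "employee@example-corp.com"
    m["Subject"] = "Re: Re: invoice"
    m.set_content("Dear Sir or Madam,\nYour account will be suspended unless you act immediately.\n")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="charts1234567.zip")
    return m.as_bytes()
```

Calling `phishing_indicators(build_sample())` returns four hits, one per check; a message from a domain in TRUSTED_DOMAINS with an ordinary attachment name and no urgency wording returns an empty list.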
Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.
