The wily hackers that executed a successful email phishing campaign against IKEA using internal and compromised partner reply-chain emails show that corporations, particularly retailers hit hard and scrambling to recover after the pandemic, must continue to shore up their defenses and educate employees.
“Well-orchestrated phishing campaigns like this one can be highly effective if the attacker is able to figure out a way to socially engineer employees with high efficacy,” said Hank Schless, senior manager, security solutions, Lookout. “In this case, the attackers were able to hijack email threads and reply to them from email addresses on the IKEA domain and domains of suppliers and partners.”
IKEA warned its employees of the ongoing, so-called reply chain attack, in emails viewed by Bleeping Computer, which broke the news.
“There is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA,” the company wrote.
“This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious,” IKEA said, noting that the company’s “email filters can identify some of the malicious emails and quarantine them.”
But because an email “could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine,” the company warned. “We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.”
The attack distributes Emotet or Qbot trojans. “The attackers took advantage of Black Friday to increase their likelihood of success. Teams are already under immense pressure just to keep the IKEA sites up and running during high-volume shopping times,” said Schless. “This creates a perfect storm of opportunity for attackers to insert a seemingly urgent email in hopes that employees will overlook the telltale signs of malicious intent.”
Because they use “both the trustworthiness of the sender and an ongoing conversation to make their victims feel more at ease in interacting with messages and clicking links,” they are “much more effective,” said John Bambenek, principal threat hunter at Netenrich. “In this case, it looks like the attack was tied to banking trojans but it is a technique that can be used by the entire landscape of threat actors, including APT. Phishing provides the surest path to the internal part of an organization’s network, which is why it is so popularly used.”
While the motive behind the attack is difficult to pinpoint, “considering these emails were sent with the intention of having the targets click the links, the goal was likely credential compromise,” said Schless. “In these situations, we usually see the actor send the target to a very legitimate-looking login page for their organization or one of the SaaS platforms they use, such as Google Drive. When the targeted employee enters their credentials in the malicious page, their account becomes compromised. The attacker can use those credentials to log into the infrastructure, move laterally until they find valuable data, then either exfiltrate that data or encrypt it for a ransomware attack.”
Schless explained that it is “common for an attacker to start with account compromise via phishing, then move over to the broader cloud infrastructure where they have free reign to access sensitive corporate data.”
YouAttest CEO Garret Grajek called the campaign used on IKEA “another example of the constant scanning and probing of our enterprises,” warning that “every vulnerability will be explored and exploited.”
Hackers “love” email and social hacks “because they don’t take an investment in research and development of zero-day hacks,” Grajek said. “The result is the same, though—the hackers will attempt lateral movement, privilege escalation and persistence in the enterprise.”
While “the attack seen at IKEA is becoming increasingly common in large businesses,” there are “many opportunities to be prevented—more so than a normal phish—due to the nature of requiring a compromised email account,” said Miclain Keffeler, application security consultant at nVisium. “For example, most enterprise emails today require two-factor authentication. If an email account is compromised—not by a vulnerability in an email server or other attack vector—then a second factor, usually a text message, would have to be completed.”
But for companies that “use push apps or phone calls, these are often erroneously approved without thinking about whether the user truly logged in,” he said. “Some users simply approve it without thinking; therefore appealing to our weakest security link: Humans.”
Once that control is circumvented, defense lies with the email recipients. “In our increasingly remote worlds, people are less inclined to actually interact face-to-face or call a person to confirm what they are saying via email,” said Keffeler. “Some organizations with email phishing solutions can still catch this, but more often than not, those solutions are not enabled for internal email. This is because most companies are focused on protecting the edge of their network or cannot enable this internally because they could possibly break business workflows.”
No business is outside the reach of cyberattackers. “Whether it’s for the purpose of ransomware, business disruption, or simply for spite, even seemingly innocuous companies are facing harm,” said Saryu Nayyar, CEO at Gurucul. “And this attack is particularly insidious, in that it seemingly continues a pattern of normal use.”
To protect themselves, “enterprises have to continue educating their computer users, as well as using machine learning models and analytics to detect anything out of the ordinary,” she said.
Schless advises organizations to “protect the entire data path from the user and devices they use, up to the apps and data they access.”