As first reported by Bleeping Computer, IKEA is suffering from internal phishing attacks targeting employees. Bleeping Computer was able to obtain an internal email sent to employees that details the situation as follows:
“There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.
This means that the attack can come via email from someone that you work with, from any external organisation, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.”
IKEA went on to say:
“Our email filters can identify some of the malicious emails and quarantine them. Because the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore, until further notice, disabling the possibility for everyone to release emails from quarantine.”
According to Lawrence Abrams, author of the Bleeping Computer report, the phishing emails are stolen reply-chain emails. As explained by SentinelOne, an email reply-chain attack begins with a threat actor taking control of a legitimate account belonging to an employee. From that account the attacker replies inside existing email threads, inserting malicious links; each recipient who opens one is infected in turn, and the “chain” grows. Because the message arrives from a colleague’s genuine account in the middle of an ongoing conversation, it is easy to fall for, which is what makes this type of attack so dangerous.
The IKEA IT security teams handling the incident are warning employees that the reply-chain emails carry a specific marker: the malicious links always end in seven digits.
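A mail administrator could turn the marker above into a triage check. The script below is an added example, not code from IKEA, Bleeping Computer or SentinelOne: it parses constructed sample messages (none are from the incident), extracts the links in each body, and flags any link whose final characters are exactly seven digits, also noting whether the message is a reply (a `Re:` subject or an `In-Reply-To` header), since the article describes the malicious mail arriving as replies. The interpretation of “seven digits at the end” as exactly seven trailing digits, the header heuristics and the `quarantine`/`allow` verdict labels are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample messages for the example (not from the IKEA incident).
# Domains are RFC 2606 reserved names; the seven-digit suffixes are made up.
SAMPLE_MESSAGES = [
    """From: colleague@example.com
To: you@example.com
Subject: Re: Q4 delivery schedule
In-Reply-To: <abc123@example.com>

Hi, the updated schedule is here: https://intranet.example.com/docs/q4-schedule.pdf
Thanks
""",
    """From: colleague@example.com
To: you@example.com
Subject: Re: Q4 delivery schedule
In-Reply-To: <abc123@example.com>

Please review the details: http://files.example.net/share/1234567
Regards
""",
    """From: vendor@example.org
To: you@example.com
Subject: Invoice 2023-11

Link: https://portal.example.org/invoice/view?id=7654321
""",
]

URL_RE = re.compile(r"https?://\S+")
# Marker reported in the article: the link ends in seven digits. Assumed here to
# mean exactly seven trailing digits, so an eight-digit tail does not match.
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")
TRAILING_PUNCT = ".,;:)>\"'"


def extract_urls(body):
    """Return the http(s) URLs found in a message body, minus trailing punctuation."""
    return [u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(body)]


def has_seven_digit_tail(url):
    """True when the URL, after stripping trailing punctuation, ends in exactly seven digits."""
    return SEVEN_DIGIT_TAIL.search(url.rstrip(TRAILING_PUNCT)) is not None


def is_reply(msg):
    """Heuristic (assumed for the example): a Re: subject or an In-Reply-To header."""
    subject = (msg["Subject"] or "").strip().lower()
    return subject.startswith("re:") or msg["In-Reply-To"] is not None


def triage(raw_message):
    """Parse one RFC 822 message and report links matching the seven-digit marker."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = extract_urls(body)
    flagged = [u for u in urls if has_seven_digit_tail(u)]
    return {
        "subject": msg["Subject"],
        "reply": is_reply(msg),
        "urls": urls,
        "flagged_urls": flagged,
        # Verdict labels are the example's own; a real filter would feed its
        # own quarantine workflow rather than these strings.
        "verdict": "quarantine" if flagged else "allow",
    }


def triage_all(raw_messages):
    """Triage a batch of messages and return one result dict per message."""
    return [triage(raw) for raw in raw_messages]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_MESSAGES):
        print(result["verdict"].upper(), "|", result["subject"],
              "| reply" if result["reply"] else "| new thread",
              "|", result["flagged_urls"])
```

A seven-digit tail on its own is a crude indicator: legitimate ticket, order and invoice numbers are often seven digits long, so the check will produce false positives and should supplement, not replace, the mail filter. It is also tied to one campaign and stops being useful the moment the sender changes the link format, which is why the article's more durable point is the policy change: remove the users' ability to release quarantined mail themselves while the campaign is active.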
IKEA has not responded to any requests from the media for comment.