A reply-chain email attack is a phishing technique that has become notably effective because an ongoing email thread carries a false sense of security. Put simply, the attacker sends a message that appears to come from a legitimate participant, either by spoofing the address or by sending from a mailbox already under their control, and delivers it as a reply to a genuine conversation. The message carries a malicious link or attachment, but because the subject begins with “RE:” and the sender looks familiar, the recipient is far less likely to pause before clicking.
Details of the Ikea email server attacks
These reply-chain attacks are hitting Ikea locations and Ikea’s business partners alike. An internal warning broadcast to Ikea employees put it this way: “There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.”
A reply-chain attack makes phishing harder to detect. Because mailboxes across Ikea’s organisations and its partners were compromised, malware-laden emails can arrive from peers, managers, partners, or even external customer domains, and they arrive as replies to authentic threads. No one wants to be the employee who held up a live conversation, so the tendency is to reply as quickly as possible without a second thought for security.
The phishing links sent to Ikea in these reply chains ended in a seven-digit string. Clicking one downloaded an archive named charts.zip whose contents opened in a protected, read-only view. When the victim opened the file and clicked Enable Editing, malicious macros ran, fetched files named ‘besta.ocx,’ ‘bestb.ocx,’ and ‘bestc.ocx’ from a remote server, and saved them to the C:\Datop folder. These .ocx files are DLLs that install the payload on the victim’s machine: malware such as Qbot and even Emotet.
From there the malware spreads across the network and, as Qbot and Emotet infections frequently do, can end in a full-scale ransomware attack that locks the victim out.
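The reply-chain indicators described in the opening paragraph and the delivery chain described above lend themselves to a simple triage script. The following Python is an added example written for this page, not code from Ikea or from any security vendor: it inspects a raw email for signs of a forged reply (a “RE:” subject with no threading headers, a From domain that disagrees with the envelope sender, authentication failures stamped by the gateway, and links ending in a seven-digit string) and, on the host side, flags file-creation paths that match the C:\Datop drop location. The sample messages, the fictional example.com organisation, and the event paths are all constructed for illustration.

```python
"""Reply-chain phishing triage (added example; not Ikea's or any vendor's code).

Assumptions, all hypothetical: messages are available as raw RFC 5322 text exported
from a mail gateway that stamps an Authentication-Results header; file-creation paths
come from an endpoint agent; example.com is the fictional recipient organisation.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Indicators taken from the article: lure URLs end in a seven-digit string and the
# macro drops besta.ocx, bestb.ocx and bestc.ocx into C:\Datop.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SEVEN_DIGIT_TAIL = re.compile(r"(?<!\d)\d{7}$")
DROPPED_FILE_RE = re.compile(r"(?i)^c:\\datop\\best[abc]\.ocx$")
REPLY_PREFIX_RE = re.compile(r"(?i)^\s*(re|aw|sv)\s*:")  # English, German, Swedish reply prefixes
AUTH_FAIL_RE = re.compile(r"\b(?:spf|dkim|dmarc)=fail\b")


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def extract_urls(msg: Message) -> list[str]:
    """Collect http(s) URLs from the text parts, with trailing punctuation removed."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        urls += [u.rstrip(".,;:)>]") for u in URL_RE.findall(body)]
    return urls


def reply_chain_indicators(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    # A real reply carries In-Reply-To and/or References. A "RE:" subject on a
    # message with neither is the cheapest sign of a fabricated reply.
    if REPLY_PREFIX_RE.match(msg.get("Subject", "")) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append("RE: subject without In-Reply-To/References threading headers")

    # A spoofed From header usually disagrees with the envelope sender the gateway recorded.
    from_domain, envelope_domain = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    if envelope_domain and from_domain != envelope_domain:
        findings.append(
            f"From domain {from_domain!r} differs from Return-Path domain {envelope_domain!r}")

    # Gateway verdicts: any hard failure is worth surfacing to the analyst.
    if AUTH_FAIL_RE.search((msg.get("Authentication-Results") or "").lower()):
        findings.append("SPF/DKIM/DMARC failure recorded by the gateway")

    # The campaign's lure links ended in seven digits.
    for url in extract_urls(msg):
        if SEVEN_DIGIT_TAIL.search(url):
            findings.append(f"link ending in a seven-digit string: {url}")
    return findings


def dropped_payload_paths(file_events: list[str]) -> list[str]:
    """Host side: file-creation paths matching the C:\\Datop\\best?.ocx drop pattern."""
    return [path for path in file_events if DROPPED_FILE_RE.match(path.strip())]


# Constructed sample messages (not real Ikea mail).
LEGIT_REPLY = """\
From: Anna Lind <anna.lind@example.com>
To: ops@example.com
Return-Path: <anna.lind@example.com>
Subject: RE: Q4 delivery schedule
Message-ID: <b2@example.com>
In-Reply-To: <a1@example.com>
References: <a1@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Thanks, the updated plan is at https://intranet.example.com/plans/q4
"""

LURE_REPLY = """\
From: Anna Lind <anna.lind@example.com>
To: ops@example.com
Return-Path: <bounce@mail-relay.invalid>
Subject: RE: Q4 delivery schedule
Message-ID: <z9@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Please review the charts before the call: https://files.example.net/dl/7364152.
"""

# Constructed file-creation paths as an endpoint agent might report them.
FILE_EVENTS = [
    r"C:\Users\anna\Downloads\charts.zip",
    r"C:\Datop\besta.ocx",
    r"C:\Datop\bestb.ocx",
    r"C:\Datop\bestc.ocx",
    r"C:\Program Files\Vendor\best.ocx",  # benign: wrong folder and name
]

if __name__ == "__main__":
    for name, raw in (("legitimate reply", LEGIT_REPLY), ("lure", LURE_REPLY)):
        print(name, "->", reply_chain_indicators(raw) or "no indicators")
    print("dropped payloads:", dropped_payload_paths(FILE_EVENTS))
```

Note the limit of the header checks: a lure sent from a genuinely compromised partner mailbox, which is how this campaign spread according to Ikea’s own warning, passes SPF and DKIM and carries valid In-Reply-To and References headers, so only the link pattern and the host-side drop paths would fire for it. That is exactly why Ikea chose not to let users overrule the filter.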
Mitigating the effects of the Ikea email server attacks
Ikea’s IT teams responded quickly with a don’t-open policy for these emails, regardless of who supposedly sent them, and are asking employees to report suspicious messages to IT via Microsoft Teams so they can be investigated while still quarantined.
Quarantine only helps if people trust it, though. A quarantined message in this campaign may be a reply to a conversation the recipient really did take part in, so it is tempting to assume the filter produced a false positive and release it. To remove that possibility, Ikea has suspended self-service release from quarantine until the attack is resolved.
“Our email filters can identify some of the malicious emails and quarantine them. Because the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore, until further notice, disabling the possibility for everyone to release emails from quarantine,” IKEA communicated to employees.
This is a quick and sensible containment response. Its measures act on the mail path and on user behaviour, though; the chain described above still depends on a macro running after Enable Editing and on DLLs being written to C:\Datop, so blocking macros in files that arrive from the internet and alerting on writes to that folder would catch the attack even when a message slips past the filter.