Skip to main content

Companies warned of Trojan loop hole in wake of IKEA spam fiasco

Security Firm Tier-3 has warned companies to review their IT security arrangements, following a potentially serious spam incident that affected the email servers of Scandinavian furniture giant IKEA.

"Newswire reports suggest that IKEA has just closed a serious security flaw that allowed hackers and phishers full-on access to the resources of its email servers, allowing them to send bulk outbound mail from the furniture giant's systems," said Geoff Sweeney, Tier-3's CTO.

The really troubling side of this security breach is that provides sophisticated hackers an opportunity to use it as a launch pad to send specially targeted emails containing zero day Trojans or Rootkits.

The emails could then pass through almost all email and anti spam security technology that relies on white and black listing as a method to filter spam as they would come from an actual IKEA domain.

The behaviour of these emails coming through to an organisation could be detected by behavioural analysis security software which prevents both known and unknown threats.

The sinister side of this type of attack is that they are targeted at specific people in an organisation and when they appear from a trusted source and combine the latest Antivirus evasion techniques there is a chance that a organisation’s entire set of security defences will be beaten. According to Sweeney, “IKEA's problems were caused because the contact template on the firm's home page was inadequately secured, allowing hackers with criminal intentions to insert alternative e-mail addresses in a contact form. This basically allowed anyone with a little technical knowledge to generate millions of phishing and/or spam messages from IKEA's mail servers using a simple script. The potential damage to the company's reputation and possibility of email blacklisting could be significant."

"This is a classic case of where, with a little forward planning and investment in IT security technology, IKEA could have avoided denting its reputation, it is hard to believe that IKEA reportedly did not close this security hole immediately but left it open for a further 5 days after they were warned about it by Jonas Thomsen," Sweeney added "Had IKEA installed behavioural analysis security software on its systems, then it could have locked down the spam email problem as soon as it had happened, and avoided blackening its name he added.

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.