Tier-3 said that Ikea had recently closed a serious security hole that gave hackers and phishers full access to its email servers, allowing them to send bulk email from the furniture giant's systems.
Geoff Sweeney, chief technology officer at Tier-3, said that the most troubling aspect is that the flaw allowed hackers to use Ikea as a launch pad to send specially targeted emails containing zero-day Trojans or root-kits.
The emails could pass through almost all email and anti-spam filters as they come from a perfectly genuine Ikea domain.
Sweeney warned that the sinister aspect of this type of attack is that it is targeted at specific people in an organisation.
When emails appear from a trusted source, and can evade the latest antivirus signatures, there is a chance that an organisation's entire security defence will be beaten.
"Ikea's problems were caused because the contact template on the firm's home page was inadequately secured, allowing hackers to insert alternative email addresses in a contact form," said Sweeney.
"This basically allowed anyone with a little technical knowledge to generate millions of phishing and/or spam messages from Ikea's mail servers using a simple script."
The potential damage to the company's reputation, and the possibility of email blacklisting, could be significant, according to the security expert.
"This is a classic case of where, with a little forward planning and investment in IT security technology, Ikea could have avoided denting its reputation," he said.
"It is hard to believe that Ikea reportedly did not close this security hole immediately but left it open for a further five days after being warned about it."
Ikea rapped for flat-pack spam
By Clement James on Jan 23, 2008 3:13PM