Dridex malware targets users with a fake IKEA receipt

12 New Malware Types Discovered Every 60 Seconds
October 28, 2015
Chinese malware active in American systems
October 30, 2015

The developers of the infamous Dridex malware have stepped up a gear in their creative means to get around law enforcement by tailoring a new spam campaign using IKEA’s brand name.

Dridex malware developers have launched a new spam campaign today by sending emails purporting to be one from IKEA, to targeted users, reports Heimdal Security.

Dridex was first spotted late last year in a spam campaign that generated as many as 15,000 phishing emails a day. Predominantly targeting UK users, the malware strain has also spread across Europe and other countries beyond the continent.

The FBI dealt a blow to the malware operation earlier this month, but the malware strain has still been spotted in the wild since the takedown.

The Furniture-Store Scam

The email contains a receipt that could potentially trick even bird-eyed viewers who could otherwise sniff a spam or a phishing campaign.

Ikea Spam email

The spam message is even crafted from the address “DoNotReply @ ikea.com,” according to Heimdal researchers who discovered the malicious spam campaign. The researchers not that email servers that aren’t properly configured with the best security practices expected in a company with a large customer base has likely resulted in the seemingly legitimate email address from the malware authors.

Once a targeted victim falls for the embedded attachment within the receipt email, things predictably take a turn for the worse, quickly.

  • Opening the attachment, usually a Microsoft word file, the macros (bits of computer code) embedded in the document will activate the payload.
  • This trigger downloads the Dridex malware and executes it.
  • When the targeted system is infected by the malware strain, the attackers begin to harvest user credentials, predominantly usernames, passwords and card details of the victim.

Unsurprisingly, Dridex primarily targets banks as a part of the latest campaign. The malware also passes through nearly every antivirus definition check available and in use by most end-users, as tests reveal the uniquely coded strain to predominantly avoid detection.

A recent check on anti-virus engine VirusTotal shows the Dridex strain to only show up as malware in 3 out of 54 engines.


Heimdal security tells Hacked that IKEA have been notified of the vulnerable and improperly configured email servers but changes to improve upon its cybersecurity measures haven’t been implemented.

Request Demo