Tracking pixels can be used to compromise enterprise security

Tracking pixels, or beacons, are widely used in email advertising, but a more subtle and dangerous use is possible.

Tracking pixels are basically very small images (usually invisible to the human eye) embedded in an email, whose content is loaded from a remote server when the email is opened.

When your email client loads this image from the server, the server knows that you opened the email. In email marketing this is used to get an approximate open rate for an advertising campaign (how many recipients opened the email) and to keep track of “active” recipients, i.e. those who receive emails in their inbox and open them.

There are other, more subtle uses of the information that tracking pixels leak. When the email client (or the browser) loads the image, the following information can be collected by the server:

  • Identity of the recipient opening the email (at least the email address the email was sent to, since the image URL is normally unique per recipient)
  • Time and day
  • IP address
  • Information about the mail client or browser and the operating system (or device)

This information is valuable not only for marketing purposes but also for malicious uses, such as targeted phishing attacks.

Take an example: by sending an email to your company’s CEO and receiving the beacon request at 8:12 AM from the IP address of a hotel in eastern Europe, the attacker learns that the CEO is currently on a business trip there.

At this point a Business Email Compromise (BEC, or whaling) attack can be carried out by sending an email back to the office, impersonating the CEO and requesting an urgent money transfer or a classified internal document related to the trip. Knowing these details makes the phishing message far more credible and effective.

With tracking pixels an attacker can gather information about the movements of executives and the habits of employees, about who is on holiday and who isn’t, and, with some additional intelligence, can infer company strategies and secrets: a meeting at a lawyer’s office or with a specific partner can reveal the progress of a confidential negotiation or deal.

Many email clients don’t load remote images by default, but a user can easily be tricked into displaying them. The best defense is to disarm such beacons before the email is delivered, which is what Libra Esva does.
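To make the gateway-side defense concrete, here is an added example (not Libra Esva’s own code) that applies simple beacon heuristics to an HTML email body: a remote image is treated as a tracking pixel when it is 0/1 px in size, hidden by CSS, or carries a long opaque identifier in its URL, and such images are stripped before delivery. The thresholds, regular expressions and the sample message are assumptions constructed for this demo.

```python
import re
from html.parser import HTMLParser
# Added example (not Libra Esva's code): heuristic beacon detection for a mail
# gateway. A remote <img> is treated as a tracking pixel when it is tiny, hidden
# by CSS, or carries a long opaque identifier in its URL. Thresholds and the
# sample message are assumptions constructed for this demo.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_CSS_RE = re.compile(r"(?:width|height)\s*:\s*[01]px", re.I)
TOKEN_RE = re.compile(r"[?&/=][A-Za-z0-9_-]{20,}")  # per-recipient id in the URL

def is_beacon(attrs):
    """attrs: list of (name, value) pairs as produced by html.parser."""
    a = {k.lower(): (v or "") for k, v in attrs}
    src, style = a.get("src", ""), a.get("style", "")
    if not src.lower().startswith(("http://", "https://")):
        return False  # cid:/data: images are embedded and do not phone home
    tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
    return tiny or bool(TINY_CSS_RE.search(style) or HIDDEN_RE.search(style) or TOKEN_RE.search(src))

class ImgCollector(HTMLParser):  # records raw text and attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.tags.append((self.get_starttag_text(), attrs))

def disarm_beacons(html):
    """Return (cleaned_html, neutralised_srcs); each beacon becomes an HTML comment."""
    p = ImgCollector()
    p.feed(html)
    p.close()
    removed = []
    for raw, attrs in p.tags:
        if is_beacon(attrs):
            removed.append(dict(attrs).get("src", ""))
            html = html.replace(raw, "<!-- remote tracking image removed -->", 1)
    return html, removed

# Constructed sample message: one visible logo, two beacons, one inline image.
SAMPLE = """<html><body><p>Hi, see our offer.</p>
<img src="https://cdn.example.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.test/o/4f9c2a7e1b0d8e3a6c5f9b2d1e7a4c8f.gif" width="1" height="1">
<img src="https://track.example.test/open?u=bob" style="display:none">
<img src="cid:inline-photo" alt="photo"></body></html>"""
if __name__ == "__main__":
    cleaned, hits = disarm_beacons(SAMPLE)
    print(f"neutralised {len(hits)} beacon(s): {hits}\n{cleaned}")
```

Visible images and inline (cid:) attachments survive untouched, so the message still renders normally for the recipient.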

Targeted attacks through mobileconfig attachments

We spotted an instance of what appears to be a targeted attack through a phishing email delivering a .mobileconfig file. This is the Apple configuration profile format used to deliver settings to iPhones.

The attack originates from a domain that appears to have been created just for this purpose.

This is how the email appears to the recipient:

The attachment, of course, is not an order but the mobileconfig file.

Here are the source headers of this email, which comes from the domain jimgyow.com; I’ve redacted the information about the recipient:

The attachment is a file named [email protected] whose content is displayed in the following image:

Once opened, the file automatically configures, on the victim’s iPhone, a new email account for the address [email protected]. The configuration file does not provide the password: the user is prompted for it, and the password is then submitted to the mail server controlled by the attacker.

The configuration file is signed with a valid certificate issued to jimgyow.com:

If you have information about other uses of this attack vector, we’d be happy to hear from you. Just use the “contact us” form on this website.

Rodolfo Saccani, security R&D manager at Libra Esva