Research has found a security threat that enables cyber attackers to change remotely the content of emails anytime post-delivery.
The threat, called ROPEMAKER, hasn’t yet been executed in the wild, however, it is capable of avoiding an organisation’s security in order to deliver malicious emails.
Attacks via email are incredibly common, with businesses seeing a vast increase in the volume of cyber-attacks by this vector, including, ransomware, phishing and impersonation fraud.
WannaCry and Petya are two examples of devastating email based attacks, which is why businesses need to act and take the necessary steps to safeguard against this.
Peter Kosinar, ESET Technical Fellow, took a look at what this cyber threat really does and how to avoid being caught out by attacks like this.
“The fact that HTML+CSS allows one to obfuscate visible content has been known to spammers and phishers for ages.
“Marketing resources have also come up with creative ideas of how to track if the e-mail has been opened by including tracking pixels or other remote content into e-mails.
“By doing this they can make the user's e-mail client make a request for the remote resource, which they can then keep track of.
“These two parts are what ROPEMAKER is essentially about; it combines the visualisation power of CSS with the fact that it can be included remotely.”
It's pretty far from being the end of the world though:
“The e-mail does not change after it has arrived.
“Yes, its visual presentation can change and that can include clickable links within the e-mail, however, all the content of the e-mail is actually present on the computer and thus available for inspection by a security product installed on the machine.
“As such, nothing prevents it from being detected.
“Still, regardless of what the e-mail looks like, if it contains a bad link and the user clicks on it, the user's e-mail client will either open a browser or make the HTTP/FTP/whatever request directly, but again, this will have been seen by the security product.
“According to my knowledge, the possibilities of modification of the visual presentation provided by CSS are limited.
“In particular, it should not allow complex computations to be performed in order to obscure the actual values of HTML elements, unlike, for example, a piece of arbitrary Javascript code.
“This forces the "bad link" or other harmful content to be present in a form that can be easily recognized as harmful.”
Does your business have protocols in place to deal with malicious emails? Let us know on Twitter @ESETUK.
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.