The tracking pixel in service of cybercrime

Cybercriminals have adopted the marketing tool for information collection.

Roman Dedenok, September 8, 2020

Attackers tend to do painstaking groundwork to engineer business e-mail compromise attacks (BECs). When they pose as someone authorized to transfer funds or send confidential information, their messages need to look as close to legitimate as possible. Details matter.

We recently got our hands on an interesting example of an e-mail sent to a company employee in an attempt to start a conversation. The text is fairly cut and dried for the type of e-mail in question. The attacker makes it clear that the sender is in a meeting, so not available by other means of communication. They do that to discourage the recipient from checking if they are indeed corresponding with the person whose name appears in the signature.

Seeing as the attackers did not try to hide the fact that the e-mail was sent from a public e-mail service, they either knew that the person they were imitating used the service or expected that it was normal for the company to use third-party e-mail for business correspondence.

Something else caught our attention, though: the “Sent from my iPhone” signature. That signature is iOS Mail’s default for outgoing messages, yet the technical headers suggest the message was sent through the Web interface, and specifically from the Mozilla browser.

Why did the attackers try to make the e-mail appear to have been sent from an Apple smartphone? The automatic signature might have been added to make the message look respectable. That is not the most elegant of tricks, though. BEC attacks most frequently appear to come from a coworker, and the chances are good that in this case, the recipient knew what type of device that person used. So, the criminals must have known what they were doing. But how could they? In fact, it is not difficult.
All it takes is some reconnaissance using a so-called tracking pixel, also known as a Web beacon.

What a tracking pixel is and why it is used

As a rule, companies that send bulk e-mail to customers, partners, or readers — almost every company, that is — want to know the level of engagement they achieve. In theory, e-mail has a built-in option for sending read receipts, but recipients must consent to its use, which most people do not. So, clever marketing people came up with the tracking pixel.

A tracking pixel is a tiny image. At just one pixel by one pixel, it’s indiscernible to the eye, and it lives on a website, so when an e-mail client application requests the image, the sender who controls the site receives confirmation that the message was opened, as well as the IP address of the receiving device, the time when the e-mail was opened, and information about the program that was used to open it.

Have you ever noticed your e-mail client doesn’t display images until you click a link to download them? That’s not to boost performance or limit traffic. In fact, automatic image downloads are typically turned off by default for security reasons.

How can a cybercriminal take advantage of the tracking pixel?

Here’s one scenario: While traveling abroad, you get a message in your work inbox that looks relevant to your business. As soon as you realize it’s just an unwanted solicitation, you close it and trash it, but in the meantime, the attacker learns:

- You are in another country, judging by your IP address. That means personal contact with coworkers is difficult. Thus, you may be a safe person to imitate.
- You are using an iPhone (you opened the message with Mail for iOS), so adding a “Sent from my iPhone” signature will add credibility to the fake e-mail.
- You read the e-mail at 11 AM. That alone is not important, but if you open such messages regularly, the cybercriminals will be able to figure out your schedule and time an attack to coincide with a period when you tend to be unavailable.

How can you defuse those insights?

Protecting oneself from tracking is difficult. That does not mean you should make cybercriminals’ lives easier, though. We suggest following these tips:

- If your e-mail client prompts you to “click here to download pictures,” that means the visual content has been blocked for reasons of privacy. Think before you allow it. The e-mail may look ugly without images, but by giving your consent to downloading them, you provide information about yourself and your device to strangers.
- Do not open e-mail that lands in your spam folder. Modern spam filters have an extremely high level of accuracy, especially if your e-mail server is protected by our technology.
- Be careful with B2B mass mailings. It is one thing when you deliberately subscribe to a company’s updates, but rather different when an e-mail comes from an unknown company, for unknown reasons. In the latter case, it is better not to open the message.
- Use robust solutions with advanced antispam and antiphishing technologies to protect your corporate e-mail. Both Kaspersky Total Security for Business (Kaspersky Security for Microsoft Exchange Servers, Kaspersky Security for Linux Mail Server and Kaspersky Secure Mail Gateway components) and Kaspersky Security for Microsoft Office 365 include our antispam and antiphishing technology.
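To make the mechanism described under “What a tracking pixel is” concrete from the defender’s side, here is an added example (not code from the original post or from Kaspersky): a small Python scanner that walks the HTML parts of a raw e-mail and reports remote images that are effectively invisible, which is the shape a Web beacon takes. The sample message and the hosts example.com and track.example.net are constructed for this demonstration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post): an HTML e-mail that
# carries a normal logo plus a remote 1x1 hidden image, i.e. a Web beacon.
SAMPLE_EMAIL = """\
From: sender@example.com
To: employee@example.org
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, please see our update.</p>
<img src="https://example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open?id=abc123" width="1" height="1" style="display: none">
</body></html>
"""

class PixelFinder(HTMLParser):
    """Collect <img> tags that look like beacons: fetched from a remote host
    and effectively invisible (0 or 1 pixel in both dimensions, or hidden)."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid: or data: images do not call home when rendered
        tiny = all(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.beacons.append(src)

def find_tracking_pixels(raw_message: str) -> list[str]:
    """Return beacon URLs found in the text/html parts of a raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    finder = PixelFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.beacons
```

Each URL returned names the host that would receive your IP address, the time of opening and your mail client’s identification if the image were downloaded, which is exactly what the “click here to download pictures” prompt guards against.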