Hackers using Pixel tracking to gather Pre-Hack data

A simple email marketing trick used by marketers and advertisers to track web users and email recipients have also been abused by cybercriminals and online spies to gather information on possible targets or to improve the efficiency of phishing attacks, both mass and targeted in scope.

“We’ve seen a lot more use of this tactic recently as a probing or information-gathering tool,” by phishers and other cyber criminals, said Donald Meyer of Check Point Software Technologies Ltd.

Pixel tracking is a decades-old email marketing technique that relies on embedding a one-by-one pixel image, usually transparent or of the same colour of the email’s background which prevents users from noticing them in most cases. Tracking pixels or web beacons are downloaded when a user opens an email or visits a website unless the user blocks the loading of images inside his emails which lets the advertiser know a user has opened one of its emails.

With a code as simple as  “<img src=”http://example.com/cgi-bin/program?e=email-address”>”, the marketing tools ping a website whenever someone downloads an image.

Because of the way most email programs and web browsers work, tracking pixels, once downloaded, can collect and report information about the user’s email address, operating system, device, software, IP address, hostname, cookie usage settings, usage of webmail and date and time of opening the email. Email marketers can use this data to measure the effectiveness of their campaigns. Advertisers can also use it to compile data about the hardware and software their targets employ.

Unfortunately, everything which makes tracking pixels great for marketers and advertisers — unobtrusiveness, automaticity and the amount of data captured — also makes them great for hackers’ reconnaissance. Using the same trick if a hacker gets hold of all this information, they can abuse it to carry out malicious campaigns.

“In phishing attacks, tracking pixels can be used to learn which recipients are most likely to open scam emails. Since some scammers retool mass phishing attacks against random users to target high-value enterprise users, scammers are turning to pixel tracking to increase the odds a spear phishing attack will succeed…. Our security researchers have already discovered tracking pixels being used in the wild as a surveillance tool to gather information for use in phishing scams,” explained Meyer in a blog post on Monday (April 17).

Check Point detected tracking pixels used for a phishing campaign back in August 2016. The red “X’s” mark the location of the pixels, which email security tools prevented from loading properly. Hackers trying to break into a network have to explore its architecture first to find points of entry and ways to move around the system undetected. During this reconnaissance stage, an attacker will often send phishing emails to map out the network, locate potential weak points and figure out who in the organisation is most likely to open suspicious-looking mail and click on links or attachments.

Furthermore, if the employees of a company are all using webmail clients, it’s quite possible that the company uses a managed cloud service to handle many of its internal operations. An attacker that can identify that cloud platform could find it very easy to hone future attacks around vulnerabilities in that platform.

Fortunately, it’s not difficult to protect against this sneaky threat.

Unlike a full-fledged hacking attack, such a reconnaissance won’t involve any executable code, and will generally get under the security radar. Email programs should be set so they don’t automatically download images. To counteract this threat it is advisable to deploy email and anti-phishing security controls as part of your cloud-security arsenal. Continuous patch management and a healthy dose of scepticism around emails that contain anomalous image placeholders go a long way, too.

Leave a Reply