Hackers can change your email's content after you send it

Researchers find a way for hackers to alter emails after they've been sent to an inbox

New research has thrown light on an email exploit that hackers can use to change the content of a message, after it has been delivered to your inbox.

Dubbed Ropemaker by security company Mimecast, the attack scenario allows malicious parties to alter what is displayed in an email, for instance, editing text or swapping a harmless URL with a link to malware.

The exploit is based on the idea that an attacker sends an HTML email to the victim, but uses the CSS code - normally used to direct the presentation style of a web page - to leverage a remote file hosted on the attacker's server.

"A CSS file can be used locally with the markup language file or accessed remotely across the network (generally the Internet)," Mimecast's report reads. "And of course, the key of this exploit is from a security point of view, is that part of the system is controlled in an untrusted zone."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

In a couple of examples given by Mimecast, a remote CSS code is first used to switch a URL address in an email message, then to send a matrix of ASCII text that can be selectively controlled by change what is displayed. This latter scenario would essentially allow an attacker to edit the text of an email, adding or removing sentences and external links.

Brian Robison, senior director of security technology at Cylance, notes that Ropemaker isn't the first exploit to make malicious use of CSS on web pages. "Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank's website; then the button is actually linked to different site entirely."

Ropemaker, which stands for the somewhat inelegant "Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky", might take CSS exploits to a new level, but don't start deleting all your emails just yet. Mimecast notes it hasn't yet seen Ropemaker in the wild, and tests on browser-based versions of Gmail, Outlook and iCloud showed those platforms were not susceptible to the exploit. Mimecast does claim, however, that desktop and mobile versions of the Microsoft Outlook app, desktop and mobile versions of Apple Mail, and Mozilla Thunderbird, were all susceptible.

Many email clients strip out header tags for emails in HTML formats, including tags that call for remote CSS files. If push came to shove, individuals or company admins could block remote CSS resources from loading. In response to a draft of the report, Apple notes that users can disable remote content in emails by navigating Mail | Preferences | Viewing, then unchecking "Load remote content in messages".

Security analyst Graham Cluley told Alphr it's good practice to be wary of unsolicited emails from unfamiliar contacts "and to hover your mouse over links before clicking on them to determine where they will be taking you".

"[The exploit] is certainly inventive," he added, "but perhaps not quite as creative as the hard work Mimecast put in constructing the Ropemaker acronym".

Advertisement - Article continues below

This article originally appeared on IT Pro's sister site, Alphr

Picture credit: Bigstock

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020