Hackers can change your email's content after you send it

Researchers find a way for hackers to alter emails after they've been sent to an inbox

New research has thrown light on an email exploit that hackers can use to change the content of a message, after it has been delivered to your inbox.

Dubbed Ropemaker by security company Mimecast, the attack scenario allows malicious parties to alter what is displayed in an email, for instance, editing text or swapping a harmless URL with a link to malware.

The exploit is based on the idea that an attacker sends an HTML email to the victim, but uses the CSS code - normally used to direct the presentation style of a web page - to leverage a remote file hosted on the attacker's server.

"A CSS file can be used locally with the markup language file or accessed remotely across the network (generally the Internet)," Mimecast's report reads. "And of course, the key of this exploit is from a security point of view, is that part of the system is controlled in an untrusted zone."

In a couple of examples given by Mimecast, a remote CSS code is first used to switch a URL address in an email message, then to send a matrix of ASCII text that can be selectively controlled by change what is displayed. This latter scenario would essentially allow an attacker to edit the text of an email, adding or removing sentences and external links.

Brian Robison, senior director of security technology at Cylance, notes that Ropemaker isn't the first exploit to make malicious use of CSS on web pages. "Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank's website; then the button is actually linked to different site entirely."

Ropemaker, which stands for the somewhat inelegant "Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky", might take CSS exploits to a new level, but don't start deleting all your emails just yet. Mimecast notes it hasn't yet seen Ropemaker in the wild, and tests on browser-based versions of Gmail, Outlook and iCloud showed those platforms were not susceptible to the exploit. Mimecast does claim, however, that desktop and mobile versions of the Microsoft Outlook app, desktop and mobile versions of Apple Mail, and Mozilla Thunderbird, were all susceptible.

Many email clients strip out header tags for emails in HTML formats, including tags that call for remote CSS files. If push came to shove, individuals or company admins could block remote CSS resources from loading. In response to a draft of the report, Apple notes that users can disable remote content in emails by navigating Mail | Preferences | Viewing, then unchecking "Load remote content in messages".

Security analyst Graham Cluley told Alphr it's good practice to be wary of unsolicited emails from unfamiliar contacts "and to hover your mouse over links before clicking on them to determine where they will be taking you".

"[The exploit] is certainly inventive," he added, "but perhaps not quite as creative as the hard work Mimecast put in constructing the Ropemaker acronym".

This article originally appeared on IT Pro's sister site, Alphr

Picture credit: Bigstock

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

AOL users are the target of a new phishing campaign
phishing

AOL users are the target of a new phishing campaign

1 Mar 2021
What is cloud-to-cloud backup?
cloud backup

What is cloud-to-cloud backup?

1 Mar 2021
Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021