Hackers can change your email's content after you send it

Researchers find a way for hackers to alter emails after they've been sent to an inbox

New research has thrown light on an email exploit that hackers can use to change the content of a message, after it has been delivered to your inbox.

Dubbed Ropemaker by security company Mimecast, the attack scenario allows malicious parties to alter what is displayed in an email, for instance, editing text or swapping a harmless URL with a link to malware.

Advertisement - Article continues below

The exploit is based on the idea that an attacker sends an HTML email to the victim, but uses the CSS code - normally used to direct the presentation style of a web page - to leverage a remote file hosted on the attacker's server.

"A CSS file can be used locally with the markup language file or accessed remotely across the network (generally the Internet)," Mimecast's report reads. "And of course, the key of this exploit is from a security point of view, is that part of the system is controlled in an untrusted zone."

In a couple of examples given by Mimecast, a remote CSS code is first used to switch a URL address in an email message, then to send a matrix of ASCII text that can be selectively controlled by change what is displayed. This latter scenario would essentially allow an attacker to edit the text of an email, adding or removing sentences and external links.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Brian Robison, senior director of security technology at Cylance, notes that Ropemaker isn't the first exploit to make malicious use of CSS on web pages. "Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank's website; then the button is actually linked to different site entirely."

Ropemaker, which stands for the somewhat inelegant "Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky", might take CSS exploits to a new level, but don't start deleting all your emails just yet. Mimecast notes it hasn't yet seen Ropemaker in the wild, and tests on browser-based versions of Gmail, Outlook and iCloud showed those platforms were not susceptible to the exploit. Mimecast does claim, however, that desktop and mobile versions of the Microsoft Outlook app, desktop and mobile versions of Apple Mail, and Mozilla Thunderbird, were all susceptible.

Advertisement - Article continues below

Many email clients strip out header tags for emails in HTML formats, including tags that call for remote CSS files. If push came to shove, individuals or company admins could block remote CSS resources from loading. In response to a draft of the report, Apple notes that users can disable remote content in emails by navigating Mail | Preferences | Viewing, then unchecking "Load remote content in messages".

Security analyst Graham Cluley told Alphr it's good practice to be wary of unsolicited emails from unfamiliar contacts "and to hover your mouse over links before clicking on them to determine where they will be taking you".

"[The exploit] is certainly inventive," he added, "but perhaps not quite as creative as the hard work Mimecast put in constructing the Ropemaker acronym".

This article originally appeared on IT Pro's sister site, Alphr

Picture credit: Bigstock

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020