Hackers can change your email's content after you send it

Researchers find a way for hackers to alter emails after they've been sent to an inbox

New research has thrown light on an email exploit that hackers can use to change the content of a message, after it has been delivered to your inbox.

Dubbed Ropemaker by security company Mimecast, the attack scenario allows malicious parties to alter what is displayed in an email, for instance, editing text or swapping a harmless URL with a link to malware.

The exploit is based on the idea that an attacker sends an HTML email to the victim, but uses the CSS code - normally used to direct the presentation style of a web page - to leverage a remote file hosted on the attacker's server.

"A CSS file can be used locally with the markup language file or accessed remotely across the network (generally the Internet)," Mimecast's report reads. "And of course, the key of this exploit is from a security point of view, is that part of the system is controlled in an untrusted zone."

In a couple of examples given by Mimecast, a remote CSS code is first used to switch a URL address in an email message, then to send a matrix of ASCII text that can be selectively controlled by change what is displayed. This latter scenario would essentially allow an attacker to edit the text of an email, adding or removing sentences and external links.

Brian Robison, senior director of security technology at Cylance, notes that Ropemaker isn't the first exploit to make malicious use of CSS on web pages. "Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank's website; then the button is actually linked to different site entirely."

Ropemaker, which stands for the somewhat inelegant "Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky", might take CSS exploits to a new level, but don't start deleting all your emails just yet. Mimecast notes it hasn't yet seen Ropemaker in the wild, and tests on browser-based versions of Gmail, Outlook and iCloud showed those platforms were not susceptible to the exploit. Mimecast does claim, however, that desktop and mobile versions of the Microsoft Outlook app, desktop and mobile versions of Apple Mail, and Mozilla Thunderbird, were all susceptible.

Many email clients strip out header tags for emails in HTML formats, including tags that call for remote CSS files. If push came to shove, individuals or company admins could block remote CSS resources from loading. In response to a draft of the report, Apple notes that users can disable remote content in emails by navigating Mail | Preferences | Viewing, then unchecking "Load remote content in messages".

Security analyst Graham Cluley told Alphr it's good practice to be wary of unsolicited emails from unfamiliar contacts "and to hover your mouse over links before clicking on them to determine where they will be taking you".

"[The exploit] is certainly inventive," he added, "but perhaps not quite as creative as the hard work Mimecast put in constructing the Ropemaker acronym".

This article originally appeared on IT Pro's sister site, Alphr

Picture credit: Bigstock

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020