The tracking pixel in service of cybercrime

Attackers tend to do painstaking groundwork to engineer business e-mail compromise attacks (BECs). When they pose as someone authorized to transfer funds or send confidential information, their messages need to look as close to legitimate as possible. Details matter.

We recently got our hands on an interesting example of an e-mail sent to a company employee in an attempt to start a conversation.

E-mail written by cybercriminals.

The text is fairly cut and dried for the type of e-mail in question. The attacker makes it clear that the sender is in a meeting, so not available by other means of communication. They do that to discourage the recipient from checking if they are indeed corresponding with the person whose name appears in the signature. Seeing as the attackers did not try to hide the fact that the e-mail was sent from a public e-mail service, they either knew that the person they were imitating used the service or expected that it was normal for the company to use third-party e-mail for business correspondence.

Something else caught our attention, though: the “Sent from my iPhone” signature. That signature is iOS Mail’s default for outgoing messages, yet the technical headers suggest the message was sent through the Web interface, and specifically from the Mozilla browser.

Why did the attackers try to make the e-mail appear to have been sent from an Apple smartphone? The automatic signature might have been added to make the message look respectable. That is not the most elegant of tricks, though. BEC attacks most frequently appear to come from a coworker, and the chances are good that in this case, the recipient knew what type of device that person used.

So, the criminals must have known what they were doing. But how could they? In fact, it is not difficult. All it takes is some reconnaissance using a so-called tracking pixel, also known as a Web beacon.

What a tracking pixel is and why it is used

As a rule, companies that send bulk e-mail to customers, partners, or readers — almost every company, that is — want to know the level of engagement they achieve. In theory, e-mail has a built-in option for sending read receipts, but recipients must consent to its use, which most people do not. So, clever marketing people came up with the tracking pixel.

A tracking pixel is a tiny image. At just one pixel by one pixel, it’s indiscernible to the eye, and it lives on a website, so when an e-mail client application requests the image, the sender who controls the site receives confirmation that the message was opened as well as the IP address of the receiving device, the time when the e-mail was opened and information about the program that was used to open it. Have you ever noticed your e-mail client doesn’t display images until you click a link to download them? That’s not to boost performance or limit traffic. In fact, automatic image downloads are typically turned off by default for security reasons.

How can a cybercriminal take advantage of the tracking pixel?

Here’s one scenario: While traveling abroad, you get a message in your work inbox that looks relevant to your business. As soon as you realize it’s just an unwanted solicitation, you close it and trash it, but in the meantime, the attacker learns:

  • You are in another country, judging by your IP address. That means personal contact with coworkers is difficult. Thus, you may be a safe person to imitate;
  • You are using an iPhone (you opened the message with Mail for iOS), so adding a “Sent from my iPhone” signature will add credibility to the fake e-mail;
  • You read the e-mail at 11 AM. That alone is not important, but if you collect messages regularly, the cybercriminals will be able to figure out your schedule and time an attack to coincide with a period when you tend to be unavailable.

How can you defuse those insights?

Protecting oneself from tracking is difficult. That does not mean you should make cybercriminals’ lives easier, though. We suggest following these tips:

  • If your e-mail client prompts you to “click here to download pictures,” that means the visual content has been blocked for reasons of privacy. Think before you allow it. The e-mail may look ugly without images, but by giving your consent to downloading those, you provide information about yourself and your device to strangers;
  • Do not open e-mail that lands in your spam folder. Modern spam filters have an extremely high level of accuracy, especially if your e-mail server is protected by our technology;
  • Be careful with B2B mass mailings. It is one thing when you deliberately subscribe to a company’s updates, but rather different when an e-mail comes from an unknown company, for unknown reasons. In the latter case, it is better not to open the message;
  • Use robust solutions with advanced antispam and antiphishing technologies to protect your corporate e-mail.

Both Kaspersky Total Security for Business (Kaspersky Security for Microsoft Exchange Servers, Kaspersky Security for Linux Mail Server and Kaspersky Secure Mail Gateway components) and Kaspersky Security for Microsoft Office 365 include our antispam and antiphishing technology.