This hack lets attackers change what’s written in emails AFTER they’ve been sent
New research has thrown light on an email exploit that hackers can use to change the content of a message, after it has been delivered to your inbox.
Dubbed Ropemaker by security company Mimecast, the attack scenario allows malicious parties to alter what is displayed in an email, such as editing text or swapping a harmless URL with a link to malware.
The exploit is based on the idea that an attacker sends an HTML email to the victim, but uses the CSS code – normally used to direct the presentation style of a web page – to leverage a remote file hosted on the attacker’s server.
“A CSS file can be used locally with the markup language file or accessed remotely across the network (generally the Internet),” Mimecast’s report reads. “And of course, the key of this exploit is from a security point of view, is that part of the system is controlled in an untrusted zone.”
In a couple of examples given by Mimecast, a remote CSS code is first used to switch a URL address in an email message, then to send a matrix of ASCII text that can be selectively controlled by change what is displayed. This latter scenario would essentially allow an attacker to edit the text of an email, adding or removing sentences and external links.
Brian Robison, senior director of security technology at Cylance, notes that Ropemaker isn’t the first exploit to make malicious use of CSS on web pages. “Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to different site entirely.”
Ropemaker, which stands for the somewhat inelegant “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky”, might take CSS exploits to a new level, but don’t start deleting all your emails just yet. Mimecast notes it hasn’t yet seen Ropemaker in the wild, and tests on browser-based versions of Gmail, Outlook and iCloud showed those platforms were not susceptible to the exploit. Mimecast does claim, however, that desktop and mobile versions of the Microsoft Outlook app, desktop and mobile versions of Apple Mail, and Mozilla Thunderbird, were all susceptible.
Many email clients strip out header tags for emails in HTML formats, including tags that call for remote CSS files. If push came to shove, individuals or company admins could block remote CSS resources from loading. In response to a draft of the report, Apple notes that users can disable remote content in emails by navigating Mail | Preferences | Viewing, then unchecking “Load remote content in messages”.
Security expert Graham Cluley told Alphr it’s good practice to be wary of unsolicited emails from unfamiliar contacts “and to hover your mouse over links before clicking on them to determine where they will be taking you”.
“[The exploit] is certainly inventive,” he added, “but perhaps not quite as creative as the hard work Mimecast put in constructing the Ropemaker acronym”.