We used to think of email like a letter: once sent, it couldn’t be altered without serious and usually obvious effort. Bad news: attackers now have a way to edit the contents of an email after it has already been delivered to an inbox. Take that in for a moment and consider what the ramifications of such an attack would be for you or your company. The technique was discovered by Francisco Ribeiro of the security company Mimecast and named ROPEMAKER, an acronym for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. For attackers, and phishers in particular, it is a dream come true.
The exploit is a by-product of how two standard web technologies, HTML and Cascading Style Sheets (CSS), are allowed to interact. The modern approach to styling web pages, and by extension emails, has turned email into an exploitable vector, mainly because of dynamically loaded content. Many organizations rely on dynamic content to customize the experience for their customers or clients. CSS was a turning point for the web because it separated content from presentation, and it went a step further: the stylesheet can be hosted in an entirely different location and referenced from the HTML file. If you have ever used a slow connection you have seen the consequence, with the content loading first and the styling arriving afterwards.
Normally CSS only controls the aesthetics of an email: layout, colors and fonts. But CSS can also decide what the reader sees, not just how it looks. A rule can hide one element and reveal another, so a message can carry two alternative links or paragraphs with the stylesheet choosing which one is displayed. The attack is simple: a malicious actor sends an HTML email containing a line that references a stylesheet on a server they control. Because that stylesheet is fetched each time the message is rendered, the attacker can change what the recipient sees at any time after delivery, without ever touching the copy stored in the mailbox, so mail-gateway scanning at delivery time sees only the harmless version. This relies on the receiver’s email client automatically fetching remote CSS, and unfortunately many clients do; a client that strips or refuses to load remote stylesheets is not affected. Widely used clients including Microsoft Outlook and the popular open-source alternative Mozilla Thunderbird are vulnerable.
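To make the mechanism concrete, here is an added example (not code from the original post or from Mimecast’s research) that builds a message with the two-alternative “switch” structure described above, shows how the remote stylesheet decides which link is visible, and then implements the check a mail gateway or mailbox scanner would want: find every remote stylesheet reference in the HTML parts of a message. The hostnames, the message text and the two stylesheet versions are constructed for the example.

```python
"""ROPEMAKER-style remote-CSS switch: a constructed sample and a detector.

Added example; not from the original post. All hostnames are made up.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed attacker-controlled stylesheet URL.
REMOTE_CSS = "https://css.attacker.example/invoice.css"

# Both link targets are present in the delivered message; the remote
# stylesheet decides which span is visible at render time.
TARGETS = {
    "a": "https://portal.example/invoice",          # benign (constructed)
    "b": "https://portal.attacker.example/login",   # phishing (constructed)
}

SWITCH_BODY = f"""<html><head>
<link rel="stylesheet" href="{REMOTE_CSS}">
<style>@import url("{REMOTE_CSS}");</style>
</head><body>
<p>Please review
<span class="a"><a href="{TARGETS['a']}">your invoice</a></span>
<span class="b"><a href="{TARGETS['b']}">your invoice</a></span></p>
</body></html>"""

# What the attacker serves at delivery time versus afterwards (constructed).
CSS_AT_DELIVERY = ".a{display:inline} .b{display:none}"
CSS_AFTER_DELIVERY = ".a{display:none} .b{display:inline}"


def build_message(html_body: str) -> bytes:
    """Wrap an HTML body in a multipart/alternative message (sample input)."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "john@xyzcorp.example"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please review your invoice.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


def visible_target(css: str) -> str:
    """Toy renderer: which link a client would show under the given stylesheet."""
    rules = dict(re.findall(r"\.(\w+)\s*\{\s*display\s*:\s*(\w+)", css))
    shown = [cls for cls in TARGETS if rules.get(cls, "inline") != "none"]
    if len(shown) != 1:
        raise ValueError("expected exactly one visible alternative")
    return TARGETS[shown[0]]


class _RemoteCssFinder(HTMLParser):
    """Collect stylesheet references: <link>, @import, and url() in style text."""
    _IMPORT = re.compile(r"""@import\s+["']([^"']+)["']""", re.I)
    _CSS_URL = re.compile(r"""url\(\s*["']?([^"')\s]+)""", re.I)

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "stylesheet":
            self.hits.append(("link", a.get("href", "")))
        if tag == "style":
            self._in_style = True
        if "style" in a:  # inline style="... url(...)"
            for url in self._CSS_URL.findall(a["style"]):
                self.hits.append(("inline-style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in self._IMPORT.findall(data) + self._CSS_URL.findall(data):
                self.hits.append(("style-block", url))


def remote_css_references(raw: bytes) -> list:
    """Return (kind, url) for every http(s) stylesheet reference in HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    refs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = _RemoteCssFinder()
        finder.feed(part.get_content())
        refs.extend((k, u) for k, u in finder.hits
                    if u.lower().startswith(("http://", "https://")))
    return list(dict.fromkeys(refs))  # de-duplicate, keep order


if __name__ == "__main__":
    print("at delivery :", visible_target(CSS_AT_DELIVERY))
    print("later       :", visible_target(CSS_AFTER_DELIVERY))
    for kind, url in remote_css_references(build_message(SWITCH_BODY)):
        print(f"remote CSS via {kind}: {url}")
```

The detector flags the message regardless of which stylesheet version the attacker is serving, which is the point: the stored message never changes, so the only reliable signal at scan time is the presence of a remote stylesheet reference, not the content it currently resolves to. A gateway could quarantine, or strip the `<link>` and `@import` lines before delivery.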
For attackers this technique offers far more flexibility in phishing schemes and could prove a valuable addition to the toolkit. Since HTML and CSS are entry-level skills, even amateur attackers can try their hand at it. Beyond external threats, it also significantly amplifies the impact a malicious insider could have. Below are a few scenarios where it could be used.
The Enhanced Targeted Phishing Email
John works as a Project Manager at XYZ Corp and is currently managing four projects at once. He brushes off some anonymous views of his LinkedIn profile, since he is a point of contact for many people. He receives an email, with a read receipt requested, in his Outlook client about an unpaid invoice. The email has no attachment; instead it asks him to escalate the issue to his manager. Once forwarded, the same email now appears to the manager to come from one of their existing clients, complaining about terrible service and missing credentials for their account. The manager, in a sudden panic, retrieves the credentials and sends them to the attacker. Nothing happens at first, but eight weeks later that client is on the receiving end of a major data breach.
The Malicious Insider
Jake is dissatisfied with his Operations Director position at E Corp and frustrated by the rise of a peer in the company. He is also in some financial trouble, which competitors have noticed from his rants on social media. He is offered a higher-paying position at Z Corp with significantly more influence if he acquires valuable information about a product E Corp is currently developing; if he gets caught, Z Corp has said the deal is off the table. Understanding the scope of each person’s role in the company, Jake targets key employees with a few HTML emails that get passed around, altering their content through his remote CSS with each exchange, until an employee unintentionally leaks the sensitive information to an external address that Jake set up. He uses that untracked mailbox to deliver the information to Z Corp. Nine weeks after quitting E Corp, he is made COO at Z Corp.
Email content that can be changed remotely with a few keystrokes makes for a world of dangerous scenarios. Organizations worried about insider threats need to be aware of this and, where possible, allow only plain-text email to flow through the organization. It isn’t as appealing or flashy, but it is far safer in the long run. If plain text is not an option, the attack still depends on the client fetching remote content, so configuring clients not to load remote content automatically, or stripping remote stylesheet references at the mail gateway, removes the attacker’s post-delivery control; note that scanning message content at delivery time alone is not enough, since the stored message never changes. More information about the ROPEMAKER exploit can be found here. Do you see a chance for this exploit to be used in your organization? If so, do you have any sort of email monitoring solution in place?