How often have you received an email (or for that matter an instant message) with marketing graphics embedded into it? I am guessing all the time? These marketing graphics are image files (GIF, JPG, PNG) that are added to the message.
Cyber criminals often include images in their phishing messages to represent the branding of the company they are impersonating. A cursory look at a message may deceive you into thinking it is from your bank or another company you deal with on a regular basis.
Images can also be used to bypass anti-malware scans by embedding text in an image format. As most malware scans start by scanning the text for tell-tale signs that it is a fake, if that text is written into an image it is harder for the malware scanner to detect the threat. This has changed recently where a lot of anti-malware scanners use image analysis to try to detect the threat. Cryptographic hashing algorithms make it easy for email filters to detect identical images. However, detecting similar images requires complex and costly algorithms. For this reason, cybercriminals often manipulate images slightly by adjusting their compression level, colorimetry or geometry to bypass email filters. The end goal of this is to make each image unique in order to circumvent signature-based anti-malware technologies. As this technique has grown in popularity though, email security vendors have improved their ability to extract and analyse content from images.
Images can also be delivered through a remote web link (e.g. an https URL), which is then downloaded by the messaging client when you open the message. There is no file to extract and analyse using the above techniques. An example is below.
In the first image you can see the full formatted email with marketing graphics from LastPass. The second image shows all the web links and specifically those for the images on the left highlighted in orange. I have redacted other links in the email as these may expose private information.
When you open the email for the first time, the email client parses the email HTML content and initiates a download of all externally hosted images. If there is a download link for another file type, these are usually ignored. There is sometimes a delay in displaying these images and this is a tell-tale sign that a download is in progress.
Where these images replace the text, now the anti-malware services have difficulty in finding something to analyse. It is probably only a matter of time before anti-malware application providers find a way to work around this, but for now it is a serious threat.
What else can these be used for?
In previous blogs we have talked about email tracking. In summary (look at the related blog for details), you can be tracked using:
- Remote Images
- Read/Delivery Receipts
- Embedded Links.
In a remote image the email client contacts the web server to download the image. Tracking information that can be related to your email address can be embedded in that download link. As a result the web server knows which email address the message was delivered to and now knows it is an active email address.
Email addresses can be:
- Active – in which case someone is regularly receiving and reading emails sent to that email address
- Dormant – where the email address is live, but not being regularly accessed to read email
- Dead/Deleted – where the email address no longer exists.
In the third case the email is bounced back to the sender as undeliverable. In the other two cases the sender knows that the email address is live. The best case for the sender is for the email to be responded to or, as in this case, for a link to be fetched that tells the sender the email address is active.
The same applies to SMS and instant messengers (e.g. Signal, Telegram) that rely on cell numbers.
The image can also use an open redirect, for example via a Google Advert, to lend legitimacy to the download link, fooling the anti-malware application into thinking it is a legitimate advert from Google. The link will be seen by the anti-malware scanner, but unless it looks at the embedded link (example below) it won’t know if the
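The post describes the mechanism in words: the client parses the HTML, fetches every remotely hosted image, and the fetch URL may carry a recipient token or a nested redirect target. As an added example (not code from the original post), this Python script performs the same inspection the LastPass screenshot shows manually: it lists the images in a message that would trigger a network fetch, the query parameters on each (candidate tracking tokens), and any full URL hidden inside those parameters (the redirect pattern). The sample message and all hostnames in it are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample (not a real message): a remotely hosted logo, a tracking
# pixel carrying a recipient token plus a nested redirect target, and a cid: image.
SAMPLE_EML = """From: newsletter@example.com
To: alice@example.net
Subject: Your account update
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.com/logo.png" alt="logo">
<p>Please review your account.</p>
<img src="https://track.example.com/open.gif?rcpt=alice%40example.net&amp;u=https%3A%2F%2Fads.example%2Fclick" width="1" height="1">
<img src="cid:inline-logo@example.com">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.srcs += [v for k, v in attrs if k.lower() == "src" and v]

def remote_images(raw_eml):
    """One dict per <img> that would trigger a network fetch: host, query keys
    (possible tracking tokens) and any full URL nested in those keys."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []  # plain-text only: nothing is fetched when the message is opened
    collector = _ImgCollector()
    collector.feed(html_part.get_content())
    findings = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images ship inside the message, no fetch
        qs = parse_qs(parsed.query)
        nested = [v for vals in qs.values() for v in vals
                  if urlparse(v).scheme in ("http", "https")]
        findings.append({"host": parsed.netloc, "params": sorted(qs),
                         "nested_urls": nested})
    return findings
```

Run against the sample, the logo comes back with no parameters while the 1x1 pixel reports the rcpt token and the nested ads.example URL; a message with no HTML part returns an empty list, which is the state a plain-text display mode puts every message into.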
How can I defend against this?
You need to switch off the ability for remote images to be downloaded in your email/IM client. Outlook is a popular email client in business environments and the appropriate settings can be found in the Trust Centre (see below). Unfortunately the native Outlook app delivered with Windows 10 does not have these controls.
Other email clients will have similar controls as will Instant messengers (for example look in Settings/Data Storage on Signal messenger and Settings/Storage and Data on WhatsApp).
You can also set the spam filters on your email client to send any email not sent from a contact or the safe senders list to spam. Typically when this happens all links are disabled and you see the full web links for the remote images (this is how I created the LastPass images above). In Outlook look in Home Ribbon/Junk/Junk Email Options for the appropriate controls. Other email clients will have similar controls either as part of settings or under specific junk email controls.
You can also force your email client to display all incoming messages in plain text (for Outlook see here how to do this using Trust Centre).
There is a constant war of attrition between cyber criminals and the cyber security community to develop counter measures for cyber attacks. As cyber criminals find a new exploit, the cyber security community finds ways to mitigate the threat. As cyber security professionals find better ways to detect cyber attacks, the cyber criminals find different attack vectors to exploit. It’s a tug-of-war that never ends in either side winning out in the long term.
Mitigations you can use to help protect yourself from these threats are:
- Apply appropriate Junk Email controls
- Apply email/IM client controls to not automatically download media (that applies to images, audio and video)
- Apply appropriate malware defences to scan all inbound emails for threats
- Display all incoming emails in plain text.
If you are a business, you can also apply anti-malware and spam controls on your email gateway.
You can also use services like Have I Been Pwned to detect when your email address has been disclosed in a data breach, although this is not infallible. I am still trying to find a similar trustworthy service that detects disclosed cell numbers.
Once an email/IM is read, and all images downloaded, it is too late to do anything about it. You have been tracked and the sender knows your email address/cell number is active. They can now use this information to launch additional cyber attacks such as Phishing and Business Email Compromise attacks as well as several attacks that can be made with just your cell number.
You should also educate yourself about how to detect cyber attacks – see our blog The Human Firewall for more info.
Prevention is always better than a cure.
Outlook images and Outlook versions 2019, 2016, 2013, 2010, 2007, 2003, Outlook for Microsoft 365, and Outlook for Mac Copyright © Microsoft Corporation
Shopify logo and graphics Copyright © Shopify
References to the above companies do not constitute an endorsement of their products.