ROPEMAKER Email exploit

A new email exploit discovered by security researchers at Mimecast lets a malicious actor change the displayed content of an email at will. For example, an attacker could swap a benign URL with a malicious one in an email already delivered to your inbox, turn plain text into a malicious URL, or edit any text in the body of an email whenever they want.

Dubbed Ropemaker (short for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), it abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML).

This remote-control ability could enable bad actors to direct unwitting users to malicious websites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users.

Since the CSS can be hosted remotely, researchers say an attacker can change the content of an email by remotely altering the 'style' the email references; the client retrieves that style when rendering and presents the result to the user, without the recipient knowing about it.

[Figure: Switching a good URL]

[Figure: Switched to a bad URL]

Using this exploit, attackers could replace a URL that originally directed the user to a legitimate website with a malicious one that sends the user to a compromised site designed to infect them with malware or steal sensitive information, such as their credentials and banking details.

While some systems are designed to detect the URL switch and prevent users from opening the malicious link, users of other systems could be left at risk.

Another attack scenario, called the "Matrix Exploit" by Mimecast, is more sophisticated than the "Switch Exploit", and therefore much harder to detect and defend against.

In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email.

This attack is harder to defend against because the initial email received by the user does not display any URL, so most software systems will not flag the message as malicious.

“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” the report reads. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”

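Both the Switch and Matrix variants described above depend on one thing a gateway can see at delivery time: the HTML references a stylesheet that lives on a remote server. The following is an added example, not Mimecast's detection logic or anything from the report, showing how a delivery-time hook could flag or strip such references. The email, its headers and the hostnames in it are constructed for illustration; the detection is pattern-based (`<link rel="stylesheet">` tags and `@import` rules pointing off-host) and, as assumed here, treats every remote stylesheet as suspicious rather than trying to interpret the CSS itself.

```python
"""Flag or strip remote CSS references in an email's HTML parts.

Added illustration for the Ropemaker discussion: a client that fetches a
stylesheet after delivery can have its rendering changed later, so a
mail-processing hook can detect those references while the message is
still in transit. Not Mimecast's code; all sample data is constructed.
"""
import re
from email import message_from_string

# Any <link ...> tag; rel= and href= are checked separately because attribute order varies.
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
REL_STYLESHEET_RE = re.compile(r"""rel\s*=\s*["']?[^"'>]*stylesheet""", re.IGNORECASE)
# @import url("...") or @import "..." inside <style> blocks or style attributes.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.IGNORECASE)
# Whole @import statement pointing off-host, for removal.
REMOTE_IMPORT_STMT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?(?:https?:)?//[^;]*;?""", re.IGNORECASE)
# http://, https:// or protocol-relative //host/... all leave the message to fetch CSS.
REMOTE_SCHEME_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True when the URL would cause the client to fetch CSS from a network host."""
    return bool(REMOTE_SCHEME_RE.match(url.strip()))


def find_remote_css(html: str) -> list[str]:
    """Return every remote stylesheet URL referenced by the HTML, in document order per kind."""
    found = []
    for tag in LINK_TAG_RE.findall(html):
        if REL_STYLESHEET_RE.search(tag):
            href = HREF_RE.search(tag)
            if href and is_remote(href.group(1)):
                found.append(href.group(1))
    for match in IMPORT_RE.finditer(html):
        if is_remote(match.group(1)):
            found.append(match.group(1))
    return found


def strip_remote_css(html: str) -> str:
    """Remove remote <link rel=stylesheet> tags and off-host @import rules; keep inline CSS."""
    def drop_remote_link(match):
        tag = match.group(0)
        if REL_STYLESHEET_RE.search(tag):
            href = HREF_RE.search(tag)
            if href and is_remote(href.group(1)):
                return ""
        return tag
    html = LINK_TAG_RE.sub(drop_remote_link, html)
    return REMOTE_IMPORT_STMT_RE.sub("", html)


def scan_message(raw_message: str) -> list[str]:
    """Walk every text/html part of an RFC 822 message and collect remote CSS references."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        hits.extend(find_remote_css(payload.decode(charset, errors="replace")))
    return hits


# Constructed sample: a message whose look is controlled by two externally hosted stylesheets.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://css.example.invalid/invoice.css">
<style>@import url("//css.example.invalid/matrix.css"); p { margin: 0; }</style>
</head><body>
<p>Your invoice is attached.</p>
</body></html>
"""

SAMPLE_EMAIL = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: Invoice (constructed sample)\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "\r\n" + SAMPLE_HTML
)

# Constructed sample with only inline CSS: a normal link, nothing fetched from a CSS host.
CLEAN_HTML = """<html><head><style>body { color: #000; }</style></head>
<body><a href="https://www.example.test/login">Log in</a></body></html>"""

if __name__ == "__main__":
    for url in scan_message(SAMPLE_EMAIL):
        print("remote stylesheet reference:", url)
    print("after stripping:", find_remote_css(strip_remote_css(SAMPLE_HTML)))
```

A gateway would typically quarantine or rewrite on any hit; stripping the references is the lighter option, since the inline CSS and the visible text survive and only the post-delivery control channel is removed. Obfuscated or encoded references would need the HTML decoded first, which the pattern match here does not attempt.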
To protect themselves from such attacks, users are advised to rely on web-based email clients like Gmail, iCloud and Outlook.com, which aren't affected by Ropemaker-style CSS exploits, according to Mimecast.

However, email clients like the desktop and mobile versions of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.

Author: Cognore
