Simple Exploit Allows Attackers to Change Email Content – Even After It Is Sent!


Security researchers warn about a new, easy-to-exploit email trick that allows attackers to turn a seemingly harmless email into a malicious one after it has been delivered to your inbox. Dubbed Ropemaker (short for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was revealed by researchers at the email and cloud security firm Mimecast.

The Hacker News reported that successful exploitation of a Ropemaker attack allows attackers to remotely modify the content of emails that they themselves sent, such as swapping a URL with a malicious one. This can be done even after the email has been delivered to the recipient and has made it through all the necessary spam and security filters, without requiring direct access to the recipient's computer or email application, which exposes hundreds of millions of users of desktop email clients to malicious attacks. Ropemaker abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML), which are a fundamental part of the way information is presented on the Internet.

“The origin of Ropemaker is located at the intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” Senior Mimecast Product Marketing Manager Matthew Gardiner writes in a blog post. “While the use of this web technology has made emails more visually appealing and dynamic than its pure text based predecessors, it also introduces an exploitable attack vector for email.”

Because the CSS is stored remotely, researchers say that an attacker can change the content of an email through remotely initiated changes to the desired 'style' of the email, which is then retrieved remotely and presented to the user without the recipient, even a tech-savvy one, knowing about it.


According to the researchers, how the Ropemaker attack is leveraged depends on the creativity of the threat actor. For example, an attacker could replace a URL that originally directed the user to a legitimate website with a malicious one that sends the user to a compromised site designed to infect users with malware or steal sensitive information, such as their credentials and banking details. While some systems are designed to detect the URL switch and prevent users from opening the malicious link, other users may be left at risk.

Another attack scenario, called "Matrix Exploit" by Mimecast, is more sophisticated than the "Switch Exploit", and therefore more difficult to detect and defend against. In a Matrix Exploit attack, the attacker writes a matrix of text in an email and then uses the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want, including adding malicious URLs into the body of the email. This attack is more difficult to defend against because the initial email received by the user does not display any URL, so most software systems will not mark the message as malicious.

“Since URLs are sent after submission, an email gateway like Mimecast cannot find, rewrite, or check the destination site when it is clicked, because at the time of submission there will be no URL detected,” the report read. “To do so would require interpretation of the CSS file, which is beyond the reach of the current email security system.”

Although the security company has not detected Ropemaker attacks in the wild, it believes that this does not mean the attack is "not used outside the Mimecast display." According to the security company, Ropemaker can be used by hackers to bypass the most common security systems and trick even tech-savvy users into interacting with malicious URLs. To protect themselves from such attacks, users are advised to rely on web-based email clients such as Gmail, iCloud and Outlook, which are unaffected by Ropemaker-style CSS exploits, according to Mimecast. However, email clients such as the desktop and mobile versions of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to Ropemaker attacks.

