A simple exploit gives attackers the ability to modify the contents of an email after sending
- Transfer
Do you think the contents of the email cannot be changed after delivery? If you are interested in information security, you should learn about the attack method that researchers at Mimecast called ROPEMAKER.
The acronym ROPEMAKER stands for "Remotely Originated Post-delivery Email
Manipulation Attacks Keeping Email Risky." In fact, ROPEMAKER is a type of email hacker discovered by Francisco Ribeiro (@blackthorne) from Mimecast. This exploit can give an attacker the ability to remotely modify the contents of an email message at any time after delivery. Is ROPEMAKER a vulnerability that needs to be fixed to protect ordinary users? We hope this article helps answer this question.
By origin, ROPEMAKER lies at the intersection of email and web technologies such as HTML and CSS. Although the use of these web technologies made email visually more attractive and dynamic compared to its predecessor, which was based solely on text, it also led to the emergence of a new attack vector for email. People usually expect web page content to be dynamic and can change instantly, but they don't expect it from emails. Thus, ROPEMAKER is another potential attack vector that can be used by cybercriminals to spread, for example, ransomware viruses.
Fundamentally, ROPEMAKER exists because two resources that are located remotely from each other but connected through a network can interact in such a way that one of them affects the execution of the other. When using web content, remote data can be retrieved without direct local user control. Subject to appropriate security settings, this happens automatically, and in most cases, is the expected and desired functionality by the user. A great example is the use of remote style sheets (CSS).
CSS is the cornerstone technology used by most websites to create visually appealing web pages. ROPEMAKER takes advantage of the fact that CSS allows you to separate the appearance and content. It is important to note that with certain security settings, many email clients can use the CSS file locally or remotely over the network. And, of course, the key to this exploit from a security point of view is that part of the system elements used are in an unreliable area. And instead of controlling only the look of the email, remote CSS can actually alter the content of the email.
How can attackers use ROPEMAKER in cyber attacks?
Imagine that a cyber criminal is maliciously sending an HTML-based email with CSS to his alleged victim located on a remote server. ROPEMAKER will work as long as the email client automatically connects to the remote server to obtain the desired “style” for writing.
For example, an attacker could replace the display of a “good” URL with a “bad” URL by changing the remote CSS. It can also turn the text into a “bad” URL or change the content of the delivered letter, which will affect the meaning of the transaction by replacing “yes” with “no” or “1 dollar” with “1 million dollars”.
Switch Exploit
In the first example, which researchers call “Switch,” the good URL in the email later is “switched” by the attacker in the same message to the bad URL. Everything looks good in Figure 1. But by editing the remote CSS, the letter receives a new “style” (Figure 2).
Figure 1
Figure 2
Remote CSS that switches the style to display the “bad” URL in this example.
HTML email invoking remote CSS.
Both URLs are sent in the original email and thus the solution is to check the “Good” and “Bad” URLs before the user is allowed to click on them. Organizations that do not use malicious URL blocking by security systems will be exposed to such threats.
Matrix Exploit
Matrix Exploit is more sophisticated. Inside the email contains a matrix of all ASCII characters for each letter. Using CSS display rules, an attacker can selectively change the visibility of each letter and, thus, recreate the desired text in the letter at any time. For example, an attack may begin by displaying a blank message, as shown in Figure 5. And with relatively simple manipulations in the remote CSS file, you can change the contents. As a result, the user will see what is in Figure 6.
Figure 5
Figure 6
Matrix Exploit is more dangerous because the letter itself in this case is just text without any URLs or other content that can be detected upon delivery (although a relatively large number of HTML tags and message size can serve as a signal). However, as soon as the remote CSS is used to selectively display text and URLs, the email client will display a clickable link (for example, Apple Mail), or at least it will contain text with a URL. Thus, a gullible user can easily copy and use it in a browser.
Microsoft Outlookfor example, you can configure it to alert you before automatically loading external resources. But how many users just reject the warning or disable the setting? From a users perspective, if part of the email looks good, why not get the rest of the message?
Since the URL is displayed after delivery, the email security gateway cannot find and check the malicious url, because it is not present at the time of delivery. This will require interpretation of CSS files, and this goes beyond the functionality of existing email security systems.
How does the change in the displayed text when using Matrix Exploit.
It is important to note that the code block as in the figure above represents the ability to display only one position in the matrix of displayed characters and, therefore, it must be repeated for all positions in the intended letter. Thus, a relatively large letter would be required to display a relatively short message.
ROPEMAKER Disclosure
At the end of 2016, Mimecast notified the main suppliers of email clients, in particular Apple and Microsoft.
More recently, Mimecast received a response from Apple:
users can turn off loading remote content by going to the menu Mail> Preferences> Viewing and unchecking “Load remote content in messages”.The solution is provided at the user level and, therefore, is under his control, which adds risks. Do users really understand the potential threats to information security? In addition, iOS does not have the same feature in the settings. The only answer from Microsoft described ROPEMAKER as "not a vulnerability." What is your opinion?