Tracking pixels can be used to compromise enterprise security

Rodolfo Saccani
2 min readJul 23, 2018

--

Tracking pixels, or beacons, are widely used in email advertising, but a more subtle and dangerous use is possible.

Metering a simulated phishing campaign through tracking pixels

Tracking pixels are basically very small images (usually invisible to the human) embedded in the email, whose content is loaded from a server when the email is opened.

When your email client loads this image from the server, the server knows that you opened the email. In email marketing this is used to get an approximate count of the open rate of an advertising campaign (how many recipients opened the email) and to keep track of “active” recipients, recipients who receive emails in the inbox and open them.

There are other more subtle uses of the information that tracking pixels leak. When the email client (or the browser) loads the email, the following information can be collected by the server:

  • Identity of the recipient opening the email (at least the email address the email has been sent to)
  • Time and day
  • IP address
  • Information about the mail client or browser and the operating system (or device)

This information is not valuable only for marketing purposes but it can be very valuable also for malicious uses, like targeted phishing attacks.

Let’s make an example: by sending an email to your company’s CEO and getting the email beacon at 8:12 AM from the IP address of a hotel in eastern Europe, the attacker knows that the CEO is currently on a business trip in this place.

At this point a Business Email Compromise (BEC, or Whaling) attack can be performed by sending an email back to the office, impersonating the CEO and requesting an urgent money transfer or a classified internal document related to the trip. The knowledge of these details can make the phishing message quite credible and effective.

With tracking pixels the attacker can gather information about movements of executives, habits of employees, about who is on holiday and who isn’t and, with some additional intelligence, can infer company strategies and secrets: a meeting at a lawyers office or with a specific partner can reveal the progress status of a secret negotiation or deal.

Many email clients don’t open images by default but the user can be easily tricked into displaying images. The best defense is to disarm such beacons before the email is delivered, which is what Libra Esva does.

Originally published at https://www.libraesva.com on July 23, 2018.

--

--

Rodolfo Saccani
Rodolfo Saccani

Written by Rodolfo Saccani

Rodolfo Saccani is CTO and head of R&D in Libraesva, an email security vendor. Rodolfo Saccani is also free flight safety officer in FIVL.

No responses yet