Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actors) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.
#DFIR #APT32
Let's start with the basics of tracking pixels. I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."? pic.twitter.com/YPGuW9EmZa
The email has a number of image attachments - one of which is called a tracking pixel. Here's what it looks like when the images haven't been downloaded. pic.twitter.com/9BnaPrhC4c
If you take a look at the raw email message you'll notice multiple URLs, including ones from well-known social media companies and a lesser-known one called yesware. pic.twitter.com/3r39BsThEf
Let's take a look at spacer.gif. According to Chrome developer tools - it's a 1 pixel by 1 pixel, white image and also saves a cookie called "t" that expires in 10 years. pic.twitter.com/5Tau7xZS7b
In my limited testing I've found that each mail client chooses to handle these tracking pixels differently.
Outlook thick client (blocked by default)
Office365 in a web browser (pixel autoloaded)
iPhone mail client (pixel autoloaded)
Android mail client (pixel autoloaded)
pic.twitter.com/yRv1LjcLX2
If you open an email in a mail client that autoloads a tracking pixel - you divulge your IP address, OS version and mail client version and the date/time of each time you opened the email. pic.twitter.com/HVXiKWQB5o
Moral of the story is - opening an email in certain mail clients can leak information about your system b/c your mail client autoloads a tracking pixel. And although it might be a company hosting a hot @RSAConference party - it could also be someone less "friendly" #DFIR #APT32 pic.twitter.com/sjFhhQOJTK
Even scammers leverage tracking pixels to gauge the success of their campaigns. I could really use a silent investor - you think I should reach out to Mr. Mohammed? pic.twitter.com/BmmHYoQXpq
If you want to disable auto-image loading in Gmail, click the "Gear" icon, select "Settings", and under the Images section select "Ask before displaying external images", then click "Save changes". pic.twitter.com/xCHyHdJeV0