Cyber criminals can turn a harmless email into a malicious one even after it has been received by victims thanks to the Ropemaker attack.
The Ropemaker attack (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) is a technique, found by the security researcher Francisco Ribeiro, which is capable of turning non-dangerous emails into malicious ones after they have been delivered to the victim’s inbox.
After sending an email to the victim, hackers use the Ropemaker attack to remotely modify its content. For instance, the hacker is capable of changing an embedded URL bypassing spam and security filters.
The Ropemaker attack abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) which are fundamental parts of the way information is presented on the Internet.
“So what is ROPEMAKER?
The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email. ” the Mimecast’s Senior Product Marketing Manager Matthew Gardiner, said.
The ROPEMAKER attack leveraged on the fact that CSS is stored remotely, so an attacker can change the content of an email through remotely changes to the desired ‘CSS ‘ used for the content of the email that is presented to the user.
The Ropemaker attack could be exploited in many different ways. For example, cyber criminals could replace an URL which points to a legitimate website with a malicious one that redirects the user to a phishing site or a compromised website.
Mimecast named the other type of attack “Matrix Exploit” – it sees hackers writing a matrix of text in an email and use the remote CSS to selectively control what is displayed after that. By using this method, the criminal can display any text in the email content, as well as some malicious URLs.
The “Matrix Exploit” type of attack is very hard to detect because no URL is displayed in the email which the victim has received.
“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” the report on the Ropemaker attack states. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”
According to security researchers from Mimecast, web-based email clients like Gmail, Outlook, and iCloud aren’t affected by Ropemaker-style CSS exploits, while email clients like the desktop and mobile version of Microsoft Outlook, Mozilla Thunderbird, and Apple Mail are all vulnerable.