Super-phishing: a masterful way to defeat e-mail security inside e-mail clients
So far, most users have been convinced that an e-mail message does not change after it is sent: the recipient sees exactly the content the sender wrote. Today everyone should revise that assumption about secure communication protocols, because even standards such as S/MIME and PGP cannot protect a message from the substitutions demonstrated by researchers at Mimecast.
The method they developed, ROPEMAKER (the acronym of Remotely Originated Post-delivery Email Attachment), can change the content of a message after delivery, e.g. the target of a hyperlink:
ROPEMAKER makes it possible to manipulate more than links; the entire text content can be changed:
How is this possible? By manipulating what you see from a layer you cannot see. Specifically, by loading remote HTML and CSS content:
How to use ROPEMAKER in an attack?
This method requires neither direct access to the mailbox nor a man-in-the-middle (MITM) attack (although ROPEMAKER can be combined with a MITM attack). The content of the e-mail can be modified because the client loads remote CSS code: visually attractive mail with dynamic content and hyperlinks increases the chance that a phishing attack succeeds. In this case, however, "phishing" understates what is done to the employee or user, because despite a digital signature or PGP encryption of the message, the recipient sees altered content.
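The part a defender can act on is the remote stylesheet reference itself: the signed or encrypted bytes never change, only the rules the client fetches at display time. The following added example (my own code, not from the article or from Mimecast) shows a gateway-style check that parses a message, lists every remote `<link rel="stylesheet">` and CSS `@import` in its HTML parts, and strips those references before the message is rendered. The domains and the sample message are constructed for the demonstration; inline `<style>` rules and `cid:` references are deliberately left alone because they cannot change after delivery.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# A remote reference is any absolute http(s) or scheme-relative URL.
# Relative paths and cid: parts travel with the message and are not flagged.
REMOTE_URL = r'((?:https?:)?//[^\s"\'();>]+)'
LINK_TAG_RE = re.compile(r'<link\b[^>]*>', re.IGNORECASE)
REL_ATTR_RE = re.compile(r'\brel\s*=\s*["\']?([^"\'>]+)', re.IGNORECASE)
HREF_ATTR_RE = re.compile(r'\bhref\s*=\s*["\']?' + REMOTE_URL, re.IGNORECASE)
IMPORT_RE = re.compile(r'@import\s+(?:url\(\s*)?["\']?' + REMOTE_URL, re.IGNORECASE)
# Whole @import rule, used when stripping (consumes up to the terminating ';').
IMPORT_RULE_RE = re.compile(r'@import\s+(?:url\(\s*)?["\']?(?:https?:)?//[^;]*;?', re.IGNORECASE)

# Constructed sample HTML body: one remote stylesheet and one remote @import.
# example.invalid is a reserved placeholder domain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">
<style>@import url("https://cdn.example.invalid/late.css"); p { color: black; }</style>
</head><body>
<p>Your invoice is ready.</p>
<p><a href="https://portal.example.invalid/invoice">Click here to review.</a></p>
</body></html>
"""

# Constructed clean body: only inline CSS, nothing fetched after delivery.
CLEAN_HTML = """<html><head><style>p { color: black; }</style></head>
<body><p>Your invoice is ready.</p></body></html>
"""


def build_eml(html: str) -> bytes:
    """Build a multipart/alternative message around the given HTML (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Your invoice is ready.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


def html_parts(raw: bytes) -> List[str]:
    """Return the decoded text/html parts of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


def find_remote_styles(html: str) -> List[Dict[str, str]]:
    """List remote stylesheet links and @import rules, one entry per distinct URL."""
    seen = set()
    findings: List[Dict[str, str]] = []

    def add(kind: str, url: str) -> None:
        if url not in seen:
            seen.add(url)
            findings.append({"kind": kind, "url": url})

    for tag in LINK_TAG_RE.findall(html):
        rel = REL_ATTR_RE.search(tag)
        href = HREF_ATTR_RE.search(tag)
        if rel and "stylesheet" in rel.group(1).lower() and href:
            add("link-stylesheet", href.group(1))
    for m in IMPORT_RE.finditer(html):
        add("css-import", m.group(1))
    return findings


def scan_message(raw: bytes) -> List[Dict[str, str]]:
    """Scan every HTML part of a message; a non-empty result means the rendered view can change later."""
    out: List[Dict[str, str]] = []
    for html in html_parts(raw):
        out.extend(find_remote_styles(html))
    return out


def strip_remote_styles(html: str) -> str:
    """Remove remote stylesheet links and remote @import rules; inline rules stay."""

    def drop_link(m: "re.Match[str]") -> str:
        tag = m.group(0)
        rel = REL_ATTR_RE.search(tag)
        remote = rel and "stylesheet" in rel.group(1).lower() and HREF_ATTR_RE.search(tag)
        return "" if remote else tag

    html = LINK_TAG_RE.sub(drop_link, html)
    return IMPORT_RULE_RE.sub("", html)


if __name__ == "__main__":
    for f in scan_message(build_eml(SAMPLE_HTML)):
        print(f"remote style: {f['kind']} -> {f['url']}")
    print("clean message findings:", scan_message(build_eml(CLEAN_HTML)))
```

Running the block lists both remote references in the constructed message and none in the clean one; feeding the stripped HTML back into `find_remote_styles` returns an empty list. In a real deployment the same check belongs at the gateway (quarantine or rewrite) and in the client, where the existing "do not load remote content" setting is the simplest mitigation the article alludes to.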
The presented fraud method hands criminals a Gatling gun where previously they had only single-shot pistols.
ROPEMAKER can be used in the same phishing and spear-phishing attacks we have known so far, with the added ability to manipulate e-mail content after delivery. The result is an explosive mix of social engineering. The worst part is that ROPEMAKER is not an exploit, a vulnerability or a security bug. It is simply masterful deception, or rather the intended use of e-mail client features, the very ones that are supposed to warn the user before loading remote content.
ROPEMAKER has been tested on the Outlook, Thunderbird and Apple Mail clients. Its use is limited only by the creativity of cybercriminals. Although Mimecast has not recorded this method in real attacks (and it has tens of thousands of business customers, who receive billions of e-mails), we may, just as with the NSA's EternalBlue exploits, soon see ROPEMAKER in phishing attacks on a scale similar to the WannaCry ransomware. What is more, the researchers suggest that attackers wanting to display remote content can experiment with scalable vector graphics (SVG) and with
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.