Defending Against Spear Phishing, RAT Deployment and Email Tracking

Pierluigi Paganini January 26, 2015

Gary Miliefsky explains how spear phishing works, and how email tracking allows a sender to collect very useful data on the recipient.


In my 2015: Year of the RAT Threat Report (see: http://www.snoopwall.com/reports/), I described how I felt Sony Pictures Entertainment (SPE) was attacked by the Guardians of Peace, aka #GOP. In this supplement, I would like to cover how spear phishing works, as well as email tracking. Commercial email tracking tools are freely available for trials or for limited email sending, and they allow the sender to collect very useful data on the recipient, including the kind of data that hackers typically use to exploit a known vulnerability (a CVE, see: http://cve.mitre.org, on whose board I serve, and its sister search engine site http://nvd.nist.gov, funded by the US Department of Homeland Security to let you track and find, for free, any vulnerabilities in your network equipment, computers, operating systems and software that might be used to exploit you).

Finding and Exploiting Vulnerabilities

It works like this: first you find email servers with vulnerabilities (CVEs) and exploit them to eavesdrop on and track other people's email. That lets you build up a contact list and learn what kind of messages a person sends, receives and opens, so that you can spoof a trusted party and attach a remote access Trojan (RAT). I'm not telling you this to recommend you commit a crime; in fact, I'm 100% against you doing so. However, without understanding why and how you might become a victim of a spear phishing attack with an embedded RAT attachment, or of the exploitation of vulnerabilities in your email client or web browser, how can you expect to defend yourself? Just watch http://map.ipviking.com and you'll see loads of attacks against EMAIL SERVERS in the USA. Why? Because the first step in reconnaissance (RECON) for a spear phishing attack is to break into a mail server, or to find a recipient you can victimize, so that you can later spoof an email to their important friend, boss or business associate, who is your ultimate target.

What is the difference between Spear Phishing and Email Tracking?

Spear phishing attacks are typically very targeted, going after one individual. Email tracking is usually used by marketers to make sure you opened an email they sent you and to collect additional information about you. Lately, due to the proliferation of free email tracking offerings, anyone from a debt collector to your local dentist or attorney, or even a jealous spouse, might use email tracking services to 'check up on you', which now includes GEOLOCATION technology.

Email tracking generally uses a hidden cookie and a web bug (also known as a web beacon) to track the email. Spear phishing usually attaches a RAT to the email, hoping you will trust the spoofed sender and open the attachment, causing a much more painful and deeper infection that may go unnoticed until it's too late, as in the case of Sony Pictures Entertainment.

Email tracking tells the person tracking the email when it was received, opened and forwarded. It can tell when attachments or hyperlinks were opened and clicked. It can determine how long someone spent reading the email. It can also collect information about the geolocation where it was opened. In addition, the tracker can find out your computer's operating system and the email client or web browser you are using to read the email.

Email tracking is used by individuals, email marketers, spammers, hackers, cyber criminals and phishers to verify that emails are actually read by recipients, that email addresses are valid, and that the content of emails has made it past spam filters. When used maliciously, it can collect confidential information about businesses and individuals and be used to create more effective phishing schemes. Most likely, email tracking was employed in a spear phishing attack on Sony Pictures to learn what kind of environment they had inside their network, and then to attack them with a Remote Access Trojan (RAT) through email.

There are dozens of email tracking companies and software packages to choose from, with leading companies including iContact, Constant Contact, DidTheyReadIt, GetResponse, ActiveCampaign, Interspire, GetNotify, mxHero, Litmus and Yesware, and so many more. Now anyone can afford email tracking because most sites offer either a limited free account or a free trial. On the limited free accounts you can only send so many tracking emails each day, but they are completely free. Others offer a trial period, such as a 7-day free trial.

Is Email Tracking Creepware?

Email tracking can be considered #CREEPWARE because, if you don't inform the recipient of your privacy policy, they may not know they are being eavesdropped upon. On the other hand, for business purposes the argument is that you don't have to send a follow-up email and annoy someone to see if they opened or read your email. The business argument is that you will learn how to communicate better with your customers.

What other ways are we being tracked?

Email tracking is only a part of the tracking process. Most folks have smartphones with apps that track them in even creepier ways every day. Companies that want to track you will use your email and your apps on smartphones and tablets, and search engines and social media sites like Facebook will continue to expand their invasive eavesdropping on our behavior. The fact that email tracking is free and easy for anyone to try out and use means it will probably continue to grow as another tracking arrow in the marketing or creepware quiver.

Beyond normal marketers, spammers, hackers, cyber criminals and phishers, some folks, including spouses, might use this method to make sure their spouse is where they say they are, and some companies, including HP, have used it to make sure board members weren't leaking information to the press or Wall Street analysts. Even investigators, attorneys, skip tracers for debtor or fugitive tracking, and collection companies are using this tool to track people down.

Most people don't realize how our emails are being tracked. They simply open their emails, read them, ignore them or delete them, and move on to the next email. Most people don't have anti-spam technology enabled, and many of these emails get past spam and antivirus filters. I think it's creepy for folks to use email tracking, even if it passes legal muster, without informing the recipient at the bottom of each of these emails and offering them an opt-out option. Privacy is good for business, and job seekers should also show they respect the privacy of the recipient, especially someone who might consider hiring them. It is alarming if a predator, stalker, spouse or ex-spouse uses email to track you for their own creepy reasons.

While Spear Phishing is Illegal, is Email Tracking Legal?

It is legal to track email. There are rules about spam, and there are rules about bugging and eavesdropping on conversations, but not about tracking email. It's always best to disclose that you're using tracking tools to make sure the email gets to the right recipient, and so that you won't have to bother them to see if they received and opened it.

However, here's where it gets really creepy. Imagine a stalker trying to find out where you live. If you opened their email, they could start to collect geolocation information on you, as well as the 'fingerprint' of your computer and/or email client. This is the first part of a smarter attack known as spear phishing: they might use this to find the right malware to attack your operating system, email client or web client and install a RAT, a remote access Trojan, which is even creepier software that watches you through your webcam and listens to you through your microphone.

If you want to legally and legitimately use email tracking for marketing or other purposes, I recommend that folks put together a very positive and honest privacy policy or privacy statement at the bottom of these tracking emails, so the recipients don't become victims.

How can you tell it’s a Spear Phishing or Email Tracking Attack?

The tracker is usually an invisible picture, so if an email doesn't look like it contains a picture, turning off the automatic 'display images' setting gives you the first hint. If you simply use TEXT-only mode to read your emails instead of HTML, you'll know right away. If there's an attachment you were not expecting, or if it seems 'fishy', it's probably a spear phishing attack. If you find a tiny white graphic that's one pixel in size, it's usually an email tracking attack. Spear phishing attacks may also use this technology, but they haven't in the past because it tips off the victim.

Defending Against Both Spear Phishing and Email Tracking Attacks

What is the simplest thing you can do to defend against this kind of attack? Change your email client settings to display only TEXT instead of HTML emails. When the email arrives it might not look as pretty, but you can still read it. If the entire email is a picture, you know it's spam or email tracking. You won't enjoy missing the pretty colors, HTML hyperlinks, graphics and attachments, but simple TEXT-ONLY email is the answer. You simply cannot be victimized if you only read the text portion of the email message. That means an email client or special plug-in that renders the email as text only. The good news on major email clients such as Microsoft® Outlook is that all you have to do is change your security settings, and you can make sure all hyperlinks are turned into text, all emails are read as text only and attachments are rejected.
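To make the two points above concrete (the one-pixel web bug as the tell-tale, and text-only reading as the defense), here is an added Python example that is not part of the original article. It parses a constructed multipart/alternative message, returns only its text/plain part the way a text-only client would, and reports the remote 1x1 or hidden images in the HTML part it skipped; every domain and address in the sample is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample (not from the article); every domain is a placeholder.
SAMPLE = b"""\
From: "Accounts" <billing@example.test>
Subject: Invoice attached
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the attached invoice.</p>
<img src="https://track.example.test/open?id=abc123" width="1" height="1">
<img src="https://img.example.test/logo.png" width="200" height="60" alt="logo">
</body></html>
--b1--
"""

IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")

def find_web_beacons(html: str) -> list[str]:
    """src URLs of remote <img> tags that are 0/1 px in a dimension or display:none."""
    beacons = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images are embedded and cannot phone home
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in tag.replace(" ", "").lower()
        if tiny or hidden:
            beacons.append(src)
    return beacons

def text_only_view(raw: bytes) -> tuple[str, list[str]]:
    """Read the mail as a text-only client would: keep text/plain, skip HTML,
    and report the beacons that the skipped HTML part would have fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    text = plain.get_content().strip() if plain else "(no text/plain part)"
    beacons = find_web_beacons(html.get_content()) if html else []
    return text, beacons
```

Run `text_only_view(SAMPLE)` on the sample: the logo image is left alone, while the 1x1 tracker URL is reported even though it was never fetched, which is exactly what a text-only client buys you.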

This may start out making your day difficult, where you would then ask folks to send you attachments in a different fashion, but then you know it's really from them. For example, unless and until DropBox, FilesAnywhere, Box or similar services get hacked (which does happen from time to time, so be aware and stay vigilant), you can tell all your friends, coworkers and business associates that you only accept attachments through a DropBox-type service. I wouldn't recommend using Apple iCloud, Amazon Cloud, Microsoft Cloud Drive or Google Cloud Drive, as they are targeted by hackers daily. Look for a less well-known service that offers encryption and stronger guarantees. Then, when someone is going to send you a file, tell them: don't use email, send it to this link (you provide them a way into your DropBox). Before opening any of these attachments, download them and run them through your favorite antivirus scanner. If you are serious about security, run them through one of these:

  • http://www.virustotal.com, which runs over 40 different antivirus scanners on your uploaded file to determine whether it's malware.
  • https://www.metascan-online.com/, which currently has 42 different antivirus scanners and, like VirusTotal, will accept file uploads of over 100 MB if need be, to scan them for malware.
  • http://virusscan.jotti.org/en, which has been around for a while, only accepts uploads of up to 25 MB, and quickly runs them through about 22 antivirus scanners to check for malware.

It's time we treat privacy respectfully. It's good for people and for businesses to respect others' right to privacy. If you want to track an email, tell the recipients you are using email tracking technology. Sure, it can be in a 4-point font at the bottom of the email, but at least you're being honest about it. And for folks worried about their privacy, only receive emails in a TEXT viewing mode and you'll be safe. Consider this one more lesson we've learned from the Sony Pictures Entertainment breach.

Getting More Proactive and One Step Ahead of the Next Threat

As I said recently on BNN in Canada (see: http://www.bnn.ca/News/2015/1/24/How-businesses-can-neutralize-cyber-security-threats-in-2015.aspx, in a segment entitled Go Phish: The Rise of Hacking – Part Three), the biggest threats we face this year are:

  • Spear phishing (targeted email) attacks
  • Remote Access Trojans (RATs) which are used to control a computer in another location
  • Mobile Devices loaded with eavesdropping malware in the form of trusted and free apps

It's time consumers, small offices/home offices (SOHOs) and small to medium-sized businesses (SMBs), as well as large enterprises, get more proactive and assume they already have vulnerabilities and malware. Start with:

  • Training employees better
  • Hardening systems
  • Detecting and removing RATs
  • Deploying full disk encryption and real-time backups
  • Defending against phishing attacks
  • Managing the BYOD (Bring Your Own Device) dilemma

If you're an SMB or enterprise, you should take the following steps right away, before you become the next victim:

  • Educate employees against social engineering and phishing attacks.
  • Make sure you encrypt computers, hard drives, databases and all the data.
  • Make sure you enforce better password management policies.
  • Run and test frequent backups and disaster recovery plans.
  • Create and manage corporate security policies around the standards such as ISO 27001 or COBIT.

About The Author


Gary Miliefsky is the CEO of SnoopWall and inventor of the company’s new Counterveillance technology. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine and the cover story author and regular contributor to Hakin9 Magazine. He also founded NetClarity, Inc., an internal intrusion defense company, based on a patented technology he invented. He is a member of ISC2.org, CISSP® and Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. He also advised the National Infrastructure Advisory Council (NIAC) which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), serves on the advisory board of MITRE on the CVE Program (http://CVE.mitre.org) and is a founding Board member of the National Information Security Group (http://www.NAISG.org). Email him at: [email protected]


