Email with tracking pixels
Email with tracking pixels [Source: Check Point]

A simple email marketing trick is also abused by cyber-criminals, who are employing a technique known as "pixel tracking" to gather information on possible targets or to improve the efficiency of phishing attacks.

Pixel tracking is a decades-old email marketing technique that relies on embedding a one-by-one pixel image, usually transparent or of the same color of the email's background.

When a user receives an email containing a pixel tracker, also known as beacon or web bug, unless the user blocks the loading of images inside his emails, the pixel tracker is loaded from the sender's server, letting the advertiser know a user has opened one of its emails. For example, this is how the code of a pixel tracker looks like:

< img width="1" height="1" class="beacon-o" src="[SERVER_URL][TRACKING_CODE]" style="float:left;margin-left:-1px;position:absolute;" >

The tracking code in the image above can be anything from an email marketing campaign ID to the recipient's email address such as "?ref=victim@company.com"

Pixel trackers gather a trove of sensitive information

Like any server, the advertiser's server can be configured to log these image loading requests, allowing the advertiser to learn various details about each user, such as:

  • If the user is using webmail or a dedicated email client
  • The user's email address
  • The user's browser
  • The user's IP address
  • The user's hostname
  • The user's operating system
  • The user's cookie usage settings
  • The date and time at which the email was opened and the pixel tracker loaded, and others.

But these very same details can also fall in the hand of a hacker if he employs the same trick.

Pixel trackers is a valuable reconnaissance tool

For example, an attacker could add a pixel tracker inside an email, send the email to a company's generic contact email, and ask someone to forward that email to a specific person or department.

Doing this multiple times will allow the attacker to create a map of the company's internal network. Add to this the technical data gathered by the pixel tracker, and that map becomes highly accurate, letting the attacker know who and how to target, depending on his IP, OS, and browser details.

But the attack doesn't have to be this targeted. Pixel trackers could also be used in generic phishing campaigns. Data gathered through pixel trackers could reveal a list of users who are more likely to open this kind of emails.

Leveraging information such as browser and OS type, the attacker could update phishing pages or exploit kits to deliver the proper payload for each victim.

Furthermore, if the employees of a company are all using webmail clients, it's quite possible that the company uses a managed cloud service to handle many of its internal operations. An attacker that can identify that cloud platform could find it very easy to hone future attacks around vulnerabilities in that platform.

Blocking pixel trackers is a must

In the past year, Check Point has issued several alerts regarding the usage of pixel tracking in hacking reconnaissance [1, 2].

"So far, tracking pixels have not been found to be the direct cause of any specific security breaches. Rather, their surveillance capabilities are enablers for subsequent attacks against users and infrastructure," says Donald Meyer, Head of Marketing, Data Center and Cloud Security at Check Point. "To counteract this threat it is advisable to deploy email and anti-phishing security controls as part of your cloud-security arsenal."

In addition to enterprise-grade security, users can also employ a few simple tricks, such as the usage of the UglyEmail and PixelBlock Chrome extensions when reading emails through a web interface.

Both Outlook and Thunderbird automatically block the loading of any images via their default configuration, so using a desktop email client somewhat protects users from this attack.

Nonetheless, marketers have been known to trick users into allowing images to load on a per-email basis. They usually do this by including lots of images inside an email, alluding the email has rich content, such as image galleries. When the user allows images to load, they also load the tracking pixel.