Ropemaker Allows Attackers to Change the Content of an Email—After It's Delivered

  • 22 August 2017

22nd August 2017 by Tara Seals
 
A new email exploit, dubbed Ropemaker, allows a malicious actor to edit the content in an email—after it’s been delivered to the recipient and made it through the necessary filters.
 
For instance, an attacker could swap a benign URL with a malicious one in an email already delivered to an inbox, or edit any text in the body of an email whenever they want—all without direct access to that inbox.
 
First uncovered by Mimecast’s research team, a successful exploit could even undermine those that use SMIME or PGP for signing. 
 
Full Article.

4 replies

Oh that sounds nasty. 
@ wrote:
Oh that sounds nasty. 
That it does, Drew. I would call it just plain evil.
Martijn Grooten on Aug 28, 2017
 
Researchers at Mimecast have published details (pdf) of an email exploit they call 'ROPEMAKER' (short for 'Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky'), which allows an email sender with malicious intentions to modify the appearance of an email after it has been delivered.
 
The idea is rather simple: a lot of emails use CSS, and it is not uncommon for part of the stylesheet to be loaded from an external source. This external CSS can then be modified post-delivery to change the email as it appears to the user, for example by hiding one ('good') link and making another ('bad') link visible, or more complex variants of this technique.
 
Although Mimecast says the technique doesn't work on any of the major webmail providers, it does work in Microsoft Outlook, Apple Mail and Mozilla Thunderbird; I was easily able to reproduce the technique in the latter case.
 
Full Article.
Again, this thing is NASTY. Ugh. 
