How an Attacker Can Use ROPEMAKER Technique to Exploit Your Email

Email Exploit Main

How an Attacker Can Use ROPEMAKER Technique to Exploit Your Email

Do you think that the contents of an e-mail can not be changed after delivery? If you are interested in the issue of information security, you should learn about the attack method, which researchers from Mimecast called ROPEMAKER.

The acronym ROPEMAKER stands for “Remotely Originated Post-delivery Email
Manipulation Attacks Keeping Email Risky”. 

  • In fact, ROPEMAKER is a type of hacker attack via email, discovered by Francisco Ribeiro (@blackthorne) from Mimecast. This exploit can allow an attacker to remotely modify the contents of an email message at any time after delivery. Is ROPEMAKER a vulnerability that needs to be fixed to protect common users? We hope that this article will help answer this question.
  • By origin, ROPEMAKER lies at the intersection of e-mail and web technologies, such as HTML and CSS. Although the use of these web technologies made the email visually more attractive and dynamic compared to its predecessor, based solely on the text, it also led to the emergence of a new email attack vector. People usually expect that the content of web pages will be dynamic and can change instantly, but do not expect it from letters. Thus, ROPEMAKER is another potential attack vector that can be used by attackers to spread, for example, extortion viruses.

Fundamentally ROPEMAKER exists because two resources that are located remotely from each other but connected through a network can interact so that one of them will affect the execution of the other. When using Web content, deleted data can be retrieved without direct management by the local user. With the appropriate security settings, this happens automatically, and in most cases, is the expected and desired user functionality. An excellent example is the use of remote style sheets (CSS).

CSS is the cornerstone technology used by most websites to create visually appealing web pages. ROPEMAKER uses the fact that CSS allows you to separate the appearance of the appearance and the content itself. It is important to note that with certain security settings, many mail clients can use the CSS file locally or remotely over the network. And, of course, the key to this exploit in terms of security is that some of the system elements used are in an unreliable zone. And instead of controlling only the appearance of email, deleted CSS can actually change the contents of the email.

How can attackers use ROPEMAKER in cyber attacks?

Imagine that a cyber criminal with malicious intent sends to his alleged victim an HTML-based email with CSS located on a remote server. ROPEMAKER will work as long as the e-mail client automatically connects to the remote server to get the desired “style” for writing.

For example, an attacker could replace the mapping of a “good” URL with a “bad” URL by modifying the remote CSS code. Also, he can turn the text into a “bad” URL or change the content of the delivered letter, which will affect the meaning of the transaction, by replacing “yes” with “no” or “1 dollar” with “1 million dollars”.

Switch Exploit

In the first example, which researchers call “Switch“, a good URL in the email is later “switched” by the attacker in the same message to a bad URL. Everything looks good in Figure 1. But after editing the deleted CSS, the letter gets a new “style” (Figure 2).

Email Exploit 1
Figure 1
Email Exploit 2
Figure 2
Email Exploit 3
Remote CSS that switches the style for displaying the “bad” URL in this example.
Email Exploit 4
HTML-letter with a call to remote CSS.

Both URLs are sent in the source email and, thus, a solution to the problem in checking the “Good” and “Bad” URLs before the user is allowed to go to them. Organizations that do not use malicious URL blocking by security systems will be exposed to similar threats.

Matrix Exploit

Matrix Exploit is more sophisticated. Inside the email contains the matrix of all ASCII characters for each letter. Using CSS display rules, an attacker can selectively change the visibility of each letter and, thus, recreate the desired text in the letter at any time.

For example, an attack can start with an empty letter, as shown in Figure 5. And relatively simple manipulations in a remote CSS file can change the contents. As a result, the user will see what is in Figure 6.

Email Exploit 5
Figure 5
Email Exploit 6
Figure 6
  • Matrix Exploit is more dangerous because the message itself is just text without any URLs or other content that can be detected on delivery (although a relatively large number of HTML tags and message size can serve as a signal). However, once the remote CSS is applied to selectively display text and URLs, the email client will display a clickable link (for example, Apple Mail), or at least contain text with a URL. Thus, a trusting user can easily copy and use it in the browser.
  • Microsoft Outlook, for example, can be configured to warn before automatically loading external resources. But how many users simply reject the warning or disable the setting? From the users’ point of view, if part of the message looks good, why not get the rest of the message?

Since the URL is displayed after delivery, the email security gateway can not locate and check the malicious URL, because it is not available at the time of delivery. This requires the interpretation of CSS files, and this goes beyond the functionality of existing e-mail security systems.

Email Exploit 7
How does the display text change when using Matrix Exploit.
  • It is important to note that the code block as in the figure above represents the ability to display only one position in the matrix of displayed symbols and, therefore, it must be repeated for all positions in the supposed letter. Thus, a relatively large letter will be required to display a relatively short message.

Disclosure of ROPEMAKER

At the end of 2016, Mimecast notified the main suppliers of email clients, in particular, Apple and Microsoft.

Most recently, Mimecast received a response from Apple:

The solution is provided at the user level and thus is under its control, which adds risks. Do users really understand the potential threats to information security? In addition, iOS does not have the same options in the settings. The only response from Microsoft described ROPEMAKER as “not a vulnerability”.

And what is your opinion?