Pixel tracking used for mapping internal networks, detecting the efficiency of phishing and spear-phishing campaigns

Sep 9, 2016 21:30 GMT

Pixel tracking, a technique often used by email marketing platforms, has made its way into the arsenal of hacking tricks used by threat actors to probe and map a company's internal network.

The technique of "pixel tracking" refers to embedding a 1x1 pixel image, hosted on the sender's server, at the end of emails. As email recipients open the email or forward it to colleagues, the email client loads the image, making a request to the sender's server, which logs the data and uses it for email marketing analytics.

The technique is very efficient because some email clients, especially Web clients, will automatically load images when opening an email.

Most desktop email applications block this operation, but users will allow the images to load, thinking there's a bigger photo somewhere in the email they'll need to view.

Pixel tracking used for network mapping

Hackers have discovered that they can also implement pixel tracking in emails they send to a target they want to compromise, or with phishing emails if they want to determine their efficiency.

While the latter use scenario makes sense, since writing phishing emails is an art in itself and a lot of fine-tuning is needed, pixel tracking can be more deadly when used to map internal networks.

An attacker could craft an email and send it to the company's generic contact email address, asking its recipient to kindly forward it to the IT department, the financial department, and so on.

As the email reaches the proper person, the hacker records details about the PCs and IPs of each department, creating a map of computers most likely to hold sensitive information.

Pixel tracking is more useful than you think

In a subsequent breach, the hacker would know exactly what to target, and avoid wasting time sitting idly on the compromised network and watching traffic to detect packet flows, network structure, and the appropriate computer holding desired data. The less time an attacker spends in a victim's network, the fewer the chances of getting caught.

"Simple pixel tracking may not cause a direct breach, but should raise suspicion as it may mean that someone is trying to find out more information about your network," Neta Oren, security analyst for Check Point, explains.

"To stay protected, simply turn off automatic image loading in your email preferences. There are also web extensions you can install that will warn you if your pixels are being tracked or will block them altogether."

Two such extensions are the UglyEmail and PixelBlock Chrome extensions for Gmail. Outlook and Thunderbird prevent desktop users from automatically opening images via their default configuration.

Below is a phishing email that contains a pixel tracker, received by one of Check Point's customers.

Pixel tracker embedded inside an email