Earlier today researchers uncovered a new type of cyber threat that enables cyber criminals to remotely change the content of emails anytime post-delivery. Dubbed ROPEMAKER, the hackers can use this attack to avoid the target organisation’s security controls to deliver malicious emails. For example, a hacker could swap a harmless, non-dangerous URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox. Brian Robison, Senior Director of Security Technology at Cylance commented below.
Brian Robison, Senior Director of Security Technology at Cylance:
“This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended. Modern email applications render HTML as if it were a webpage using CSS to make the email “look” nice. This is currently standard practice within every legitimate marketing organisation in the world.
“Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to different site entirely – like badbank dot com, or something where you are tricked into clicking on that link that and exposing your credentials on the “fake” banking site.
“Having pre-execution anti-malware technology in place on endpoints would prevent any malware that was downloaded as part of the phishing attack from executing and doing any damage.”