The RopeMaker Exploit Can CHANGE An Already Delivered Email

Our friends at Mimecast are warning against something scary! This is a sobering example of why scanners and filters will always be behind in the security arms race...

They wrote: "Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast's research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use S/MIME or PGP for signing." The attack works by remotely altering cascading style sheets (CSS) in HTML emails.

Using the ROPEMAKER exploit, a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

"Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one's applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.

Changing this:

[Screenshot: Ropemaker Exploit Screen One - Courtesy Mimecast]

Into this, post-delivery (without having direct access to the user’s desktop):

[Screenshot: Ropemaker Exploit Screen Two - Courtesy Mimecast]

To date, Mimecast has not seen ROPEMAKER exploited in the wild.  We have, however, shown it to work on most popular email clients and online email services.  Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them.  However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? For sure, attackers don't care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry let's work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!" Cross-posted with grateful acknowledgement to Mimecast.

What To Do About It
Turn off HTML in email? Not a chance. However, SANS commented: "It applies only to desktop email clients; it fails on browser-based email clients as they strip out header tags required by this exploit." To some degree that is contrary to what Mimecast claimed, since they said they saw this working on online mail services. SANS also suggested that a network filter could be added to block remote CSS downloads by email clients.
The exploit doesn't work on browser-based clients such as Gmail, Outlook Web Access, or iCloud, but Mimecast warns that both the desktop and mobile versions of Microsoft Outlook, the desktop and mobile versions of Apple Mail, and Mozilla's Thunderbird could fall victim to ROPEMAKER.

Apple Mail has a user setting that allows email users to block automatic loading of a remote resource, such as a remotely hosted CSS file, he says. But few are likely using it.
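Both mitigations above come down to the same control: do not let the mail client fetch a stylesheet from a remote host after delivery. The check below is an added example, not code from Mimecast or its advisory; it scans the text/html parts of a message for `<link rel="stylesheet">` tags and `@import` rules that point at an external URL, so a gateway can flag them or strip them before the message reaches the inbox. The sample message, the `example.test` hostnames and the function names are all constructed for the illustration.

```python
import email
import re
from email import policy

# Two ways an HTML email can pull style from a remote host at render time:
# a <link rel="stylesheet" href="http://..."> tag, or an @import inside <style>.
LINK_TAG_RE = re.compile(r'<link\b[^>]*\brel\s*=\s*["\']?\s*stylesheet\b[^>]*>', re.I)
HREF_RE = re.compile(r'\bhref\s*=\s*["\']?\s*((?:https?:)?//[^"\'\s>]+)', re.I)
IMPORT_URL_RE = re.compile(
    r'@import\s+(?:url\()?\s*["\']?\s*((?:https?:)?//[^"\')\s;]+)', re.I)
IMPORT_RULE_RE = re.compile(r'@import\b[^;]*;?', re.I)

def find_remote_css(html):
    """Return the remote CSS URLs this HTML would fetch when it is displayed."""
    urls = []
    for tag in LINK_TAG_RE.findall(html):
        m = HREF_RE.search(tag)
        if m:
            urls.append(m.group(1))
    urls.extend(IMPORT_URL_RE.findall(html))
    return urls

def strip_remote_css(html):
    """Drop remote stylesheet links and @import rules, so the rendering is fixed
    at delivery time and cannot be changed later from a server the sender controls."""
    return IMPORT_RULE_RE.sub('', LINK_TAG_RE.sub('', html))

def scan_message(raw):
    """Walk a raw RFC 5322 message and collect remote CSS URLs from every
    text/html part; inline styles and self-contained <style> blocks are left alone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            urls.extend(find_remote_css(part.get_content()))
    return urls

# Constructed sample (not from the advisory): one remote <link> and one @import.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://css.example.test/a.css">
<style>@import url("https://css.example.test/b.css"); p { color: #000; }</style>
</head><body><p>Please review the attached invoice.</p></body></html>
"""
SAMPLE = (b"From: sender@example.com\nTo: user@example.com\n"
          b"Subject: constructed sample\nMIME-Version: 1.0\n"
          b'Content-Type: text/html; charset="us-ascii"\n\n' + SAMPLE_HTML.encode())

if __name__ == '__main__':
    for url in scan_message(SAMPLE):
        print('remote CSS reference found:', url)
```

A message whose styling is entirely inline or in a self-contained `<style>` block produces no hits, which is the state a gateway wants every delivered message to be in.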

The problem is that Mimecast showed in great detail how this exploit works, so you can expect the bad guys to jump on this immediately. Mimecast has shared its research privately with all of the primary email client vendors, but so far not one of them has acknowledged ROPEMAKER as a vulnerability or exploit.

The longer-term fix would involve a revision of internet standards and more intelligent security controls at the network and the endpoint, according to Mimecast.

Read more in:
- ROPEMAKER Attack Turns Benign Emails Hostile Post-Delivery
- Ropemaker Exploit Allows for Changing of Email Post-Delivery
- Did ROPEMAKER just unravel email security? Nah, it's likely a feature
- Money for old rope? Ropemaker changes your emails AFTER delivery
- Ropemaker Email Exploit Exposes Desktop Clients to Security Risks
- ROPEMAKER Lets Attackers Change Your Emails After Delivery

Exploits like this are an excellent argument for new-school security awareness training, which makes the end-user more aware of potential red flags in email and makes them Stop, Look, and Think before they click. 

For instance, KnowBe4's integrated training and phishing platform allows you to send fully simulated HTML phishing attacks so you can see which users answer the emails and/or click on links in them or open infected attachments.

See it for yourself and get a live, one-on-one demo.
