Pierluigi Paganini
August 24, 2017
“So what is ROPEMAKER?
The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email. ” explained Mimecast’s Senior Product Marketing Manager Matthew Gardiner.
The ROPEMAKER attack leveraged on the fact that CSS is stored remotely, so an attacker can change the content of an email through remotely changes to the desired ‘CSS ‘ used for the content of the email that is presented to the user.
The Ropemaker attack could be exploited in various ways, for instance, attackers could replace an URL that points to a legitimate website by a malicious one that redirects the user to a compromised site or to a phishing website.
Another attack scenario was dubbed by Mimecast “Matrix Exploit,” it sees attackers writing a matrix of text in an email and then use the remote CSS to selectively control what is displayed. With this trick, the attacker can display any text in the content of the email, including malicious URLs.
This form of ROPEMAKER attack is very harder to detect because the email received by the victim does not display any URL.
“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” reads the report on the ROPEMAKER attack. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”
Experts don’t exclude the attack is “being used somewhere outside the view of Mimecast.”
The Mimecast experts explained that web-based email clients like Gmail, iCloud and Outlook aren’t affected by Ropemaker-style CSS exploits, while email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – ROPEMAKER attack, hacking)
[adrotate banner=”13″]
