Bringing the dynamic capabilities of the web to email sounds great, until you learn that your emails can be changed after they have been delivered, corrupting your records and introducing malicious URLs. The technique, dubbed ROPEMAKER, bypasses common security controls and can fool even sophisticated users.
ROPEMAKER is an acronym for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. A report by Mimecast details how the attack works without the attacker needing direct access to your PC or your email application: emails become changeable post-delivery, under the control of a malicious actor. That is particularly concerning given that email-borne attacks are the most common entry point for attackers.
Discovered by Mimecast's Francisco Ribeiro (@blackthorne), ROPEMAKER enables an attacker to remotely change the (perceived) content of an email at any time after delivery. Whether it is a vulnerability which needs to be patched, or a misuse of an application which needs to be defended against, is up for discussion.
Mimecast has issued a paper which explains the origin of Ropemaker, which is described as laying at the intersection of email and Web technologies, such as HTML, Cascading Style Sheets (CSS), and hypertext. It explains: “While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text based predecessor, this has also introduced an easily exploitable attack vector for email. People commonly expect the content of Web pages to be dynamic - able to change moment-to-moment - but do not expect their email to do so as well. Email in many cases is treated more like a snail mail letter – once sent never changing - whereas Web pages are understood to be more like TV stations with a continuously changing flow of visual, audio, and text content. The techniques behind Ropemaker are thus another potential email-based attack vector that we expect attackers to leverage as they continually evolve from one technique to the next.”
The principle is that web technologies interoperate over a network, so resources housed remotely but linked by a network (including the internet) can interoperate, one affecting the execution of the other. Web content and resources can thus be fetched and referenced without the direct control of the local user, which is usually desirable, as with remote Cascading Style Sheets (CSS). CSS enables the separation of presentation and content, and if the presenting application supports it, a CSS file can be fetched remotely across the network (eg the internet). Part of the system is then controlled from an untrusted zone, and instead of controlling just the style of the email, the remote CSS can actually control which content of the email is displayed.
As an example of malicious use, an attacker could switch the display of an email from a “good” URL to an “evil” URL, or could change the presented content of a delivered email, turning “yes” into “no” or “£1” into “£1 million”.
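The URL switch described above, as an added illustration that is not Mimecast's code or anything from its paper: the delivered HTML carries both links, and a small model of how a client applies a stylesheet shows which one is visible under each version of the remote CSS. The email body, the domains and the `remoteStylesheets` check are all constructed for this example.

```javascript
// Added example: a model of the ROPEMAKER "switch", not code from Mimecast.
// The message and domains below are constructed placeholders.

// An HTML email exactly as stored after delivery. Both links are present in the
// stored message; only the remotely hosted stylesheet decides which is shown.
const EMAIL_HTML = `
<html><head>
  <link rel="stylesheet" href="https://cdn.attacker.example/newsletter.css">
</head><body>
  <p>Your statement is ready.</p>
  <a class="good" href="https://bank.example/login">Log in</a>
  <a class="evil" href="https://badbank.example/login">Log in</a>
</body></html>`;

// Contents of newsletter.css at delivery time, and after the attacker edits it.
// The email itself never changes; the recipient's view does.
const CSS_AT_DELIVERY = `.evil { display: none; }`;
const CSS_AFTER_SWITCH = `.good { display: none; }`;

// Collect class names hidden by rules of the form ".name { ... display: none ... }".
function hiddenClasses(css) {
  const hidden = new Set();
  const rule = /\.([\w-]+)\s*\{[^}]*display\s*:\s*none[^}]*\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) hidden.add(m[1]);
  return hidden;
}

// Return the hrefs of anchors that a client applying `css` would render.
function visibleLinks(html, css) {
  const hidden = hiddenClasses(css);
  const anchor = /<a\b([^>]*)>/g;
  const out = [];
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const cls = /class="([^"]*)"/.exec(m[1]);
    const href = /href="([^"]*)"/.exec(m[1]);
    if (!href) continue;
    const classes = cls ? cls[1].split(/\s+/) : [];
    if (!classes.some((c) => hidden.has(c))) out.push(href[1]);
  }
  return out;
}

// Defensive check: list remote stylesheet references (<link> or @import) in a
// message, so that a gateway or client can block or strip them.
function remoteStylesheets(html) {
  const found = [];
  const link = /<link[^>]*rel="stylesheet"[^>]*href="(https?:\/\/[^"]+)"/gi;
  const imp = /@import\s+(?:url\()?["']?(https?:\/\/[^"')\s]+)/gi;
  let m;
  while ((m = link.exec(html)) !== null) found.push(m[1]);
  while ((m = imp.exec(html)) !== null) found.push(m[1]);
  return found;
}

console.log("at delivery :", visibleLinks(EMAIL_HTML, CSS_AT_DELIVERY));
console.log("after switch:", visibleLinks(EMAIL_HTML, CSS_AFTER_SWITCH));
console.log("remote CSS  :", remoteStylesheets(EMAIL_HTML));
```

The stored message passes any scan run at delivery time, because the “evil” link is already in it and the scanner sees only the HTML; the change is entirely in a file the attacker controls. Refusing to fetch remote stylesheets, or rendering email as plain text, removes the lever.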
Brian Robison, senior director of security technology at Cylance, emailed SC to comment: "This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended. Modern email applications render HTML as if it were a webpage using CSS to make the email “look” nice. This is currently standard practice within every legitimate marketing organisation in the world.
"Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank's website; then the button is actually linked to a different site entirely – like badbank dot com, or something where you are tricked into clicking on that link and exposing your credentials on the “fake” banking site.
"Having pre-execution anti-malware technology in place on endpoints would prevent any malware that was downloaded as part of the phishing attack from executing and doing any damage."