Malicious hackers can use tracking pixels to help them gather intelligence for attack campaigns, both mass and targeted in scope.
Digital marketing firms have long used tracking pixels (longer than they've been using the Battery Status API, at least) to analyze email and web marketing campaigns. These pixels are image files that are usually just one pixel in size, a design which prevents users from noticing them in most cases.
With code as simple as <img src=”http://example.com/cgi-bin/program?e=email-address”>, the marketing tools ping a website whenever someone downloads an image.
Tracking pixels can do more than just provide notice of someone engaging with a media file. They can also gather information about a user including their IP address, operating system, web browser and send it to a designated email address. The operator of that address can then use that information to fine-tune an advertising campaign.
Unfortunately, tracking pixels don't just help advertisers. Attackers can also abuse them to carry out malicious campaigns.
Donald Meyer of Check Point elaborates on this misuse of tracking pixels in a blog post:
More: https://www.grahamcluley.com/tracking-pixels-can-conduct-surveillance-target...