Tracking pixels can conduct surveillance for targeted attacks
Malicious hackers can use tracking pixels to help them gather intelligence for attack campaigns, both mass and targeted in scope.
Digital marketing firms have long used tracking pixels (longer than they've been using the Battery Status API, at least) to analyze email and web marketing campaigns. These pixels are image files that are usually just one pixel in size, a design which prevents users from noticing them in most cases.
With code as simple as <img src="http://example.com/cgi-bin/program?e=email-address">, the marketing tools ping a website whenever someone downloads an image.
Tracking pixels can do more than just provide notice of someone engaging with a media file. They can also gather information about a user including their IP address, operating system, web browser and send it to a designated email address. The operator of that address can then use that information to fine-tune an advertising campaign.
Unfortunately, tracking pixels don't just help advertisers. Attackers can also abuse them to carry out malicious campaigns.
Donald Meyer of Check Point elaborates on this misuse of tracking pixels in a blog post:
More: https://www.grahamcluley.com/tracking-pixels-can-conduct-surveillance-target...
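An added example, not part of the original post or the linked article: a small audit that lists every image in an HTML mail body that would trigger a remote fetch if rendered, and notes why each one looks like a tracking pixel. The sample message, hosts and parameter values are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}

class ImageAudit(HTMLParser):
    """Record every <img> whose src names a remote host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if not url.netloc:
            return  # cid:/data: images are embedded; relative paths name no other host
        reasons = []
        if a.get("width") in TINY or a.get("height") in TINY:
            reasons.append("tiny dimensions")
        if HIDDEN_RE.search(a.get("style", "")):
            reasons.append("hidden by style")
        # parse_qsl percent-decodes values, so e=alice%40example.org is caught too
        if any(EMAIL_RE.search(v) for _, v in parse_qsl(url.query)):
            reasons.append("email address in query string")
        self.findings.append({"host": url.hostname, "url": a["src"], "reasons": reasons})

def audit_html(html):
    """Return one finding per remote image; an empty reasons list is still a remote fetch."""
    parser = ImageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body (not taken from any real message).
SAMPLE = """<html><body><p>Spring sale!</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://cdn.example.net/banner.png" width="600" height="120">
<img src="http://example.com/cgi-bin/program?e=alice%40example.org" width="1" height="1">
<img src="https://t.example.net/o.gif?id=7f3a" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f["host"], f["reasons"] or ["remote fetch only"])
```

Even the banner with no tracker markers reveals the reader's IP address and client headers to its host once fetched, which is why the audit reports it as well.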
On 04/18/2017 05:26 PM, Mirimir wrote:
On 04/18/2017 12:38 PM, Razer wrote:
Malicious hackers can use tracking pixels to help them gather intelligence for attack campaigns, both mass and targeted in scope.
<SNIP>
Well, prudent folk don't render HTML, or download embedded stuff :)
I haven't seen one of these in many moons. Decently designed mail readers that render HTML do not pull in remote content unless expressly directed to. "Normal" website based trackers use Javascript; it is transparent to the (naive) user and can harvest a much more detailed profile of the viewer's browser than that volunteered by HTTP request headers.

Javascript filters that block calls for offsite scripts and halt execution of scripts embedded in HTML cover most of the JS surveillance vector. I do occasionally dissect web pages to see what they're made of, with special attention to spyware, but I have never seen a 1px "web bug" (yes, they have a name) in an HTML document. Not to say they can't be used, but as far as I can tell they rarely are.

An option to block all 3rd party image content by default would be a good addition to a tool like NoScript. Many users would be shocked - SHOCKED, I TELL YA! - to learn how often they are visiting Cloudflare, Amazon, and image hosting sites like Photobucket or Imageshack while viewing "independent, owner operated" websites.

:o)
With Firefox and its kin (Cyberfox, and possibly PaleMoon), RequestPolicy will do that. I've seen sites that have as many as 20-30 different content providers for all sorts of things that are exposed by RequestPolicy. No such beast for Chrome that I've been able to detect. Unfortunately, RequestPolicy isn't compatible with the new-ish multiprocess capability in FF/CF.

Kurt

On Tue, Apr 18, 2017 at 4:08 PM, Steve Kinney <admin@pilobilus.net> wrote:
On 04/18/2017 05:26 PM, Mirimir wrote:
On 04/18/2017 12:38 PM, Razer wrote:
Malicious hackers can use tracking pixels to help them gather intelligence for attack campaigns, both mass and targeted in scope.
<SNIP>
Well, prudent folk don't render HTML, or download embedded stuff :)
I haven't seen one of these in many moons. Decently designed mail readers that render HTML do not pull in remote content unless expressly directed to. "Normal" website based trackers use Javascript; it is transparent to the (naive) user and can harvest a much more detailed profile of the viewer's browser than that volunteered by HTTP request headers.
Javascript filters that block calls for offsite scripts and halt execution of scripts embedded in HTML cover most of the JS surveillance vector. I do occasionally dissect web pages to see what they're made of, with special attention to spyware, but I have never seen a 1px "web bug" (yes, they have a name) in an HTML document. Not to say they can't be used, but as far as I can tell they rarely are.
An option to block all 3rd party image content by default would be a good addition to a tool like NoScript. Many users would be shocked - SHOCKED, I TELL YA! - to learn how often they are visiting Cloudflare, Amazon, and image hosting sites like Photobucket or Imageshack while viewing "independent, owner operated" websites.
:o)
participants (4)
- Kurt Buff
- Mirimir
- Razer
- Steve Kinney