Meet Ropemaker – the most dangerous email hack today


Security experts are warning of a new, easily executed email hack that is allowing cybercriminals to turn seemingly innocent emails into something malicious after they have been delivered to email inboxes.


Known as ‘Ropemaker’ (an acronym for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the hack was discovered by researcher Francisco Ribeiro at cloud security firm Mimecast.


An effective Ropemaker attack allows hackers to remotely amend the content of an email sent by the hackers themselves, for example by switching a URL contained within the email with a malicious one.


Scarily, this can be done even after the email has made it through all spam and security filters and been successfully delivered to the recipient. As Ropemaker does not require direct access to a recipient’s computer or email application, it is exposing millions of desktop email client users to its devastating potential.


How Ropemaker works


Ropemaker works by interfering with Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) – critical elements of how information is presented on the Internet.


Because the CSS is stored remotely, researchers warn that attackers can also remotely alter the content of an email and make it look a certain way, while the recipient, even the most tech-savvy user, remains unaware that a change has been made.


In terms of how destructive a Ropemaker attack is, researchers claim that it is wholly dependent on the creativity and spite of the hacker.


For example, a common approach has been for hackers to switch the URL of a genuine website for a malicious one that brings users to a compromised site, which infects their machine with malware or steals sensitive data, such as banking details.


Though some systems are able to detect URL switches and block users from opening the malicious link, users whose systems lack this capability are left exposed.


Enter the Matrix


Another form of Ropemaker attack, known as a ‘Matrix Exploit’, is altogether more sophisticated than the ‘Switch Exploit’, and therefore much more difficult to detect and guard against.


In a Matrix Exploit attack, hackers write a matrix of text in an email then use the remote CSS to control what is displayed. This allows the hacker to pretty much do what they want, including inserting malicious URLs into the body of the email. What makes a Matrix Exploit attack so difficult to defend against is that the initial email received does not display any URL. This means it bypasses most software systems.


To protect yourself from a Matrix Exploit attack, it is recommended that you use web-based email clients such as Gmail, iCloud and Outlook, which appear to be resistant to Ropemaker-style CSS exploits.


Email clients like the desktop and mobile versions of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird, on the other hand, remain, as yet, vulnerable to Ropemaker.


Anthony McNamara
