Ropemaker exploit changes emails after they have been delivered

Security researchers have discovered a new exploit that could enable hackers to edit the content of an email after it has been delivered.

The hack, dubbed Ropemaker, may be leveraged to turn benign URLs into malicious ones, directing unsuspecting victims to malware.

It could also be exploited to rewrite an email after it has landed in an inbox, presenting a risk to anyone who treats emails as business records.

“The origin of ROPEMAKER lies at the intersection of email and Web technologies, such as HTML, Cascading Style Sheets (CSS), and hypertext,” said Matthew Gardiner of Mimecast, whose researchers discovered the exploit.

“While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.”

Mimecast said Ropemaker has not been spotted in the wild and that browser-based versions of Gmail, Outlook and iCloud are not vulnerable.

But it claims that users of the desktop and mobile versions of the Outlook app, desktop and mobile versions of Apple Mail and Mozilla Thunderbird are at risk.

Gardiner said there are basic security controls that CISOs should worry about before Ropemaker, but added: “This is how attacks evolve. Today’s phishing exploits were cutting edge a few years ago.

“Now they’re pretty much mainstream. So could I see this becoming mainstream? It’s possible if we don’t do something about it.”