Threat Actors Exploit CSS for Evasive Phishing and User Tracking
Discover how threat actors leverage CSS to bypass spam filters and track user behavior. Learn about the latest techniques and mitigation strategies.
TL;DR
Threat actors are using CSS to evade detection and track user behavior, raising significant security and privacy concerns. This article explores the techniques employed and offers mitigation strategies.
Threat Actors Exploit CSS to Bypass Spam Filters and Track User Behavior
Introduction
Threat actors are increasingly exploiting Cascading Style Sheets (CSS) to bypass spam filters and detection engines, as well as to track users’ actions and preferences. This raises significant security and privacy concerns, including potential fingerprinting. Cisco Talos has observed these tactics, highlighting the need for advanced mitigation strategies.
Understanding CSS and Its Role in Web Design
CSS is a stylesheet language used to control the appearance and layout of web pages. It defines styles for HTML elements, including colors, fonts, spacing, and positioning. CSS helps separate content from design, allowing developers to create visually appealing and responsive websites. It also supports animations and themes and works alongside HTML and JavaScript to enhance web experiences.
Abuse of CSS for Evasion and Tracking
Threat actors are exploiting HTML and CSS features to hide content in emails, evading detection. Using CSS properties like text-indent, they conceal phishing text from victims while bypassing security parsers.
- Text indentation: Attackers set the text-indent property to -9999px, moving the text far out of the visible area when the email is opened in an email client.
- Font size: Attackers set the font-size property to an extremely small value, making the text virtually invisible to recipients on most screens.
- Color transparency: Setting the color property to transparent renders text invisible by blending it into the background.
- Opacity: Threat actors may also use the opacity property to hide the relevant portions of the content.
Example of a Phishing Message
The following phishing message impersonates the Blue Cross Blue Shield organization:
A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader. The attacker has set the CSS opacity property to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including color, height, max-height, and max-width. Additionally, the mso-hide property is set to all to make the preheader invisible in Outlook email clients as well. Also note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.
Tracking User Behavior and Fingerprinting
Threat actors can also track user behavior and conduct fingerprinting attacks by using the @media at-rule. Using this trick, they can gather data on recipients’ font and color preferences, language settings, and actions like viewing or printing emails. Spammers can also use CSS properties to fingerprint users, their email clients, and systems by detecting screen size, resolution, and color depth.
Mitigation Strategies
Advanced filtering mechanisms can help detect hidden text salting and content concealment in emails, while analyzing visual characteristics can improve detection of image-based threats. For privacy, email privacy proxies can rewrite emails to enhance security by converting top-level CSS rules into style attributes and embedding remote resources as data URLs, preventing tracking and data exfiltration.
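As an added example (not code from the article or from Cisco Talos), the following Python scanner implements the kind of hidden-text filtering described above, applied to the inline-style concealment tricks listed earlier (opacity, transparent color, off-screen text-indent, tiny font-size, mso-hide, zero height/max-height/max-width). The sample email and the numeric thresholds are constructed assumptions; it only inspects inline style attributes, not <style> blocks.

```python
import re
from html.parser import HTMLParser
# Constructed sample modelled on the hidden preheader and text-indent tricks described above.
SAMPLE_EMAIL = """<html><body>
<div style="opacity:0;color:transparent;max-height:0;mso-hide:all">FOUR yummy soup recipes just for you!</div>
<p style="text-indent:-9999px">salt words a parser sees but the reader does not</p>
<span style="font-size:1px">more salt</span><p>Your statement is ready. Please review it.</p>
</body></html>"""
def _num(value, default=None):
    """Leading number of a CSS value ('-9999px' -> -9999.0), or default if none."""
    m = re.match(r"-?\d+(\.\d+)?", value)
    return float(m.group()) if m else default

def parse_style(style):
    """'a:b; c:d' -> {'a': 'b', 'c': 'd'}, names and values lowercased."""
    pairs = (decl.partition(":") for decl in style.split(";"))
    return {n.strip().lower(): v.strip().lower() for n, sep, v in pairs if sep}

# Inline declarations that conceal text. The numeric thresholds are assumptions, not from the article.
HIDING_CHECKS = [
    ("opacity", lambda v: _num(v) == 0),
    ("color", lambda v: v == "transparent"),
    ("text-indent", lambda v: _num(v, 0) <= -1000),                 # pushed far off-screen
    ("font-size", lambda v: v.endswith("px") and _num(v, 9) <= 2),  # unreadably small
    ("mso-hide", lambda v: v == "all"),                             # Outlook-specific hiding
    *[(d, lambda v: _num(v) == 0) for d in ("height", "max-height", "max-width")],
]

def hiding_reasons(props):
    """Return 'property:value' for every hiding declaration present in props."""
    return [f"{p}:{props[p]}" for p, bad in HIDING_CHECKS if p in props and bad(props[p])]

class HiddenTextFinder(HTMLParser):  # collects text whose enclosing elements carry hiding declarations
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []   # reasons per open element; (reasons, text) hits
    def handle_starttag(self, tag, attrs):
        self.stack.append(hiding_reasons(parse_style(dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text, reasons = data.strip(), [r for frame in self.stack for r in frame]
        if text and reasons:
            self.findings.append((reasons, text))

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.findings   # [(reasons, hidden_text), ...] in document order
```

Running find_hidden_text(SAMPLE_EMAIL) reports the three concealed fragments with the declarations that hide them, while the visible statement line is not flagged; a mail filter can then weigh the hidden text separately from what the recipient actually sees.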
Conclusion
CSS provides functionalities, rules, and properties that could be abused by attackers to evade spam filters and detection engines, as well as to track or fingerprint users and their devices. As such, both the security and privacy of your organization and business are at risk. Implementing advanced filtering mechanisms and email privacy proxies can help mitigate these threats.
Additional Resources
For further insights, check: