Attackers tend to do painstaking groundwork to engineer business e-mail compromise attacks (BECs). When they pose as someone authorized to transfer funds or send confidential information, their messages need to look as close to legitimate as possible. Details matter.

We recently got our hands on an interesting example of an e-mail sent to a company employee in an attempt to start a conversation.

E-mail written by cybercriminals.

The text is fairly cut and dried for the type of e-mail in question. The attacker makes it clear that the sender is in a meeting, so not available by other means of communication. They do that to discourage the recipient from checking if they are indeed corresponding with the person whose name appears in the signature. Seeing as the attackers did not try to hide the fact that the e-mail was sent from a public e-mail service, they either knew that the person they were imitating used the service or expected that it was normal for the company to use third-party e-mail for business correspondence.

Something else caught our attention, though: the “Sent from my iPhone” signature. That signature is iOS Mail’s default for outgoing messages, yet the technical headers suggest the message was sent through the Web interface, and specifically from the Mozilla browser.

Why did the attackers try to make the e-mail appear to have been sent from an Apple smartphone? The automatic signature might have been added to make the message look respectable. That is not the most elegant of tricks, though. BEC attacks most frequently appear to come from a coworker, and the chances are good that in this case, the recipient knew what type of device that person used.

So, the criminals must have known what they were doing. But how could they? In fact, it is not difficult. All it takes is some reconnaissance using a so-called tracking pixel, also known as a Web beacon.

What a tracking pixel is and why it is used

As a rule, companies that send bulk e-mail to customers, partners, or readers — almost every company, that is — want to know the level of engagement they achieve. In theory, e-mail has a built-in option for sending read receipts, but recipients must consent to its use, which most people do not. So, clever marketing people came up with the tracking pixel.

A tracking pixel is a tiny image. At just one pixel by one pixel, it’s indiscernible to the eye, and it lives on a website, so when an e-mail client application requests the image, the sender who controls the site receives confirmation that the message was opened as well as the IP address of the receiving device, the time when the e-mail was opened and information about the program that was used to open it. Have you ever noticed your e-mail client doesn’t display images until you click a link to download them? That’s not to boost performance or limit traffic. In fact, automatic image downloads are typically turned off by default for security reasons.

How can a cybercriminal take advantage of the tracking pixel?

Here’s one scenario: While traveling abroad, you get a message in your work inbox that looks relevant to your business. As soon as you realize it’s just an unwanted solicitation, you close it and trash it, but in the meantime, the attacker learns:

How can you defuse those insights?

Protecting oneself from tracking is difficult. That does not mean you should make cybercriminals’ lives easier, though. We suggest following these tips:

Both Kaspersky Total Security for Business (Kaspersky Security for Microsoft Exchange Servers, Kaspersky Security for Linux Mail Server and Kaspersky Secure Mail Gateway components) and Kaspersky Security for Microsoft Office 365 include our antispam and antiphishing technology.