How to tell when someone has opened your email

All things related to software development and programming languages.
Ben
Posts: 8
Joined: Sun Feb 28, 2016 11:32 am
Country: South Africa
Firstname: Rupert

How to tell when someone has opened your email

Postby Ben » Mon Sep 26, 2016 12:24 am

But you get the idea, we can now tell them to install whatever we want.


Hey Everyone,

So in light of the recent yahoo hack You can find it here I thought I'd talk about some email hacking.

Let me preface this by saying that the techniques I'm going to talk about should be considered unethical and I suggest against doing them. That said it's sometimes fun to look at the wrong things so that you know how they work and how to combat against them.

So as the title suggests I'm going to talk about how you might tell if someone has read your email and a few extra tricks that logically follow on from this. I will try to keep things as language-agnostic as possible so I will rather talk about the techniques descriptively.

Lets begin!

The first thing we want to do is obviously send our emails. You can do this from any source but you may as well do it from your web server as you will require one to pull this off. They're really cheap these days so it shouldn't be difficult. But don't just send any normal email. Your email needs to include an image.

Why an image Ben? Glad I asked. Well any one who is familiar with the very basics of html will know that when you make an img tag you can provide a url from an alternative web source. This is where we will start being clever. We are going to make a webpage that will ask for an id and then return an image.

Let's pretend we are working with php. Well things are pretty easy then, one can simply make this page:

Code: Select all

<!DOCTYPE html>
<html>
<body>
<?php
 $id = $_GET['id'];
 //save however you want with the id
?>
<img src="the img you want them to see"


Now when we provide the img inside our email we will add on this extra section to the src attribute "theActualImageUrl?id=2"

This is where sending emails from your own server would be pretty helpful as it means you can also provide unique keys for everyone you send out to. This is actually a pretty common technique across advertising agencies to get an idea of how many people engage the emails they send out.

Pretty easy stuff but now we have a lot of power. Because it means when someone simply downloads an image through their emails they're opening up a connection between you and them. And it's pretty much invisible. That's why you'll get a warning about trusted sources before downloading images from an email.

Anyway we're not done. Because as I said, we now have a connection. And that means we have an IP. Well why does the IP matter? Because though it is not precise it gives location. We can now connect our server to a webservice like ip location and track where in the world people are viewing our email. So if I was to say get a massive list of email addresses I could send out emails to everyone and get a rough idea of where they are and when they opened my email. (If you guys want to check me out my IP address is 127.0.0.1)

Image

This is where social engineering comes in. You can add a second phase in your code where it sends an automated response to the people who opened your emails with something a long the lines of "AVG has just discovered you have opened an unsafe email by [location]", please install our protection software as soon as possible. But you get the idea, we can now tell them to install whatever we want. While it may not seem like it would work, but your dad uses the internet if you swing a large enough net it will catch someone. And since the whole process is easy to automate, you will.

This is just one description of how this attack can take place but you can actually get other useful purely analytical information such as what devices they are viewing your email through by using their browsers user agent.

I don't condone any of this but it is interesting to see how such a simple exploit can be used to get masses of data.

Image

Return to “Software Development”

Who is online

Users browsing this forum: No registered users and 1 guest