Web Beacons for Social Engineering Reconnaissance

Most of you have heard about cookies on the internet, but Web Beacons take tracking your browsing habits a step further. Web Beacons (aka: Tracking Pixels, Web Bugs, and Tracking Beacons) are mainly used by marketers to track how well an email, advertisement, or article is being received by their audience.  Usually these 1×1 pixel images are camouflaged in to the background of the email or page, and tell marketers if the audience opened an email or visited a particular page.

blog

Seems Harmless Enough Right?

It’s tempting to think, “Who cares if Amazon knows that I was interested in their upcoming sale?”, or, “I don’t mind if CNN knows I read one of their articles.”  However, it’s not only the content provider’s beacons that you need to worry about.  For example, if you visit a page at CNN that also has a Facebook “Like” button on it, it most likely has its own beacon that phones-home to also let them know you visited that page.  This information can include date, time, IP address, and browser details.  A CNN story I recently read had 19 trackers on one page alone!  So even if you’re not a Facebook or Twitter user, they have a very good idea of what you (or at least your IP address) likes to visit on the Internet.

If You Still Don’t Care, Here’s Why You Should.

Beacons embedded in pages and emails can be used as reconnaissance tools for social engineering attacks.  Besides collecting your IP address and time stamps, these beacons can also report back with your operating system, hostname, and email address.  If an attacker can get you to open an email (via phishing) or convince you to visit a website (via vishing), then these beacons will help provide a technical footprint of your organization.  This also can give a would-be attacker information if an email address is valid, and which users are more likely to fall for phishing and vishing attacks.  Beacons could also be used in-house by your organization to track if emails were forwarded, or who opened a particular document.  In fact, WikiLeaks reports that the CIA is utilizing beacons in web documents to track the dissemination of sensitive documents throughout their organization.

How Do You Minimize Your Exposure to Beacons?

The Electronic Frontier Foundation (EFF) has an excellent browser add-on called Privacy Badger.  Built for Firefox, Opera, and Chrome; If the same third-party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it.”  It’s an easy to use tool, and shows you details about every beacon embedded in the page.

As for emails, make sure your mail client is set to not download images automatically; and always only open emails from trusted senders.  Gmail’s solution to beacons is to serve any incoming images through their servers first.  This means that “opens” will still be tracked, but will only phone-home with Google’s IP address instead of your own.  RedAnt provides a really good technical breakdown of Gmail’s caching process if you’d like to read further.

For Microsoft Office documents, make sure your Trust Center settings are setup to only open documents in Protected View, and only enable macros if you are absolutely sure it is from a trusted source.

For Internet searches, DuckDuckGo provides a tracking free alternative to Google, just be aware that there may still be beacons on the pages you click on from your search.

It is almost impossible to avoid Web Beacons 100%, but the above tools can help minimize the amount of information you’re exposing to corporations and potential attackers.  Happy browsing!

Resources:
https://wikileaks.org/vault7/#Scribbles
https://www.eff.org/deeplinks/2016/12/new-and-improved-privacy-badger-20-here
http://blog.checkpoint.com/2017/04/17/look-files-cloud-looking-back/
https://gmail.googleblog.com/2013/12/images-now-showing.html
https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://duckduckgo.com/
http://redant.com.au/how-we-do/cache-busting-gmail-new-image-caching/

Leave A Reply