The subject of image tracking (or, in some cases, pixel tracking) has been getting a lot of attention in recent months. Image tracking (or picture tracking, as it is sometimes called) isn’t anything new. It has been used in email campaigns for what seems like forever. The question, however, is whether this type of tracking is as harmless as it may initially seem.
What is image tracking?
Image tracking seems to have been created by online retailers as a tool for helping to gauge the effectiveness of their marketing efforts. Like me, I’m sure that you probably get inundated with marketing spam every single day. For instance, a few years back I purchased a team jersey as a gift for a friend who is obsessed with that particular sports team. To this day, I get spam on almost a daily basis trying to sell me additional products.
Regardless of how many advertisements a retailer might send out through email though, retailers recognize that only a tiny percentage of the recipients will click a link within an advertisement.
Retailers figured out long ago that they could make each link within an ad campaign unique, thereby allowing them to figure out who clicked on a link, and which campaign the link was a part of. However, retailers aren’t just interested in figuring out who is clicking on links, but also who is looking at their advertisements. That being the case, many email advertisements include pictures. The download links for these pictures are designed to be unique, in the same way that clickable links within an advertisement are also unique. That way, when someone opens an advertisement and their mail client downloads the pictures within the advertisement, the retailer will be able to tell that the person opened the advertisement. I’m not saying that every retailer uses this approach, but the practice is extremely common.
Is image tracking dangerous?
On the surface, image tracking would seem to be one of those things that might be considered annoying, but harmless. After all, the simple act of downloading a picture should not pose any kind of immediate threat. And even if a retailer does use image tracking, the image tracking software typically just associates the download link with an email address in a database so that the retailer will have a way of knowing who their most likely customers are. The worst thing that typically happens is that a retailer will send an ever-increasing volume of spam to those people that have been identified as the most likely potential customers.
The problem with image tracking, however, is that the practice is starting to be adopted by scammers who engage in phishing schemes. And while this type of tracking might not pose an immediate threat, I certainly would not consider it to be harmless. Let me explain why.
One of the things that scammers have begun doing is constructing phishing email messages in a way that downloads an image that consists only of a single pixel. This pixel is often white so that it blends in with the background and goes completely unnoticed. Like those pictures that are used in retail advertisements, the download link used to download the pixel is designed to be unique, thereby allowing the scammer to figure out which email recipient opened their message. Several things can occur as a result of this pixel being downloaded.
First, and perhaps most disturbing, the simple act of downloading a graphic image consisting of only a single pixel can provide the scammer with a surprising amount of information about the recipient’s computing device. This is especially true if the recipient happens to be using a browser-based mail client.
When a browser-based mail client downloads a picture (even if that picture consists of a single pixel) it sends a user agent string to the website that the picture is being downloaded from. This user agent string provides a wealth of information about the browser and the device that it is running on. The screen capture below shows some of the information that can be derived from the user agent string (although I have masked my IP address). If you would like to try this for yourself, you can check it out here.
None of the information shown in the screen capture above poses a direct threat to your system. Even so, those who engage in phishing attacks may design future attacks based on the information that they gather in this way. If, for example, someone were creating a phishing attack designed to trick email recipients into clicking on a link that downloads ransomware, it would make little sense for the ransomware module to be designed to attack Linux systems if research has shown that the vast majority of potential victims are running Windows or macOS.
Another thing that can happen as a result of pixel tracking is that those who open a phishing email are more aggressively targeted. Just as online retailers are likely to more heavily market toward people that they know are opening their advertisements, the bad actors are also more likely to heavily target those people that they know open phishing messages.
Consider for a moment that in the past, spammers have been known to sell lists of email addresses that have been proven to be valid, or lists of people who are known to have opened spam. What is to stop a bad actor from creating such a list and selling it to other scammers?
A third consequence of pixel tracking is that it can help bad actors refine their phishing techniques. Imagine for a moment that an attacker is planning on launching a massive phishing campaign to unleash a new type of ransomware. Rather than simply composing a message and sending it to a list of potential victims, it may make more sense for an attacker to compose a variety of harmless phishing messages that use pixel tracking. That way, the attacker can gauge which types of messages are the most likely to be opened by the recipient. By using this type of technique, the attacker can hone their skills and eventually create an optimally effective phishing message.
No direct threat, but ...
So, as you can see, pixel tracking and image tracking do not pose any sort of direct threat. However, pixel tracking can help bad actors gain useful insight into their intended victims, thereby making future attacks potentially more effective.
The most obvious countermeasure to this is the long-standing best practice of not opening messages that you don’t trust. However, there are other things that you can do. Rather than use a browser-based mail client, for example, use a mail client application such as Microsoft Outlook or something similar. The reason for this is that many mail client applications can be configured to stop pictures from being downloaded automatically. This completely neutralizes pixel tracking, unless you choose to manually download the pictures within an email message. If a mail client does not download pictures, then a would-be attacker has no way of knowing that a message has been opened.
Featured image: Shutterstock