Is Your Email Spying On You?

The Harvard Business Review headline grabs your attention: “Traveling for Work? You’re a Prime Target for Hackers.”  How? The story went on to claim that many of our emails now are contaminated with tracking devices – spy tools – that let criminals know where we are, even which hotel, and also our email reading behavior (what times do we read email).  All that information is gold for criminals, said the story’s author, Paul Everton, CEO of MailControl, a company that makes what it calls an anti spymail tool, that is, technology that aims to knock spymail out.

Can this be true?

You bet.  Spymail is not new. A decade ago, Hewlett Packard found itself snared in legal actions when it bugged emails to help it find who was leaking board level secrets.

Marketers in turn quickly jumped on spy tools that let them track who their emails.  The preferred tool of choice for marketers is to embed tiny images in an email.  The sender then gets a report back about when and where the image opened, meaning when the email was opened.

Legitimate marketing companies involved in tracking tools include: Streak, Yesware, Mandrill, MailChimp, Postmark, TinyLetter, Sidekick, and MixMax.

Morey Haber, a vice president at security company BeyondTrust, elaborated: “Spymail is not new. It was originally developed and has become acceptable as a marketing tool to target prospects via email communications. The dark side is that anyone can use these tools to conduct malicious activities.”

The dark side lately is becoming darker as more criminals have recognized the value of compiling detailed information dossiers on executives.

That’s why you want to begin thinking on a defense strategy. If you haven’t been a victim of spymail yet, you will be.  Unless you take concrete defensive steps.

Everton explained how the spymail threat to traveling executives works: “Each time a traveling executive opens spymail, they reveal a wealth of private information — their current location, the time of day they read their email, the hotel at which they are staying. Scammers can use this information to craft believable phishing emails or phone calls, targeting the executive or their unsuspecting colleagues back at the home office. Because spymail looks like any other email, the receiver is unable to determine which emails are tracked with the invisible extension, making cybersecurity on the road much more difficult to manage.”

Here’s a vivid case in point. Imagine your CEO – really, a criminal masquerading as him – fires off an email, “urgently need $1 million US in good faith money transferred to XYZ at such and such bank in Moscow.”

“Can’t tell you more. Email here is bugged. Please proceed with haste. My life depends on this.”

Before you say no way, what if you know the CEO is in fact in Russia, that he may be meeting – for legitimate reasons – with known Russian hackers, and there certainly are loud questions asked about the ethics of the local players. And what if $1 million is not that big a sum to your company?

Is the money transferred? Just maybe.

Also know that it is not just criminals and marketers using spymail. Multiple experts said there is substantial evidence that many nation state security organizations are using spymail to track executive targets.

That could mean you.

Buckle up because matters may get worse.  “it is safe to assume the methods and techniques used will only become more of a problem and a higher risk for organizations,” said Haber.

How to fight back?

The first, easy step is to set email to not open images without authorization.  By default many email apps automatically open images.  It’s a small hassle to have to okay every image.  But do it.  You probably won’t miss the pictures.

In GMail, click the gear (top right).  Scroll to SETTINGS.  A few lines down, you will see IMAGES.  The default is “always display external images.”

Switch to “Ask Before Displaying External Images.”

Google, by the way, said it has built in protections: “To help load images safely, images go through Google’s image proxy servers and are transcoded before they’re delivered.

This makes images safer because:

• Senders can’t use image loading to get information like your IP address or location.
• Senders can’t use the image to set or read cookies in your browser.
• Gmail checks the images for known viruses or malware.”

Multiple experts said they wanted still more security for executives and know that many corporate email systems now are building in spymail filters, to strip out tracking images before the email arrives in an executive’s inbox or, in some cases, to block the email entirely.

Word of advice is: ask IT about filters in your system. Use them if available.

Also be very cautious about opening emails especially nowadays, especially when traveling. If you don’t have to open an email, don’t.

Can you just ignore the tracking image problem for now? Bad idea. The potential really is just now coming into focus.

Probably we ain’t seen nothing yet – and that is very bad news indeed.