Cybersecurity experts have uncovered how hackers use Cascading Style Sheets (CSS) to deceive spam filters and monitor user behavior.
This sophisticated technique allows malicious actors to remain under the radar while gaining insights into user preferences and actions.
The abuse of CSS for both evasion and tracking poses substantial threats to privacy and security.
The Abuse of CSS for Evasion
Threat actors have developed several methods to exploit CSS for evading detection.
One of these methods involves using CSS properties like text-indent and opacity to conceal content within emails.
This “hidden text salting” technique allows attackers to add irrelevant text or code that is not visible to recipients but can trick spam filters into misclassifying the email as legitimate, as per a report by Talos Intelligence.
For instance, by setting the text-indent property to a large negative value (e.g., -9999px), attackers can move unwanted text far beyond the visible area of the email.
This hidden content can include gibberish characters inserted between legitimate words in the email body, making it difficult for detection engines to identify the true intent of the message.
Additionally, setting the font size to an extremely small value or the text color to transparent ensures that the hidden content remains invisible to human eyes.
Another technique involves using the opacity property to make certain elements completely transparent, thus hiding them from view while maintaining their presence in the email code.
This approach can be used in both the email body and preheader sections to deceive spam filters and make the email appear less suspicious.
The Abuse of CSS for Tracking
Beyond evading filters, CSS is also being used to track users’ actions and preferences. Email clients’ varying support for CSS rules enables attackers to fingerprint recipients’ systems and hardware.
This can include detecting screen sizes, resolutions, and color schemes, providing valuable information that can be used to tailor phishing campaigns or marketing strategies.
An example of this tracking involves using the CSS media at-rule to record when an email is viewed or printed.
By embedding tracking images or URLs that log specific events (e.g., when the email is opened in a particular client), attackers can gather detailed data about user engagement and preferences.
This information can be used to optimize future campaigns or enhance the effectiveness of targeted attacks.
Furthermore, CSS can be used to fingerprint operating systems based on the availability of specific fonts.
For instance, using a font like Segoe UI, which is common in Windows, and a media rule that applies different styles if Helvetica Neue is available (typically found on macOS), attackers can determine which operating system a recipient is using.
This information can be used to tailor malicious content to the recipient’s environment.
Mitigations
To address these security and privacy threats, several mitigation strategies can be employed:
- Advanced Filtering Mechanisms: Implementing advanced email filtering systems that detect hidden content and analyze both text and visual characteristics of emails can help identify malicious messages.
- Email Privacy Proxies: Using privacy proxies with email clients can effectively protect user privacy by rewriting CSS rules to prevent tracking and converting remote resources into data URLs. This approach confines styles within the email and prevents the exfiltration of information.
- User Awareness: Educating users about these tactics and encouraging vigilance when opening unsolicited emails can also help reduce the risk.
The exploitation of CSS for nefarious purposes underscores the evolving nature of cyber threats.
As attackers continue to innovate, both individuals and organizations must stay informed and implement robust security measures to protect against these sophisticated tactics.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
 to deceive spam filters and monitor user behavior.){kind=link}