4

I work for a large company and they are currently running a phishing training program. I received one of these "safe" phishing emails and found something I don't really understand.

There are several png files and one wav file that are hidden at the bottom, all of which reference what looks to be a unique web site. I know that loading the png image can be used for tracking but by default (I use Outlook 2016) images are blocked and therefore wouldn't load unless I allowed them.

So my question is, can wav files be used for tracking when an email is opened and get around the default picture blocking behaviour?

Mackija

2 Answers

2

It was once possible to embed audio into emails (including auto-play). Here's a 2012 article describing how it was done. This does not currently work in Gmail or Outlook 2016, but it may still work in other email clients.

So if the recipient is using an email client that supports this, then yes it would be possible to track email opens this way, in exactly the same manner that it's done with images.

Sequoyah
1

Broadly, yes... but it doesn't reveal a whole lot about you.

Any link you click (whether from an email or elsewhere) makes an HTTP request to a remote server. The server handling the request will receive some details about what you were asking for (domain name, filename, the IP you made the request from, etc).

So whatever information is in the link address, may be recorded in an event log in the remote server. This is how "tracking pixels" in emails and on websites work. They often have a small (possibly 1 pixel) image, with a URL unique to that email. When your web client loads it to display the image, they record your IP address.

IP addresses can be used to determine things like your physical location (usually down to your city, but not generally your physical address unless they have access to your service provider's records). It also reveals who your Internet Service Provider (ISP) is, and could be correlated to other traffic if you visit more sites controlled by the email's sender.

It's also possible in some rare circumstances to embed malicious code into a wav file. Here are a couple of examples of past incidents where this might have been the case. Usually, these types of risks aren't available to exploit for long, provided you keep your software up-to-date.

It's still best not to play WAV files from unknown sources. It's up to you to determine whether the risk that the WAV file might be malicious is worth whatever might be gained by listening to it. The same is true of opening any file sent to you by email or downloaded from a website.

https://www.exploit-db.com/exploits/39177/

https://tools.cisco.com/security/center/viewAlert.x?alertId=14723

nbering
  • So my understanding of the tracking pixels is that as soon as they are loaded on the page/email, then the href site gets a request, but if all images are blocked then they wouldn't load and therefore no request. Question was more, does the wav file get loaded or is it blocked by default? – Mackija May 09 '18 at 17:05
  • Ah.. you have a point there. It depends. In most cases probably not, but if the browser tried to be helpful and buffer some of the audio in case you played it, then it might indicate that the email had been opened. Some of these tracking techniques are getting pretty unreliable anyway, since many mail services will scan the linked content for malware. That gives a false-positive to the tracker. – nbering May 09 '18 at 18:32
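
An added example, not part of the original question or answers: a small Python audit that lists the remote URLs in an email's HTML body that a client could fetch on open, and separates out the non-image ones (such as the wav reference described in the question) that image blocking alone would not cover. The tag list, function names and sample message are assumptions constructed for illustration; which tags a given mail client actually loads varies.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute a client may fetch without a click.
# Assumed list for illustration; <a href> is excluded because it needs a click.
AUTO_FETCH = {
    "img": ("src",), "audio": ("src",), "source": ("src",),
    "bgsound": ("src",), "embed": ("src",), "video": ("src", "poster"),
}

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in AUTO_FETCH.get(tag, ()) and value:
                # cid: and data: references are local to the message; skip them.
                if urlsplit(value).scheme in ("http", "https"):
                    self.refs.append((tag, value))

def remote_refs(raw_message):
    """Return every remote auto-fetch reference in the text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.refs

def non_image_refs(raw_message):
    """References that an image-only blocking rule would not cover."""
    return [(t, u) for t, u in remote_refs(raw_message) if t != "img"]

# Constructed sample message (example.com hosts, made-up token).
SAMPLE = """\
From: training@example.com
To: user@example.com
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the invoice.</p>
<img src="https://track.example.com/o/abc123.png" width="1" height="1">
<audio src="https://track.example.com/o/abc123.wav" autoplay></audio>
<img src="cid:logo">
</body></html>
"""
```

Running `remote_refs` over a saved copy of a message shows which per-recipient URLs it carries; whether a client requests the non-image ones on open has to be confirmed against that client, for example by watching its outbound requests through a proxy.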