Pixel Tracking: A Hacker’s Tool

What is pixel tracking?

It’s challenging to justify the effectiveness of an email campaign if you can’t measure its success. So, what do you do? You use pixel tracking, a seemingly innocent sales tool that helps sales and marketing teams track their campaigns. Tracking pixels are embedded into emails and load when the recipient opens the email. The sender can receive information about when and who opens the email, how many links are clicked, what platform the receiver uses, and the status of the message. The same concept is used for attachment and link tracking as well. However, this data collection is performed usually without the recipients’ knowledge or consent.

Most recipients do not see the embedded pixel, as the pixel is merely a blank space at the end of the message. Depending on the email provider, recipients may see a “Load images from this user?” message. Most probably click “Yes” without further thought. However, most recipients usually have email preferences set to display images by default, so they do not even see the message.

Abusing pixel tracking

Remember, criminals are becoming incredibly sneaky at using every day business resources to their own advantage. While pixel tracking may seem innocent and useful, it can also be used for a wide array of malicious purposes. Hackers trying to penetrate an organizational network are always looking for more information. During the reconnaissance stage, attackers often send phishing mails to map out the network and locate potential breaches.

By sending emails injected with a tracking pixel, a hacker can map the devices used in the targeted company, detect IP addresses, learn which recipients are likely to take the bait, and even track employees’ working hours. Using the gathered information, the attacker can analyze the network architecture of an organization, including which operating systems are being used, and the hardware characteristics of network devices. With this knowledge at hand, he can search for and exploit existing vulnerabilities in the operating system. In addition, attackers can use it gather statistics to help optimize their phishing campaigns.


Tracking pixels found by Check Point researchers at the end of a phishing email


What can you do to stay protected?

Simple pixel tracking may not cause a direct breach, but should raise suspicion as it may mean that someone is trying to find out more information about your network. To stay protected, simply turn off automatic image loading in your email preferences. There are also web extensions you can install that will warn you if your pixels are being tracked or will block them all together.

In addition, the Check Point Anti-Spam & Email Security Software Blade protects customers from falling victim to such scams. Its multidimensional approach protects email infrastructure, provides highly accurate anti-spam coverage, and defends organizations from a wide variety of virus and malware threats delivered within email. In addition, SandBlast™ Agent with Zero Phishing™ technology protects organizations from new and unknown phishing sites, as well as from malicious documents and links delivered via email.