When you look at files from your cloud, are they looking back at you?

When your users look at files served from your cloud platform, files that have tracking pixels could be looking back — revealing more than you should to outsiders about users and infrastructure. Security researchers are finding tracking pixels implicated in attacks on enterprises. So, if your IT workloads are on a cloud platform, you should add pixel tracking to your list of cloud security issues. Here is how pixel tracking works and how attackers are co-opting this marketing tool to compromise security at enterprises.

Tracking pixels – also called web beacons, tracking beacons, and web bugs – are useful marketing tools. Digital-marketing experts use tracking pixels to measure several aspects of email and web advertising campaigns [i]. A tracking pixel is an image file, such as a GIF or PNG, that also sends a string of code to an outside website. To prevent users from noticing they are being tracked, the images are usually only one pixel in size, hence the name “tracking pixel.” Besides being tiny, tracking pixel images can be set to the same color as the background of an email or web page so users won’t notice them.

The pixel’s code pings a website when a user downloads the image. The tracking code can be as simple as <img src="http://server/cgi-bin/program?e=email-address"> [ii]. A pixel’s tracking code can also be written to capture information such as IP addresses, hostnames, operating systems, Web-browser types, dates the image was viewed, use of cookies, and other information [iii]. While marketers use this information to fine-tune advertising, criminals can also use it to identify cloud-platform components and look for known software vulnerabilities they can exploit in a later attack.
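One way to flag likely tracking pixels in an HTML message body before any images are loaded, shown as an added example that is not code from the original article. The heuristics (tiny or hidden remote images, an email address in the query string), the function name find_tracking_pixels and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import re

EMAIL_RE = re.compile(r"[^@\s=&]+@[^@\s=&]+\.[^@\s=&]+")
TINY = {"0", "1", "0px", "1px"}

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images do not ping a remote server
        reasons = []
        style = a.get("style", "").lower().replace(" ", "")
        if a.get("width", "").lower() in TINY and a.get("height", "").lower() in TINY:
            reasons.append("1x1 or 0x0 dimensions")
        # The lookbehind skips properties such as max-width or line-height.
        if re.search(r"(?<![-\w])(width|height):[01](px)?(;|$)", style):
            reasons.append("tiny size set in CSS")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        for key, value in parse_qsl(url.query):  # values arrive percent-decoded
            if EMAIL_RE.fullmatch(value):
                reasons.append(f"email address in query parameter '{key}'")
        if reasons:
            self.findings.append((src, reasons))

def find_tracking_pixels(html):
    """Return (src, reasons) for every remote image that matches a heuristic."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample message body (not taken from a real email).
SAMPLE = """
<img src="https://shop.example/banner.png" width="600" height="120">
<img src="http://tracker.example/cgi-bin/program?e=alice@example.com" width="1" height="1">
<img src="cid:logo@local" width="1" height="1">
<img src="https://cdn.example/o.gif?id=93f1" style="width:1px; height:1px; display:none">
"""
```

Calling find_tracking_pixels(SAMPLE) reports the second and fourth images; the banner and the embedded cid: image are ignored because neither is both remote and suspicious.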

In phishing attacks, tracking pixels can be used to learn which recipients are most likely to open scam emails. Since some scammers retool mass phishing attacks against random users to target high-value enterprise users, they are turning to pixel tracking to increase the odds that a spear-phishing attack will succeed [iv]. Our security researchers have already discovered tracking pixels being used in the wild as a surveillance tool to gather information for use in phishing scams.



Last August, our security research team reported capturing the image above from a phishing email. The red x placeholder images outlined in red show the intended placement of tracking pixels that were prevented from downloading.

Tracking pixels threaten privacy in more than emails and web pages. For well over a decade, it has been understood that tracking pixels can be used in Microsoft Office files like Word documents, Excel spreadsheets and PowerPoint presentations. This works because Office files can link to an image located on a remote Web server. Putting a tracking pixel in an Office document makes it possible to track the document’s activity as it moves through an organization.

So far, tracking pixels have not been found to be the direct cause of any specific security breaches. Rather, their surveillance capabilities are enablers for subsequent attacks against users and infrastructure. To counteract this threat, it is advisable to deploy email and anti-phishing security controls as part of your cloud-security arsenal.

In addition, it is advisable to keep all software running in your cloud environment patched. Web application security that protects any unpatched software residing in your cloud environment is also a good idea, as is deploying robust intrusion prevention.

As a good rule of thumb, before you download pictures in advertising emails, look for any anomalous image placeholders. They could be pixels that want to look back at you.


[i] Network Advertising Initiative, Understanding Online Advertising, as seen on 11/15/16, https://www.networkadvertising.org/understanding-online-advertising/glossary

[ii] How to avoid image blocking in emails, Web Target, as seen on 11/15/16, http://www.web-target.com/en/email-how-to-do/509-avoid-image-blocking-email

[iii] Web Buggery: Analyzing Tracking Images, Irongeek.com, as viewed on 11/15/16, https://www.irongeek.com/i.php?page=security/webbugs

[iv] http://blog.checkpoint.com/2016/09/08/pixel-tracking-a-hackers-tool/