this post was submitted on 22 Mar 2024
19 points (91.3% liked)

cybersecurity

3376 readers
15 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 2 years ago
MODERATORS
 

An HTML-only email from a gov agency has a logo referencing an URL that looks like this:

https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png

It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.

The output of torsocks curl -LI looks like this:

HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes

That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel -- it’s a logo.

The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?

Are there any other checks to investigate this?

you are viewing a single comment's thread
view the rest of the comments
[–] stevedidwhat_infosec@infosec.pub 4 points 9 months ago (1 children)

Honestly without a copy of the email file with all the information included I’m not sure what’s going on here based off your description. You say they have a logo “referencing” this oddball url (btw it’s a hosting company, seems they’re owned by OVH in France)

What does referencing mean exactly? Are you saying this url is the source listed in the email of the logo/tracking image?

It’s possible thats the logo is used for tracking but I wouldn’t go drawing any conclusions outside of that hypothesis. Tracking pixels are pretty commonplace in emails both by businesses and by govts. Why? Because the communications and outreach folk care about metrics like how long you read an email and if you made it to the bottom or not, etc.

Based off what I do see here/understand in your case, this does seem to be a tracking pixel, but I can’t stress enough not to let your mind run off and start making further assumptions based off this singular fact.

Don’t let worry/anxiety blur any lines in your head between what you know and what you suspect/predict.

- An infosec guy who has talked to waaaaaaaay too many people struggling with schizophrenia/paranoid delusions/etc

[–] coffeeClean@infosec.pub 4 points 9 months ago* (last edited 9 months ago) (1 children)

What does referencing mean exactly?

Sometimes HTML email comes with the logos and objects needed to render it, sometimes not. When the objects are included it’s possible to render the message while offline. In the case at hand, the logo was not included and the HTML body defined a logo with that unique URL inside img tags.

In the very least, if we assume the tracking is appropriate and that it’s consistent with the privacy policy and ToS I agreed to, I would still find it objectionable that a government would conceal the fact that they are using a tracker pixel/image by withholding the content-length header. The gov should be transparent about what they are doing. They should even disclose in each such message “we have a tracker pixel in here”, for transparency which should not be an issue if it’s legit. I personally need the content-length header because I’m on a shit internet connection and have a need to know how big something is before I fetch it. So I’m disturbed that all Cloudflare sites (which is like ½ the web now) withhold the content-length header. The agency at hand is sloppy with privacy and probably sloppy with everything. It’s not necessarily malicious but nonetheless I’m not going to lower the standard by which they should be held to.

[–] stevedidwhat_infosec@infosec.pub 2 points 9 months ago

Right right, I know how html tags and all that works just wanted to make sure we were for sure both talking about the same thing that’s all. Wasn’t verbiage I normally see so I verified quick

And this 2nd part you have here makes total sense with me and I fully agree, just wanted to make sure I wouldn’t be inadvertently causing any harm to you if you were struggling with paranoia or anything like that, that’s all. Hope I wasn’t coming off as too dismissive!!