Proxying Exfil Data Through Images

Curtis Brazzell
6 min readJul 18, 2020

Intro

On the heels of my last blog when I discovered how to prevent all of my phishing emails from landing on any blacklists, I realized that sometimes Gmail, Microsoft 365, and possibly other email providers will mark an email as suspicious simply because an embedded tracking pixel doesn’t really reference an image at all. What if there was a way to reference a real image but also pass parameters through to a back-end? What if you could use trusted third party image hosting services at places like Google and Imgur to relay information across? Aside from phishing, maybe this same concept be used to avoid domain blacklists, Content Security Policies, and strict content filtering egress rules!

Some Background

An old trick used in both phishing and marketing campaigns everywhere is to use an HTML image tag that references a remote resource containing server-side code to log metrics, or even potentially capture hashes. These “images” are not really images at all and are rendered broken, but they’re designed to be invisible by typically only being 1 x 1 pixel in size. If images are rendered in your inbox by default (consider disabling this), the browser will make a subtle request to the sender to collect analytics about you such as your IP address, browser, OS, etc. The request may look something like this:

URL Containing Parameters to Identify the Campaign and the Target Recipient

In the example above, Gmail seems smart enough to recognize that this really isn’t an image at all and will (sometimes) mark the email as suspicious, showing the recipient a banner with a yellow warning message.

The Idea

Obviously you can’t pass parameters to a real image, but what if the server-side code at the URL above accepted the input from the parameters and responded with a content-type of a valid image instead? In my experiments this seemed to be more successful and I haven’t checked, but I’m assuming this is what marketing companies do instead of referencing URLs that aren’t really images in image tags. (Someone fact check me here)

Example of Server-Side Code Responding With a 1 x 1 Pixel Image and Throwing Input Into a Database

So all of this got me thinking, what would happen if I plugged my image address into sites that get…

--

--

Curtis Brazzell

Passionate geek for Information/Cyber Security! I’m always learning and am happy to contribute anything I can share with the community. Follow me @ Twitter!