Exfiltrate email address over http

Question

I have seen exfiltrate email address over http in our web logs. The typical URL pattern are:

• hxxp://54.81.149.159/[email protected]&r=0
• hxxp://54.81.149.159/usjo4qgq?r=0
• hxxp://54.81.149.159/eeje4cbk?d=$fromEmail&r=0
• hxxp://54.81.149.159/mfat4fqa?d=%7b%7blead.Email%20Address:default=noemail%7d%7d&r=0

I have seen those URL patterns on several other IPs as well. The reverse lookup of all IPs says, they belong to amazon ec2.

I was initially suspecting this is related to amazon SES service, but could not find any concrete document to relate the URLs. Does anyone know what this is?

Answer 1

These URLs are related to email tracking. Different email marketing products/campaigns have various templates to create tracking URLs. Most of them are hosting their service in AWS EC2 cloud platform.

I have seen the top url patterns from above IPs have similarity to marketo webhooks, which allows you to have real-time performance measurements. One of their URL tracking template is consistent with our top observed URL patterns. There are other email campaign management systems offered by responsys.com, sharecomm.org etc.

Another email tracking service provided by litmus is using the same range of IPs and I have found emltrk.com.

The conclusion is the company offering the email marketing service hosted on EC2 has not configured their email campaign tracking URL securely(https), and hence we observe the email on the URLs. This email tracking URLs are not malicious, and only use to generate performance measurements(KPIs) on the email campaign. Further, this is not part of Amazon SES, because 1. AWS services use different DNS naming, 2. SES uses secure connections, 3. reverse DNS has the format of outsourced EC2 service.

Some evidence to prove the hypothesis:

1. Number of users Vs flows with unique emails, shows majority of users have very limited number of flows. Observing the users with large number of flows showed that they are proxy users. Hence this is not generated by PUA or machine generated.

2. UserAgents of the URLs are MS-Outlook, this confirms this is generated from the mail client.

3. Forum discussion of modification of email taking code

http://developers.marketo.com/blog/integrating-slack-with-marketo/

https://litmus.com/help/analytics/how-it-works/

How does Litmus track their email analytics?

Track mass email campaigns

Answer 2

I have experienced this traffic also, and after digging into it a couple of days, I found this string: /gf7lo8kd?d=<div class=eloquaemail>EmailAddress</div>&r=0

If you google eloquaemail you'll find out that it's marketing automation campaigns from Oracle Eloqua.

Answer 3

Amazon EC2 is a virtual hosting environment. An IP address allocated to EC2, as evidenced by the *.*compute*.amazonaws.com hostname in reverse DNS is, most likely not providing an official product offered by Amazon Web Services (AWS), but is more likely to be assigned to a virtual machine (or cluster of virtual machines) that an Amazon customer has leased, to deploy their application. Some AWS official services do run on EC2 and live in the same address space, but this traffic pattern is unrecognized by me.

Not all AWS services require HTTPS, but SES does, so that can be conclusively ruled out. Also, these requests look nothing like SES requests on the wire.

You appear to be dealing with an unscrupulous/lazy/unskilled developer of some kind of app or service that is popular with your users... or malware... or an internal developer using something installed on an EC2 server that is not appropriately secure.

Regardless of which of these the case might be, blocking these particular destinations (specific IP addresses) seems an entirely appropriate short-term security response to help you identify the real nature of the traffic.

A long term or subnet-level block is not appropriate, because any EC2 customer can change their IP address any time, which could leave you with legitimate services blocked when a legitimate service subsequently begins using the address.