When Fraudsters Use Our Own Tools Against Us


Many new email tracking services have emerged over the past few years. These services help marketing teams determine if their email marketing campaigns have been successful by analyzing the number of opened emails and user click-throughs. As these tools have matured, they have also begun to offer more analysis capabilities that help marketers extract relevant data about their target audience, market segmentation, habits, and so on.

But now, fraudsters are adopting the same email tracking methods as a way to check the efficacy of their attacks.

We can divide an attack’s launch into two stages. The first starts with the infection vectors used to spread the threat in the name of a well-known company, bank, or even government entity, and ends when the fraudsters have obtained information about the propagation of their malicious campaign. Commonly used methods in this first stage are email phishing, fake advertisements, fake social media profiles, etc. The second stage is execution, which begins when the victim has been exposed to the fraudulent content. In this stage, the victim is exposed to the threat and encouraged to provide information or open files with an embedded malicious payload. However, exposure alone does not mean that the target has provided sensitive information or downloaded the malicious content.

Figure 1. URL tracking life-cycle

The methods used to track an attack during its distribution are quite simple. Usually, fraudsters create or use open source tools that modify the URLs embedded in each email, adding an extra parameter. Depending on the attack’s level of sophistication, this parameter can be the recipient’s email address in plain text, an encoding of it, or just a token generated for that URL.

One example of a URL tracking system is the well-known malware Hancitor (Figure 3 shows a real phishing email used in a Hancitor attack), which embeds a base64 encoding of the targeted email address in the malicious URL to track the success of a phishing email.
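The following triage helper is an added example, not code from the original post or from any of the tools it describes. Given links lifted from a suspicious email, it classifies query parameters as the three kinds of tracking data discussed above (a plain-text address, a base64-encoded address in the Hancitor style, or an opaque per-recipient token); the sample URLs are constructed, and `example.invalid` is a reserved domain that never resolves.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

# Hypothetical triage helper (added example): classify query parameters in links
# lifted from a suspicious email as the kinds of tracking data described above.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
TOKEN_RE = re.compile(r"^(?:[A-Fa-f0-9]{8,}|[A-Za-z0-9_-]{16,})$")

def decode_base64_text(value: str):
    """Decode standard or URL-safe base64 (missing padding tolerated); None if not text."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return None

def classify_url(url: str):
    """Return (parameter, kind, decoded_value) findings for one URL; [] if none found."""
    findings = []
    for name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            findings.append((name, "plaintext_email", value))
            continue
        decoded = decode_base64_text(value)
        if decoded and EMAIL_RE.match(decoded):
            # Hancitor-style: the recipient's own address, base64-encoded
            findings.append((name, "base64_email", decoded))
        elif TOKEN_RE.match(value):
            # Opaque per-recipient token the sender can map back to a mailbox
            findings.append((name, "opaque_token", value))
    return findings

# Constructed sample links (example.invalid is reserved and never resolves).
SAMPLE_URLS = [
    "http://example.invalid/doc.php?id=" + base64.b64encode(b"victim@example.com").decode(),
    "http://example.invalid/login?u="
    + base64.urlsafe_b64encode(b"alice@example.com").decode().rstrip("="),
    "http://example.invalid/statement?token=9f1c2a7b4e3d",
    "http://example.invalid/auth?user=bob%40example.com",
    "http://example.invalid/index.html",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify_url(url) or "no tracking parameter")
```

The helper only parses the link; it never requests it, because the request itself is the click the sender is waiting to record.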

Figure 2. A phishing email spread in the United States with tracking functionality

Figure 3. Two different phishing emails targeting customers of well-known banks in LATAM

Our investigators have detected that this technique is being used worldwide. Figure 2 shows a case in the United States, and customers of some of the major banks in Latin America are also being targeted with email messages that contain tracked URLs. Figure 3 shows two different malicious URLs, each with a different kind of “token” or “tracking parameter”, demonstrating the fraudsters’ skills and modus operandi.

The emails above highlight how the phishing sites spread, as well as key details of the emails, such as persuasive messaging and catchy email subjects.

These tracking tools are not always implemented, but, when they are, they give attackers a better view of potential victims. Fraudsters can study their profiles, habits, needs, and common patterns to find the best way to spread a threat. This is where a tracking method becomes useful in determining information such as the email addresses that received the message and accessed the malicious content, the web browser used to open the attack, the number of clicks that users made, the victim’s location, etc. Using all this data, an attacker can easily segment their victims and refine their strategy for a successful malicious campaign.

Figure 4. Extracted information from a real attack, which tracks users during the distribution stage

Figure 4 shows a graph of the information gathered from the analysis of an attack in Brazil in which the attackers collected data about users. The extracted data allows the fraudsters to easily determine which web browsers their victims use, so they can prioritize those browsers for vulnerability exploitation.

Finally, after the end user has been deceived, attackers apply metrics and statistics to their campaigns. Fraudsters generally build reporting tools directly into their creations to gather information about the affected end users: the state of their machines, their location, and reports containing the stolen information. For example, Figure 5 shows the main screen of the Zeus banking Trojan, which presents a brief overview of the botnet’s status. By adding an extra layer to track the effectiveness of the actions taken during the distribution of any malicious material, attackers can glean a lot more information about the targeted public, usage trends, and habits, which in turn can be used as direct feedback to improve further actions.

Figure 5. Fragment of the control panel of the banking Trojan Zeus


  • Using tracking tools during the distribution stage of any malicious content allows fraudsters to measure the effectiveness of their campaigns and use this knowledge to improve their fraud strategies.
  • Next time you access a link embedded in a suspicious email, be aware that you could be giving fraudsters more information than you think.
  • Though email campaigns seem quite simple to run, their design reveals well-organized group behavior. It is evident that they are measuring their Return on Investment (ROI), as is done in the largest legally established companies.


Always verify the source of any document you receive, be wary of warning signs (badly written emails, generic messages, or information that doesn’t match your profile), and use an antivirus solution to double-check any downloaded file. Never allow software to run if you didn’t start it yourself. Never trust unknown email sender addresses.

Secure your customers by implementing email domain validation techniques that protect them from company impersonation. This will also allow you to improve your email domain reputation.
