Hackers using pixel tracking to build data for better phishing practices

A technique used by marketers and advertisers is now being leveraged by cybercriminals.

A technique used by marketers and advertisers to track web users and email recipients has been repurposed by cybercriminals and online spies as a way of discovering potential hacking targets, according to new security research.

“We’ve seen a lot more use of this tactic recently as a probing or information-gathering tool,” by phishers and other cybercriminals, Donald Meyer of Check Point Software Technologies Ltd., told CyberScoop.

Tracking pixels, or web beacons, are tiny images, one pixel large, that are downloaded when a user opens an email or visits a website. Because they’re so small, most users don’t even notice them. “Often the image is designed to blend into the background,” according to the Network Advertising Initiative, a trade association and standards group of the digital advertising industry.

Because of the way most email programs and web browsers work, tracking pixels, once downloaded, can collect and report information about the user, operating system, device, software and IP address. Email marketers can use this data to measure the effectiveness of their campaigns — by A/B testing two kinds of email blasts for example, and discovering which is opened more often. Advertisers can also use it to compile data about the hardware and software their targets employ.


But, as Meyer explained in a blog post Monday, everything which makes tracking pixels great for marketers and advertisers  — unobtrusiveness, automaticity and the amount of data captured — also makes them great for hackers’ reconnaissance.

“You can build a ton of ‘get’ requests into the image,” he told CyberScoop, to obtain information about devices on the network being targeted.

Phishing email using tracking pixels (outlined in red) Source: Check Point

Hackers trying to break into a network have to explore its architecture first to find points of entry and ways to move around the system undetected, explained Meyer. During this reconnaissance stage, an attacker will often send booby-trapped messages known as phishing emails to map out the network, locate potential weak points and figure out who in the organization is most likely to open suspicious-looking mail and click on links or attachments.

Unlike a full-fledged hacking attack, such a reconnaissance won’t involve any executable code, and will generally get under the security radar. Checkpoint recommends that email programs be set so they don’t automatically download images.


By sending emails equipped with a tracking pixel, Meyer said, a hacker can catalogue network IP addresses; track employees’ working hours; even A/B test potential phishing emails — working out which ones are most likely to be opened. They can also find out what operating system and other software is being used on certain machines — helping them identify potential vulnerable points for entry.

Tracking pixels can even be embedded in Microsoft Office documents and spreadsheets. If the emails or documents attached to them are forwarded around an organization, the hackers will get the same data about anyone who opens it.

“Hackers are always looking for the low-hanging fruit,” explained Meyer. “The information they can get [from a tracking pixel] helps them find it.”

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts