A talented security colleague came across a tweet from a company called Yesware and remarked to me that it could be construed as spear phishing with specific language for legal protection. I can see his point, but in pedantically technical language, no, this is not spear phishing. Yesware certainly could be a tool in a spear phisher’s toolbox, but that is not what it is designed for.
Is Yesware Spyware?
As a 16-year veteran of cybersecurity, specializing in malware, my opinion is that Yesware is stealth spyware used for cyberstalking. Yesware employs hidden tracking cookies to report to a salesperson that you have opened the email they sent you – whether you opened the email on a desktop or on a mobile device, and to track many other activities. Of particular concern is that an email client explicitly configured to block read requests is deliberately circumvented. I believe that a program designed to evade privacy defense mechanisms in order to obtain personal information constitutes spyware by any working definition of the word. If my contention that Yesware is spyware is accepted, then the logical conclusion is that the customers of Yesware are using spyware, as intended by the author of the program.
Is the use of Yesware Cyberstalking?
Once again, my considered opinion is yes. That is also the picture Nick Tommarello paints in his blog titled “How to Block Being Tracked by Yesware”. Nick does not go as far as calling it cyberstalking, but he does say:
“But it’s a bit awkward when a friend goes, ‘Dude! I saw you opened my email yesterday! When the hell are you going to respond?! And what were you doing in New York?!’”
Regardless of whether or not you would call Yesware cyberstalking, at least in the United States, Yesware is not breaking any laws – yes, their actions are legal. The analogy I would use is that a licensed private eye is a professional, whereas an unlicensed psychopath is a stalker.
Mr. Tommarello advises that the easiest way to block Yesware is to have your client set to disable images. This approach has significant benefits that go far beyond Yesware. However, this is not the approach Mr. Tommarello uses. He wrote a Microsoft Exchange rule that scans emails for images linking to yesware.com, deletes the messages, and returns an email asking for the message to be resent without tracking.
Others have suggested adding “127.0.0.1 app.yesware.com” to your “hosts” file. Step-by-step instructions for modifying the “hosts” file, specifically to block Yesware, have been posted on the Lacuna Blog. Neither Exchange rules nor hosts file modifications are scalable as there are several such services, and more are certain to be created.
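The detection half of such a rule can be sketched outside Exchange. The following is an added example, not Mr. Tommarello's rule or any vendor's code: it parses a raw message, collects the image URLs in its HTML parts, and reports those hosted on a listed tracking domain. The function names, the sample message, and the pixel path are constructed for illustration; only yesware.com comes from the article, and the domain set has to be extended by hand for each additional service, which is the scalability limit noted above.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRACKER_DOMAINS = {"yesware.com"}  # from the article; extend for other services

class ImgCollector(HTMLParser):
    """Collect the src of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src.strip())

def is_tracker_host(host):
    # Match the domain or any subdomain (app.yesware.com), not look-alikes.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)

def find_tracking_images(raw_message):
    """Return <img> URLs in the HTML parts that point at a tracker domain."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for src in collector.sources:
            try:
                host = urlsplit(src).hostname or ""
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if is_tracker_host(host):
                hits.append(src)
    return hits

# Constructed sample message (not real Yesware output; the pixel path is a placeholder).
SAMPLE = (
    b"From: sales@example.com\r\nTo: you@example.org\r\nSubject: Follow-up\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p>Hi!</p><img src="https://example.com/logo.png">'
    b'<img width="1" height="1" src="http://app.yesware.com/PLACEHOLDER.gif">'
    b'<img src="https://yesware.com.example/a.gif">\r\n'
)

if __name__ == "__main__":
    print(find_tracking_images(SAMPLE))
```

A mail filter would call `find_tracking_images` on each inbound message and quarantine or tag the message when the returned list is non-empty.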
It Never Worked With My Parents
There is always the “But all of the other kids are doing it” defense. Did you ever try that? How did that work out for you?
Yesware may respond that I am singling them out for engaging in what is in fact a widespread practice – mea culpa – Bananatag, DidTheyReadIt, and several other such “services” do the same thing. Therein lies the problem. Spyware that should be illegal is not, and a well-funded industry is certain to prevent legislation to block its spyware and cyberstalking.
What You Can Do
There is nothing you can do to prevent most of the tracking on the Internet, but you can prevent people from tracking many email-based activities. The most scalable methods are to block images in email and to block local storage objects (LSOs). LSOs can be used legitimately, but they frequently are used for stealthy tracking and may reside in images included in email. In a blog at IT Toolbox.com, Craig Borysowich has some suggestions for enterprises.
Remember: That salesperson who shook your hand, asked how your spouse and kids are doing, and wished you a Merry Christmas (ironic) may have sent you spyware in your email communications.
Research Director Randy Abrams brings a wealth of experience in malware and virus research to the NSS Labs team. Previously, he was the Director of Technical Education for six years at ESET, a global antivirus company, and from 1993 to 2005, worked at Microsoft where he developed and managed the processes to prevent their software from being released with malware.