Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.
Using the ROPEMAKER exploit, a malicious actor can change the displayed content of an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.
As described in more detail in a recently published security advisory, Mimecast has added a defense against this exploit for its customers and also provides security recommendations that non-customers can consider to safeguard their email from this exploit.
So what is ROPEMAKER?
The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.
Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing. As described in more depth in the ROPEMAKER Security Advisory, this remote control could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.
Into this, post-delivery (without having direct access to the user’s desktop):
To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.
For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.
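As an added defender-side example (my own code, not Mimecast’s gateway implementation and not from the advisory), the check below parses an RFC 822 message and reports the remotely hosted CSS that an HTML part would fetch at render time, which is the post-delivery channel ROPEMAKER relies on. It uses only the Python standard library; the sample message and the css.example.invalid host are constructed.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# CSS that fetches something over http(s): @import rules or url() values.
CSS_REF_RE = re.compile(r"(?:@import\s+(?:url\()?|url\()\s*['\"]?\s*(https?://[^'\")\s;]+)", re.I)


class RemoteCssFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []        # URLs found, in document order
        self._in_style = False  # True while inside a <style> element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split() \
                and a.get("href", "").lower().startswith(("http://", "https://")):
            self.remote.append(a["href"])
        if tag == "style":
            self._in_style = True
        self.remote.extend(CSS_REF_RE.findall(a.get("style", "")))  # inline style="" attributes

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # HTMLParser hands <style> contents to handle_data
            self.remote.extend(CSS_REF_RE.findall(data))


def find_remote_css(raw_message: str) -> list:
    """Return de-duplicated remote CSS references from every text/html part of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteCssFinder()
            finder.feed(part.get_content())
            found.extend(finder.remote)
    return list(dict.fromkeys(found))


SAMPLE_EMAIL = """\
Subject: constructed sample (not a real capture) using all three reference styles
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://css.example.invalid/mail.css">
<style>@import url("https://css.example.invalid/late.css");</style></head>
<body><p style="background: url(https://css.example.invalid/bg.png)">Hi</p></body></html>
"""
```

A gateway or client-side filter can use the returned list to strip or quarantine HTML parts that would otherwise restyle themselves after delivery; disabling remote content loading in the client, as the advisory recommends for Apple Mail, closes the same channel on the receiving end.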
Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? Attackers certainly don’t care why a system can be exploited, only that it can be. If you agree that the potential for an email to be changed post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry, let’s work together to reduce the likelihood that ROPEMAKER-style exploits gain any traction with cybercriminals!
by Matthew Gardiner for Mimecast
Words matter. People may not read everything, but they do scan. And they process information subconsciously at lightning speeds to determine if they’ll click or bounce within a few fractions of a second.
While some words (like “Submit” on your button) may seem innocent enough, they could be costing you dearly, turning away visitors in droves.
Here’s why, along with a few other conversion-sabotaging words you need to replace in your e-mails, ads, and landing pages ASAP.
“Submit” is a derivation of submission. And therein lies the problem. There’s a negative connotation with yielding to someone or something superior. People, as a general rule, don’t like yielding.
This was proven definitively years and years ago by Dan Zarrella and HubSpot. They took a look at the conversion rates of over 40,000 customer landing pages and quickly noticed a huge discrepancy.
When call to action (CTA) buttons included the word “submit,” conversion rates tended to drop immediately by a few percentage points.
Use words like “click here” or “go” instead.
What’s the fastest way to learn terrible copywriting? Get an MBA.
Because in just a few short weeks, you’ll find yourself spewing out “synergy,” “competencies,” and a host of other clichéd, meaningless words that have old professors nodding their heads in approval.
As evidence, go visit almost any B2B website outside of marketing and advertising. Your eyes will glaze over, your face will contort, and a sudden bout of narcolepsy might hit at any moment.
Many times, clients and bosses don’t notice anything wrong at first either. The problem with “best in class” and all other common business jargon (besides the fact that it also appears on every competitor’s Web site) is that customers can detect that the company is talking nonsense.
Research shows that people prefer things that are easy to think about to those that are hard. Generally, the level of reading comprehension is low. People aren’t focusing or reading online; they’re scanning and multitasking and browsing and tweeting while looking at your page.
Rewrite anything with the faintest resemblance to what you learned in school.
Consumers are bombarded with hundreds of “greymail” e-mails each day. Trillions are being sent by marketers each year. So you’d think, logically speaking, that assuring visitors you won’t spam them would help conversions. Unfortunately that’s not the case. “Spam” is a huge stop word — or no-no — that causes people to become apprehensive and hesitate.
A test carried out by Michael Aagaard showed the surprising ramifications. He added the seemingly harmless line “100% privacy — we will never spam you” in between the form fields and the submission button.
Typically, these extra credibility indicators surrounding a CTA can help to give conversions a nice little boost. But not in this case; it backfired by over 18%.
Try assurances like “Your information will not be shared.”
Avoid words with a negative connotation (as we saw with “submit”) in general, and use additional messaging to reinforce the positive aspects of what someone is about to get.
“We” opens a door. It’s like the gateway drug of bad copywriting. One small hit, and you’re quickly off to dabbling with bigger, badder things.
While it might seem harmless at the time, “we” puts you on a path to jonesing for a fix of “synergy” and “best in class” in no time.
But keep in mind that, as a general rule, people don’t care about you. Instead, they want a “better version of themselves.”
This is especially so for all those visiting your site at the top of the funnel, who haven’t realized a need for your product or service yet. They’re Googling solutions for drilling a hole in their wall so they can hang a picture… they’re not looking for a drill (just yet).
That means the focus of messaging should be centered around a problem and solution, not a tool, product or service.
Instead of “we,” begin with “you” or don’t use a pronoun at all (as in a question or a command/call to action).
The copy on most web sites is written in the second person. And that’s a good thing! Copywriters are taught to use “you” instead of “they” when explaining the benefits derived from the latest product or service.
However, there are exceptions. When focusing on a CTA or specific conversion event, the “possessive determiner” should switch back to first person.
Another test from Michael Aagaard proves the point. Michael initially thought that “your” in the CTA button copy would work best. But he found almost a 25% difference just by switching a single word – from “your free trial” to “my free trial”.
Switching to “my” gives people ownership of the benefit they’re about to receive.
You’d think, on the surface, that “free” increases conversions. And it does in most cases. The last example a few seconds ago used a “free trial” to generate more interest (and clicks). But there are exceptions.
The first (albeit tiny) issue is that the word “free” can trip up spam filters in email messaging. The second, bigger problem, though, is a curious case of over-optimisation: more conversions isn’t always better. A Totango study showed that 70% of the people who sign up for free trials are useless, with only around 20% of those actively evaluating the product.
So while the word “free” can (and will) increase initial conversions, you should be optimising for sales and revenue — not vanity metrics like leads or impressive (but hollow) conversion rates.
‘Save time and money’
So far we’ve seen that vague, meaningless, overly generic phrases are bad for conversions. The culmination of them all — the cherry on top and the pièce de résistance — is “save time and money”.
This phrase breaks one of the very first rules of copywriting that says you should write to a particular audience.
Roll up your sleeves and dig a little deeper into who you’re speaking to, and what they value most.
The key is to ferret out those few ingredients that make your offering awesome & unique, which both audiences value. You want the stuff that overlaps, which will help you create a specific value proposition that reinforces your primary aim (of driving conversions), while avoiding the same generic message showing up on each of your competitor’s Web sites.