Spyware :: Threats :: Web Bugs




What are WebBugs?

A web bug is normally a graphic placed within a webpage or email message. They are typically 1 pixel by 1 pixel transparent image (clear gif) hence making them invisible to the user, they do this to hide the fact the there is some monitoring going on. The monitoring can be carried out because the image is required from an external server. Whereas this may seem like not much of a privacy issue, it is possible to use web bug to find out if an how many times an email was read, at what time, the IP address and further information. This is particularly worrying with the increase in Spam (unsolicited email) messages being sent. Spammers can use Web Bugs to their advantage to find out immediately which of their bulk messages have been read, therefore revealing if the email address is being used (active). Active emails are usually sold in bulks to other spammers and are valuable to them.

The graphic used doesn't need to be invisible on the page, it could be any image if it's used for monitoring. However they are not only used within email, websites can make use of web bugs for many reasons. Typically, because the graphic is obtained from an external server, This means this server will have access to it's cookies stored on the users system (using 3rd party cookies). Therefore some advertising companies can make use of Web Bugs to find out what site you've visited. Web Bugs may also be used within websites to provide an independent counter.

In theory it would also be possible to place a web bug within a Word Document as it allows html within a document and also allows images to be retrieve from an external server. This could be useful maybe if the document was supposed to be kept private. You could in theory find out if the document had 'leaked' by finding out how many different ip addresses had looked at it.

Web Bug Example

Below is an example of a web bug I found simply searching though my Spam email for a few minutes.

<IMG SRC="http://www.rd00.com/rd.php?amp;sid=GMP30198306&lid=10324" WIDTH=1 HEIGHT=1 target="_blank">

It can be seen that the 'image' to loaded comes from an external server. www.rd00.com. No doubt that the sid and the lid arguments that get transmitted along with the image using PHP can be used to uniquely identify my email address. So the spammer could easily find out that I have indeed read the message and therefore mark me as active and send me more messages in the future.

Test

To examine just how easy it is to send a Web Bug within an email I'm going to send an email to myself and check to see if the time accessing the Web Bug actually corresponds to the time I opened and read the message.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD></HEAD>
<BODY>
<IMG height=1 src="http://www.adoko.com/mybug.gif" width=1 target="_blank">
This email tests the use of a Web Bug.
</BODY>
</HTML>

The body of the email contained the code given above. I used a 1x1 gif file (although is could have been a visible image). I sent the email at 9:00am and viewed the email twice once at 9:40am and again at 9:45am. All I have to do next was to search though my log files for my domain, to see exactly what information I can find out about mybug.gif. Here are the results;

2003-06-02 09:39:13 W3SVC110 NTXPW04 212.227.124.8 GET /mybug.gif - 80 – 212.24.161.236 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - -

The log file gave plenty of information, the first line contained the time I read a mail, the 3rd line give the location of the image and the image name requested of my server, although if this was used for mass mailing you could use php or asp send back the image and append a unique number as an argument. The fourth line gives my IP address along with my browser and operating system info. Immediately you can see just how useful this could be for spammers, or for someone wanting to find out my ip address without the recipient even needing to reply to the message. It could also be used by an organisation to find out how many time an email address has been opened and forwarded.

Prevention

Web bugs are difficult to protect against for a number for reasons, the very nature of html code allows linking of content from external servers. Linking between pages is partly what has made html so successful. So preventing content from external servers would seriously restrict your browsing. Also most servers have the facility for creating log files, normally these files log every request from the server by stating the time, destination ip, file requested, and browser/operation system information. Web Bugs really make use of a system that's already in place. Also invisible gifs do have a valid use as they can be used for alignment purposes, sometimes called spacers to correctly position text or images accurately on a webpage. Normally these gifs are easy to differentiate from a web bug because a web bug will come from an external server.

Ways to Prevent Web bugs

Find out what information about my system is sent by my browser?.