General security

Tracking user activities using web bugs

Bhavesh Naik
November 25, 2013 by
Bhavesh Naik

We live in a world where we're connected to each other by a mouse click and a few keystrokes. It's a revolution that changed the way we live our lives and run our businesses. It affects us in ways that we had never imagined before.

The internet gave us the opportunity to have information delivered right on our monitors rather than going through books, which is time consuming. Businesses have always benefited from the use of the internet so that they're now able to offer their products and services online. People can purchase these through credit cards, and online banking systems (e.g. PayPal, Bitcoin) without even having to step foot into a store. Everyone has benefitted from the use of the internet, from the common man to large scale industries and organizations.

Our lives are connected to the digital world wherein people who use the internet call themselves "netizens." We all know by now that all netizens need not be on the good side of the law. There are a thousand or more cyber crooks, criminals, hackers, and script kiddies who use online services to target and disrupt lives of innocent internet users using various methods, such as:

  • Phishing
  • Exploiting web vulnerabilities like XSS, CSRF, Clickjacking , etc.
  • Zero day exploits
  • Authentication bypass related vulnerabilities
  • Spamming, etc.

In order to track the activities of malicious attackers, there are various methods which can be deployed on websites to monitor web activity. One such method is by using web bugs.

Web bugs are small images (e.g. .gif, .jpeg, .png) that companies and organizations use in their web pages, e-mails and other HTML supporting documents to track information about the users who are using their online web services.

Web bugs aren't always intrusive. For example, they may be used by companies to keep track of the number of hits their site is receiving each day, or total number of active users on a forum.

Whereas there are web bugs that are intrusive in nature. These web bugs can be used to track the internet activity of a user by logging data to a backend server.

Information collected when a web bug is viewed:

  • IP address of the client who visits the web page
  • The URL of the web page where the web bug is located
  • URL of the web bug image
  • Time when the web bug was visited/viewed
  • User Agent of the client who viewed the website
  • Previously set cookie value

How to find a web bug on a web page?

Most tech savvy web surfers know they are being tracked once they see a banner advertisement. But people cannot see web bugs, and anti-cookie filters don't catch them. So web bugs rnd up tracking surfers in areas online where banner ads aren't present, or on sites where people may not expect to be trailed.

In order to find a web bug, you need to look at the HTML page source code of the given target webpage. For demonstration purposes, we'll look into the HTML source of a webpage:

Check out the highlighted <img> tag in blue. You'll notice that the source of the image file isn't an image itself, but a PHP file.

Let's get back to the page view in the browser. To an ordinary eye, the page looks like this:

In order to see the web bug, you need to magnify the page by zooming. In Mozilla Firefox, press Alt > Press View on the menu bar > Select Zoom > Select Zoom-I. Repeat that procedure for five to eight times. Alternatively, you can also press the key combination "CTRL & +" repeatedly for five to eight times to zoom in. Now, hover the cursor over the website and click anywhere on the page. Press "CTRL + A" to select all the text within the web page. You'll notice a tiny dot in blue, highlighted on the webpage:

As you can see, these web bugs are one pixel sized images, which cannot be seen to the naked eye unless you zoom.

Unfortunately, even looking for these signs is no guarantee that you'll spot a web bug, since it could be on any image on the page.

Looking for web bugs in email messages:

The sender of the message already knows your email address. They also include the email address in the web bug URL. The email address can be in plain text or encrypted. For example, here are two web bug examples in the junk email below:

<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp? vid=3&catid=370153037&email=test %40example.net" alt=" ">

OR

<IMG SRC="http://email.bn.com/cgi-bin/flosensing? x=ABYoAEhouX">

Placing web bugs into a web forum:

There are many web forums which allow users to place images in their posts and signatures. You need to look at the forum's documentation to see if they have a tag to insert an image into a post. One example would be:

code:

[img]http://w1.example.com/webbug.php[/img]

Certain forums look at the file type embedded in the tags, and then disallow you to insert images. There's a workaround for that issue. First, insert the filename followed by file type as an image file.

code:

[img]http://w1.example.com/webbug.bmp[/img]

Now, in your apache configuration, you need to set up a redirect. You need to add the following line in the httpd.conf file to do that:

code:

Redirect /webbug.bmp /webbug.php

Are all invisible images web bugs?

The answer to this question is no. Some invisible images are also used for alignment purposes on webpages. A web bug will typically be loaded from a different web server than the rest of the page, so they are easily distinguished from alignment images.

Uses of web bugs on web pages:

Advertising companies use this technique to add information to a personal profile of which sites a person is visiting. The personal profile is then identified by the user's browser cookie of the ad network. Later, this personal profile is stored on the advertising company's database servers. That determines which banner or ad is to be displayed to that particular user.

Another use of web bugs is to determine the exact number of people who visited a particular webpage, thread, etc.

Web bugs are also used to gather statistics about web browser usage at different places on the internet.

Use of web bugs in emails:

A web bug can be used to find out if a particular message has been read by someone, and if so, when the message was read.

A web bug can provide an IP address of the email recipient, if the recipient wants to remain anonymous.

In an organization, a web bug can be deployed to give an idea of how often a message is being forwarded and read.

Use of web bugs in the "junk" folder of a email service:

They're used to measure the number of people who've received the same email message from a marketing campaign.

They can be used to detect if the user has viewed the message in the junk folder or not. If not, then the messages are removed from the mailing list for future mailing.

They're also used to sync between browser cookies and the email address. This allows websites to know the identity of people who visit a site at a later time and date.

Privacy concerns related to web bugs:

Web bugs are controversial. Because web bugs allow people to be monitored by third parties, they can be upsetting. Most people will be troubled to learn that an outsider is tracking them when they read their email.

Web bugs are rarely mentioned in companies' privacy policies. The general practice of online profiling by third party ad networks should also be mentioned in privacy policies.

But privacy advocates see an insidious side to the tiny tag.

"The danger of that is that if you were going to a site on yeast infections, the second it loads up, before the screen loads, somewhere in the world the fact that you visited the site is now registered. That's the evil of web bugs," said Ira Rothken, a lawyer at the technology-oriented Rothken Law Firm, based in San Rafael, California.

The problem is magnified, he said, when a company can tie your cookie number to personal identifying information, such as a phone number and street address.

The other side of the coin is that web bugs, like cookies, can be useful. For consumers, cookies can store passwords and other sign-in information. For websites, web bugs can help better manage content by knowing what's effective. They also give online ad agencies a way to track campaigns when a banner isn't present.

According to http://www.policymic.com, since 2005, the FBI has been using web bugs that can gather a computer's internet protocol address, lists of programs running, and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington, for example.

Preventive measures:

Preventing web bugs in email is pretty simple, just look in your email client's documentation for how to disable HTML email or block external images. Some web email services like Gmail disable external images by default, which is a good thing. Some newer mail clients are also set to default to not load any image from outside sites.

Completely blocking web bugs in regular webpages is close to impossible, barring disabling images altogether. Tools like Bugnosis ( http://www.bugnosis.org ) for IE, and the Ad Block ( http://adblock.mozdev.org/ ) for Firefox can be of some help by choosing to block known web buggers. Anti-spyware tools such as Ad Aware and Spybot Search and Destroy can help find and destroy the cookies left by some web bugs.

Creating your own web bug in PHP:

Save this PHP script as webbug.php. The script detects the OS, IP address, user agent, port address, language, and encoding type and stores them into a MYSQL database.

Note: Please modify the script and tables accordingly.

[php]

'Win95' => '(Windows 95)|(Win95)|(Windows_95)',

'WinME' => '(Windows 98)|(Win 9x 4.90)|(Windows ME)',

'Win98' => '(Windows 98)|(Win98)',

'Win2000' => '(Windows NT 5.0)|(Windows 2000)',

'WinXP' => '(Windows NT 5.1)|(Windows XP)',

'WinServer2003' => '(Windows NT 5.2)',

'WinVista' => '(Windows NT 6.0)',

'Windows 7' => '(Windows NT 6.1)',

'Windows 8' => '(Windows NT 6.2)',

'WinNT' => '(Windows NT 4.0)|(WinNT4.0)|(WinNT)|(Windows NT)',

'OpenBSD' => 'OpenBSD',

'SunOS' => 'SunOS',

'Ubuntu' => 'Ubuntu',

'Android'=>'Android',

'Linux' => '(Linux)|(X11)',

'iPhone'=>'iPhone',

'iPad'=>'iPad',

'MacOS' => '(Mac_PowerPC)|(Macintosh)',

'QNX' => 'QNX',

'BeOS' => 'BeOS',

'OS2' => 'OS/2',

'SearchBot'=>'(nuhk)|(Googlebot)|(Yammybot)|(Openbot)|(Slurp)|(MSNBot)|(Ask Jeeves/Teoma)|(ia_archiver)'

);

$uagent = strtolower($uagent ? $uagent : $_SERVER['HTTP_USER_AGENT']);

foreach($oses as $os=>$pattern)

if (preg_match('/'.$pattern.'/i', $uagent))

return $os;

return 'Unknown';

}

$osman=os_info($uagent);

//SQL connection

$con=mysql_connect("localhost","","");

if(!con)

{

die('Could not connect '.mysql_error());

}

mysql_query("use test;");

$sql="insert into test values('$ip','$osman','$port','$encode','$lang')";

mysql_query($sql,$con);

mysql_close($con);

?>

[/php]

Inserting the web bug into your webpage:

Use the following tag to insert the web bug in your website. Copy and paste the following HTML code into your web page.

<img src='webbug.php' width='1' height='1' >

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Bhavesh Naik
Bhavesh Naik

Bhavesh is a Certified Ethical Hacker and Security + certified. Currently, he is pursuing Final year BSc in Information Technology. The upcoming goal for him is CISSP. He is interested in cyber forensics, pentesting, information security. He wishes to do his Masters in Information Security in upcoming years.