Imagine you walk into a shopping mall and a stranger starts following you around the place. They make detailed notes of what stores you visit. If you take a promo flyer, they try to look over your shoulder to see if you read it closely enough. When you’re in a store, they use a stopwatch to measure the exact time you spend at each shelf. Sounds absurd and somewhat obnoxious, doesn’t it? Unfortunately, that’s exactly what happens every time you visit a major website, view e-mail from online stores or services, or use their official mobile apps. The person with the stopwatch is analytics systems connected to virtually every website, application, and e-mail campaign.
Why do companies need this data? There are several reasons:
- To know your preferences better, and to suggest products and services that you’re more likely to buy. This is where the annoying bike ads come from, following you around two months after you visit a cyclists’ website;
- To add more effective text and images to websites and e-mail messages. Companies test various caption, header and banner options, choosing the ones which customers focus on more;
- To identify the most popular sections of a mobile application or website, and how you interact with them;
- To test new products, services, and features;
- To sell user behavior and preference data to other companies.
In a detailed Securelist post, we examined the statistics on the busiest of “spies”: Google, Microsoft, and Amazon – the hungriest for (your) data by a wide margin.
How web beacons and tracker pixels work
The tracking activities described above are based on web beacons, also known as tracker pixels or spy pixels. The most popular tracking technique is to insert a tiny (so tiny as to be practically invisible) image – sized 1×1 or even 0x0 pixels – into an e-mail, application, or web page. When your screen displays information, your e-mail client or browser requests to download the image from the server by transmitting information about you, which the server records: the time, device used, operating system, browser type, and page the pixel was downloaded from. This is how the operator of the beacon learns that you opened the e-mail or web page, and how. A small piece of code (JavaScript) inside the web page, which can collect even more detailed information, is often used instead of a pixel. Either way, the tracker is not visible in the e-mail message or on the website in any way: you simply cannot see it. Yet such beacons placed on every page or application screen make it possible to “follow you around” by tracking your navigation route and the time you spend at each stage of that route.
Cybercriminals and web beacons
Marketing agencies and tech companies are not the only ones that use web beacons: cybercriminals use them too. Web beacons are a convenient way of conducting preliminary reconnaissance for targeted e-mail attacks (spear phishing, business e-mail compromise). They help cybercrooks find out what time their victims check (or don’t check) their mail to choose the best time for an attack: it’s easier to hack users’ accounts or send fake e-mails in their name while the user is offline.
User information, including behavior and interest data, can get leaked in the wake of a hacker attack. Even market leaders such as Mailchimp, Klaviyo, or ActiveCampaign, sometimes experience these kinds of leaks. The stolen information can be used for various scams. For example, hackers that attacked Klaviyo stole lists of users interested in cryptocurrency investing. A specialized phishing tactic can then be used to target that audience and swindle them out of their crypto.
Protecting yourself from tracking
We cannot control leaks and hacks, but we can make sure that tech giants’ servers collect as little data about us as possible. The tips below can be used separately or combined:
- Block automatic loading of images in e-mail. When you set up e-mail on your phone, computer, or in a web-based client, make sure you enable the setting that blocks automatic image display. Most e-mail makes sense even without the pictures in it. Most e-mail clients add a “show images” button right above the e-mail body, so loading the pictures if you really need to takes just one click;
- Block web trackers. Most web beacons can be prevented from loading. You can find Private browsing settings in Kaspersky security products. The Firefox browser lets you enable and fine-tune Enhanced Tracking Protection. Specialized privacy plugins are available in the Chrome, Firefox and Safari catalogs of officially recommended extensions. You can find these by entering privacy or tracking protection in the search bar;
- Protect your internet connection. Tracking protection works well at operating system or home router level. If you block web beacons on your router, they’ll stop working not just in your e-mail and on web pages, but also inside applications and even on your smart TV. To do this, we recommend that you enable Secure DNS in the operating system or router settings, and specify a DNS server that blocks trackers. A VPN connection can sometimes provide tracking protection too. If this is the handier option for you, make sure that your VPN provider does in fact offer a tracker blocking service.