Web beacons on websites and in e-mail

There is a vast number of trackers, which gather information about users’ activities online. For all intents and purposes, we have grown accustomed to online service providers, marketing agencies, and analytical companies tracking our every mouse click, our social posts, browser and streaming services history. The collected data can be used for improving their user interfaces or the overall user experience, or to personalize ads.

There are various types of trackers, each meant for collecting a different kind of information: advertising (AdAgency) trackers, analytics (WebAnalytics) trackers, and so on. Most of these are used on websites and inside applications. There are more versatile trackers too, used on websites, inside applications, and even in e-mail. This article describes one of these tracker types: web beacons. We show which tracking systems’ and companies’ web beacons our security products (anti-tracking browser extensions and antispam technology) detect most often.

What web beacons are

Web beacons, or web bugs, also known as tracker pixels or spy pixels, among other names, are tracking elements used on web pages, inside applications and in e-mail for checking that the user has accessed certain content (opened an e-mail or visited a web page). Their main purpose is to collect statistics and build analytical reports on the user’s activities.

Web beacons on websites track visitors. Analytical marketing agencies or website owners themselves can use these to measure how well certain content or promotional campaigns performed, or how their audiences responded. Some websites use tracker pixels as watermarks for their content, for example, to track down illegal copies.

The main purpose of web beacons in e-mail, just as those on websites, is to count users who interact with the content. For example, tracker pixels can be used to make a report on e-mail open rates. These help companies to find out which e-mail campaigns their users find interesting and which they do not. For example, if an e-mail campaign sees declining open rates, the company may choose to either replace the subject with something more eye-catching or clickbaity, or on the contrary, make it more matter-of-fact and informative.

How web beacons work

A beacon on a web page is typically an image that loads from an external source. The size is usually one or even zero pixels, so it is invisible to the human eye. Hence the name: “spy pixel”. Additionally, the CSS display property can be set to “none” (do not display) to hide the image. Less common are JavaScript beacon implementations, such as the Beacon API: an interface that allows sending requests to a server without expecting a response.

Example of web beacon location in the HTML code of a website

E-mail web beacons are implemented in a similar way: invisible images are placed within the e-mail body, or JavaScript code is added in an HTML attachment.

Example of web beacon location in the HTML part of an e-mail

When the web page or e-mail is opened, a request is sent to the web beacon server. If the web beacon is an image, the request is to load this image. Otherwise, it is a request specified in the JavaScript code, usually one that doesn’t require a response. The following information is typically communicated to the server:

  • Date and time of opening the web page or e-mail
  • Operating system version
  • Browser or e-mail client type and version
  • Screen resolution
  • IP address

Example of user data transmission
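
The hiding techniques described in this section, as an added example (not code from the article or from the products it mentions): a small Python scanner that flags remotely loaded images that are 0-1 px in size or hidden with inline CSS. The sample HTML, the host names and the `find_beacons` helper are constructed for illustration, and comparing hosts by exact match is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an image or shrink it to 0-1 px.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|!|$)", re.I)
TINY_ATTR = re.compile(r"\s*[01]\s*(?:px)?\s*", re.I)  # width/height of 0 or 1

# Constructed sample: HTML part of a marketing e-mail (all hosts are made up).
SAMPLE_EMAIL_HTML = """
<img src="https://cdn.shop.example/logo.png" width="200" height="60">
<img src="cid:banner" width="1" height="1">
<img src="https://track.esp.example/open?m=abc123" width="1" height="1" alt="">
<img src="//stats.example/p.gif" style="display: none" />
"""

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that are hidden or 0-1 px in size."""
    def __init__(self, first_party_host=None):
        super().__init__()
        self.first_party_host = first_party_host  # None: e-mail, any remote image is external
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname  # None for relative, cid: and data: sources
        if host is None or host == self.first_party_host:
            return  # embedded or same-host image: no third-party request
        reasons = []
        if any(TINY_ATTR.fullmatch(a.get(k) or "") for k in ("width", "height")):
            reasons.append("0-1 px size attribute")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden or 0-1 px via inline style")
        if reasons:
            self.findings.append((src, reasons))

def find_beacons(html, first_party_host=None):
    finder = BeaconFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for src, why in find_beacons(SAMPLE_EMAIL_HTML):
        print(src, why)
```

For a web page, pass the page's own host as `first_party_host` so that same-host spacer images are not reported.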

The most common website and e-mail beacons

We have analyzed the web beacons detected by our systems in December 2022, and ranked the twenty companies whose beacons our users encountered most often while browsing websites or opening e-mail messages.

Twenty most common beacons on websites

This section uses anonymous statistics collected from December 1 through 31, 2022 by the Do Not Track (DNT) component, which blocks loading of website trackers. DNT, which is disabled by default, is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud. The statistics consist of anonymized data shared by users with their consent. We have compiled a list of the twenty companies whose content DNT detected most frequently around the world. One hundred percent represents the total number of DNT detections triggered by these twenty systems.

Most of the twenty companies according to DNT have at least some connection to digital advertising and marketing. For example, Aniview, in sixth place with 2.68%, specializes in video advertising. OpenX (2.19%), Taboola (1.63%), Smart AdServer (1.55%), and many others are advertising or marketing agencies.

Even tech giants, such as Google (32.53%), Microsoft (21.81%), Amazon (13.15%) and Oracle (2.86%), who lead in our rankings, operate marketing and advertising subsidiaries, and product enhancement is far from the only reason why they use web beacons.

Twenty most common website beacons in December 2022

Twenty most common beacons in e-mail

This section presents anonymized Anti-Spam detection data from Kaspersky users’ devices. The Anti-Spam component is part of Kaspersky Security for Linux Mail Server, Kaspersky Security for Microsoft Exchange Server, Kaspersky Secure Mail Gateway, and Kaspersky Security for Microsoft Office 365.

Unlike the website beacon rankings, the list of the most common e-mail beacons is not dominated by big tech: Adobe Analytics (4.49%) is eighth, and Google (3.86%) and Microsoft (3.18%) have even humbler shares. The fairly large number of companies specializing in e-mail marketing could explain that. These companies can be broken down into two categories:

  • Email service providers (ESP): companies that manage and maintain e-mail campaigns for their clients.
  • Customer relationship management (CRM): companies that specialize in building platforms for managing every type of customer communications at various stages in the sales process.

The tech giants own major advertising networks that are used by most websites, and hence their trackers dominate these websites, whereas ESP and CRM companies manage most e-mail campaigns, and so their trackers dominate e-mail. ESP and CRM beacons collect user data to track their responses to e-mail campaigns: the percentage of users who open the messages, how the open rate changes from region to region, and so on. Most of the beacons we detected in e-mail traffic were by Mailchimp (21.74%) and SendGrid (19.88%), two major American e-mail marketing players.

Besides ESP and CRM, our e-mail beacon rankings included the large Japanese online retailer Rakuten (5.97%), the business networking website LinkedIn (4.77%), the ride-hailing platform Uber (1.49%), and Booking.com (0.56%), a major accommodation booking service. These companies share their reasons for using web beacons with the ESP and CRM players: to evaluate e-mail campaign impact and collect aggregate user statistics.

Twenty most common web beacons in e-mail, December 2022

Conclusion

Companies strive to collect as much data on their users as they can, to add as much detail to each user profile as possible, so that they can personalize their offerings, and sell their goods and services more efficiently. Various tracking systems enable companies to track users on websites, inside applications, and in e-mail.

Rather than outsourcing these services, many large companies are able to set up advertising subsidiaries of their own, selling the same services as advertising specialists do. They often merge their information about users obtained from diverse sources to enrich and extend each user profile that they already have. Meanwhile, others use the services of the Internet giants, marketing agencies, ESP and CRM companies, helping these to amass even more data.

Users would find it difficult, if possible at all, to track down where their data ends up. What is more, you may sometimes not even notice that data is being collected. Beacons on websites and in e-mail are invisible to the user, and companies that put them there give no warning, as opposed to cookies. The beacons, meanwhile, allow the companies to find out how many times the users visited the website, where they came from, and who opened the e-mail, when and where. By gathering all that information on a regular basis, one can get an idea of not just the user’s reaction to specific e-mail messages or landing pages, but also the user’s habits, such as when they typically get online.

If cybercriminals were to obtain that information, for example, as a result of a leak, they could use it for their own purposes. In particular, they could try hacking your online accounts or send fake e-mail in your name if they found out your usual offline hours. Moreover, attackers use the web beacon technology too. It is worth adopting at least minimal anti-tracking measures to protect yourself from unwanted attention by companies, let alone cybercrooks. You can install a special browser extension that prevents loading of trackers on web pages and configure your browser for increased privacy. Many VPN services offer tracker blocking as an added feature. When it comes to e-mail, you can prevent images from loading automatically. Even if you do open an e-mail that contains a spy pixel, it will not be functional, as any images (a web beacon is an image too) will not load unless you explicitly permit it. As for more advanced JavaScript beacons, these are located in the attachment and only load once you open that.
