Possible to Get Malware by Just Opening an Email?

  • Thread starter kyphysics
  • #1
241
195
I've been getting emails from an "hq@bill.com" address that have looked suspicious. The titles usually say something like: "Invoice prepared for you and will become payment."

Usually, I just delete them. Today, my mouse/hand slipped and I accidentally hovered over and clicked onto that email. Once inside, I saw that it said that an invoice and bill payment were prepared for me and would be sent out and processed. There were links in the email to see for myself.

I never clicked on any links, nor downloaded anything. I only opened the email (by accident). Afterwards, I marked as spam and deleted the email. I Googled the sender and apparently some Google searches returned that this was possibly a known scammer that will download malware to your computer if you go to the links they send.

In my case, I never clicked any links, nor made any downloads. Would that mean my computer is safe? Thanks for your help.
 

Answers and Replies

  • #2
mathman
Science Advisor
7,956
498
Probably safe, but you should run malware and virus checks.
 
  • Like
Likes Astronuc, FactChecker, jim mcnamara and 1 other person
  • #3
Wrichik Basu
Insights Author
Gold Member
2020 Award
1,779
1,609
Would that mean my computer is safe?
Most probably yes.

Most email clients have an option "Mark as spam". If you mark this email as spam, then further emails from that address will automatically land up in your spam box, and you won't be opening them even accidentally in the future.
 
  • Like
Likes FactChecker
  • #5
Wrichik Basu
Insights Author
Gold Member
2020 Award
1,779
1,609
Running a new scan...but these take hours on my computer for some reason. ...so slow....!!
A full system scan will take hours. This is normal.
 
  • #6
341
238
It's possible if the e-mail had embedded pictures which are actually links to an external site, it's best to just not open the e-mail at all.
 
  • Like
Likes kyphysics and jim mcnamara
  • #7
241
195
It's possible if the e-mail had embedded pictures which are actually links to an external site, it's best to just not open the e-mail at all.
In Gmail (and all email accounts), I always set my display to not showing pictures/images without my permission.

I had really bad malware in the past and on a separate forum of computer science/programming experts, people said you should change your email image settings to not load them by default. Would that have avoided any issues here if there were what you called "embedded pictures" in my mail?
 
  • #8
341
238
That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.
 
  • #9
241
195
That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.
Sounds scary. But, let me ask this then. Suppose someone placed such an "invisible pixel" picture into that email I opened by accident. And suppose my don't display images setting didn't weed it out.

You're saying the image/pixel would still "load" ...but would it do anything from there if:

a.) I didn't click on it (although, I guess I wouldn't easily know if it's so small/invisible).
b.) I didn't see my webpage transition from the email to another page (I don't believe it did from my memory of things - I think I just deleted the email immediately).

Would you have to literally see your page go to that "bad web page" before anything bad would happen with these invisible pixel pictures?
 
  • #10
341
238
E-mails these days are generally delivered in the html format, the same format as web pages. Pictures in the e-mail can be included as part of the e-mail itself, or they could be a link to a picture on an external web server. You do not need to actually visit/browse that other site, merely the act of loading that image can trigger the malware install. That invisible pixel if loaded is enough to infect you.

This is why Outlook has the "do you want to load pictures" messages at the top of e-mails.

These "invisible" pixels are also used to place tracking cookies on your computer by advertisers when you visit web pages.

If you want to be 100% safe, you can set e-mails to only show as text instead of html. That though will be counterproductive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)
 
  • #11
jack action
Science Advisor
Insights Author
Gold Member
2,173
3,574
An email is basically a harmless text file divided into 4 sections (select 'View source' to see the text file):
  1. Headers
  2. Text version (Content-Type: text/plain)
  3. HTML version (Content-Type: text/html)
  4. Attachments (Content-Disposition: attachment)
From the email client's point of view, the headers should be pretty harmless, other than sending bad information (wrong date, wrong sender, etc.).

The text version of the email is also harmless, as any email client takes it as pure text. It may not be present though.

The HTML version, if present, is also harmless IF you do not allow remote content to be fetched. The email client will use the HTML for formatting but won't download anything from given sources (for example, images). The links will be clickable, but you are on your own if you click on them (It is the same thing as if you copied the linked address and pasted it into your browser). By clicking on them, the worst that can happen is most likely that they will know you clicked on them (by inserting a unique ID identifying your email in the query). But it can be worse (see stegosploit below).

The attachments are also harmless from the email client's point of view (just binary data, presented as text). But if you click on them the email client will send the data to the appropriate program (a PDF reader, for example) that will open them automatically. And that is when the problems can happen. The 'bad stuff' is done with this external program.

Would you have to literally see your page go to that "bad web page" before anything bad would happen with these invisible pixel pictures?
Just to scare you a little bit more, look for stegosploit:
"I don't need to host a blog, I don't need to host a website at all. I don't even need to register a domain," Shah told Motherboard during the demo last week. "I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate."
 
  • Like
Likes russ_watters
  • #12
anorlunda
Staff Emeritus
Insights Author
9,601
6,681
Below, you see the setting in Google's gmail.

1623072919008.png
 
  • #13
241
195
The attachments are also harmless from the email client's point of view (just binary data, presented as text). But if you click on them the email client will send the data to the appropriate program (a PDF reader, for example) that will open them automatically. And that is when the problems can happen. The 'bad stuff' is done with this external program.


Just to scare you a little bit more, look for stegosploit:
Thanks for the re:, JA. That's an interesting email breakdown!

By the way, I'm not 100% sure I understand what a stegosploit is. . .In the quote it says he can just upload it "anywhere" and then point someone to it. Like, what does that mean? Upload it ...on a webpage?...."Point" someone to it? Like, how? Tell them to go to that webpage?

As for downloads, what if you don't download the PDF file, but get like a preview/view of its contents? This isn't in email, but I'm thinking of some other context where sometimes you can view a document (even in its entirety) without downloading it. I'm not tech literate, so forgive the crude, potentially non-technical terms, but suppose you come across a file (say, a letter)...be it in email or elsewhere...and you can see it through a "reader." Would you be exposed to malware just by "reading" it that way w/o actually downloading it? Do you know what I'm talking about? This is pretty common......I've done it many times. You can read stuff w/o downloading.
 
  • #14
341
238
What is opening the document to preview it? If it's infected and it's being opened on your PC to preview it then yes you're still susceptible, if it's opening remotely on a web server and that web server is just sending you a web page after it opens the document for you at its end then you're fine. It's very hard to know which way around it's actually being done though, all depends how it's programmed.
 
  • #15
241
195
What is opening the document to preview it? If it's infected and it's being opened on your PC to preview it then yes you're still susceptible, if it's opening remotely on a web server and that web server is just sending you a web page after it opens the document for you at its end then you're fine. It's very hard to know which way around it's actually being done though, all depends how it's programmed.
Interesting/good distinction, MM. Thanks for the re:. In email, if I get an attachment from a trusted source, I click on it.

That clicking on it "opens it up" (if one can use that phrasing - again, I'm not a tech person here, so apologies for wording) and I can then view it without having downloaded the file. That example comes to mind for things I've done a lot. Literally just happened recently. Someone I knew sent me a document and I never DL'd it...just clicked to view. ...That was in my Gmail. Not sure how they do things.

It's also happened in non-email settings. This is the one I'm scared of and will post a separate thread about (as it's a long story and I may be the victim of fraud).
 
  • #16
341
238
If you opened it in gmail it's probably opened it at the server side so you should be safe.
 
  • #17
anorlunda
Staff Emeritus
Insights Author
9,601
6,681
In email, if I get an attachment from a trusted source, I click on it.
And that is the basis for another kind of danger called phishing. A phishing email disguises itself to appear as if it came from your trusted source.
 
  • Like
Likes jack action
  • #18
jack action
Science Advisor
Insights Author
Gold Member
2,173
3,574
Upload it ...on a webpage?...."Point" someone to it? Like, how? Tell them to go to that webpage?
Below you have an image. You are on this PF webpage and you see it, thus you downloaded it. It was read and if malware was present, it would have been executed.

But you could download it directly through this link, which doesn't go to a website, but points directly to the original image file, on the server where it is stored.

If you had a browser that doesn't render images, by clicking on the link, you would be prompted to save it somewhere on your computer (Same as 'Save Link As ...'). No harm done, you still haven't opened it, even if you saved it on your computer. But if you have a browser that renders images (like most browsers), it will recognize that it is an image and render it automatically. The image file was opened and read; if there was a hidden program, it would have been executed.

aerodynamic-forces.gif
As for downloads, what if you don't download the PDF file, but get like a preview/view of its contents?
If you selected to not show remote content, I doubt an email client would show previews of attached files.
 
  • #19
DaveC426913
Gold Member
19,771
3,020
E-mails these days are generally delivered in the html format, the same format as web pages. Pictures in the e-mail can be included as part of the e-mail itself, or they could be a link to a picture on an external web server. You do not need to actually visit/browse that other site, merely the act of loading that image can trigger the malware install. That invisible pixel if loaded is enough to infect you.

This is why Outlook has the "do you want to load pictures" messages at the top of e-mails.

These "invisible" pixels are also used to place tracking cookies on your computer by advertisers when you visit web pages.

If you want to be 100% safe, you can set e-mails to only show as text instead of html. That though will be counterproductive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)
Yes. My email defaults to not showing embedded images for just this reason.
You would do yourself good to find and enable this security feature.

However, it does not really rise to the level of dangerous malware. It gives them information about you (that you opened their email), and confirms they have a legit email address (that they could sell on), but it won't directly injure your computer.
 
  • #20
DaveC426913
Gold Member
19,771
3,020
In my case, I never clicked any links, nor made any downloads. Would that mean my computer is safe?
The simple (unqualified) answer is: you're safe.

Naturally, there are concerns that posters are bringing to your attention, and a scan for malware wouldn't hurt.

But I preview suspicious emails (inadvertently or advertently) all the time. It does not harm my system, and I don't do a scan each time.
 
  • #21
241
195
If you want to be 100% safe, you can set e-mails to only show as text instead of html. That though will be counterproductive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)
Quick follow-up on this part. Would the "show only as text, instead of html" thing be the same as what Anorlunda is showing in Gmail in Post #12?

That's what I do in Gmail, but wasn't sure if that was the equivalent of what you're saying here. I browsed Gmail's settings and don't see a separate button for doing what you said (word for word)...so wondered if that was essentially what Anorlunda was showing (which, again, I do currently do). TY!
 
  • #22
241
195
Yes. My email defaults to not showing embedded images for just this reason.
Dave, I wanted to ask you the same question as above to MM. Is this essentially what Anorlunda is doing in Post #12's picture?
 
  • #23
241
195
Below you have an image. You are on this PF webpage and you see it, thus you downloaded it. It was read and if malware was present, it would have been executed.


If you selected to not show remote content, I doubt an email client would show previews of attached files.
Hmmm. ...That sucks. Would PF not have something to sense a virus in the picture and not let it post? Lots of people on this forum post pics! :nb)

re: your last sentence, sorry if I may have been confusing...I meant in cases where I clicked on an attachment in Gmail and it showed me the image w/o downloading it. It can often be a "distant" image at first, but you can zoom in. But, in these cases, I did click the attachment first. I agree that it probably wouldn't just preview it for me w/o doing that. Off the top of my head, I can't remember that ever happening (i.e., I seem to always have had to click first).
 
  • #24
f95toli
Science Advisor
Gold Member
3,198
683
That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.
Tracking pixels are also used by perfectly legitimate companies who use this to "track" if you've opened the e-mail. It is just part of their regular marketing and is in no way dangerous to your computer.
The way it works is that the image link is unique to the e-mail that was sent to you; meaning the server can detect if/when the image is downloaded; that way they can tell that the e-mail has been opened (and hopefully read).

AFAIK all professional e-mail systems use either tracking pixels/images to gather statistics about their marketing campaigns.
It can also be used by companies to check if important e-mails are actually being read, if e.g. your bank notices that you never open e-mails from them despite having signed up to go "paperless" they might revert to sending you important messages by regular post.

Anyway, you might not like systems for "tracking", but in this context they are not inherently nefarious.

Generally speaking, modern e-mail clients are very safe and should never automatically do anything dangerous; it is only when YOU click on a link or open an unsafe attachment that things can get dangerous.

Also, most common formats are perfectly safe to view/preview: you can't "attach a virus" to a regular image file (or even a PDF).
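
The email layout from post #11 (headers, text part, HTML part, attachment) and the per-recipient image link described in the post above, shown as an added example that is not code from any poster in this thread. The message, addresses, URLs and the `u-1234` ID are all constructed; `inspect` and `ImgScan` are names chosen for this example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address, URL and ID here is made up.
RAW = """\
From: "Billing" <billing@sender.example>
Subject: Invoice prepared for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: https://sender.example/inv?id=u-1234
--alt
Content-Type: text/html; charset="utf-8"

<a href="https://sender.example/inv?id=u-1234">View invoice</a>
<img src="cid:logo@sender.example" alt="logo">
<img src="https://track.sender.example/o.gif?id=u-1234" width="1" height="1">
--alt--
--outer
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--outer--
"""

class ImgScan(HTMLParser):
    """Sort <img> sources into remote (fetched on display) and embedded."""
    def __init__(self):
        super().__init__()
        self.remote, self.embedded, self.pixels = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        if urlparse(a["src"]).scheme in ("http", "https"):
            self.remote.append(a["src"])   # fetched only if remote content is allowed
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.pixels.append(a["src"])  # invisible 1x1 tracking pixel
        else:
            self.embedded.append(a["src"])  # cid:/data: content travels inside the mail

def inspect(raw):
    """Return the leaf MIME parts and the image sources found in the HTML part."""
    msg = message_from_string(raw, policy=policy.default)
    scan, parts = ImgScan(), []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        parts.append((part.get_content_type(), part.get_content_disposition()))
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
    return parts, scan
```

With remote content blocked, nothing in `scan.remote` is requested, so the sender's server never sees the `id=u-1234` query that ties the image download to one recipient.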
 
  • #25
jack action
Science Advisor
Insights Author
Gold Member
2,173
3,574
Would the "show only as text, instead of html" thing be the same as what Anorlunda is showing in Gmail in Post #12?
No, 'show as text' will show the text version of the email (see post #11), if present. If not present, it will show the HTML version without removing the HTML tags, hence the 'gibberish code' @MikeeMiracle referred to.
Would PF not have something to sense a virus in the picture and not let it post?
I know PF doesn't link directly to the image on the original server; it rather saves a copy on the PF server. For example, the image you saw in my previous post is not the same as the one in the link:
Some websites don't just make a copy of the file, they actually build a new file, which effectively omits all the extra data where malware is usually hidden. @Greg Bernhardt could tell us if this is actually the case with PF.[1]

I meant in cases where I clicked on an attachment in Gmail and it showed me the image w/o downloading it.
If you can see the image, it was downloaded, opened, and read by a program. But the preview you see might be a new file, built from the original one, free of malware, as stated previously.



[1] Let's test the security on PF. There is a picture of a kitten with a hidden program found on this web page. Here's the beginning of the file as read by a text editor:
PHP:
ÿØÿàJFIF,,ÿþ,<?php $a = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "the command line"; $b = date("l");
$c = date("G") < 12 ? "morning" : (date("G") < 17 ? "afternoon" : (date("G") < 21 ? "evening" : "night"));
echo "--     Hello, friend from {$a}! A lovely $b $c, isn't it?"; __halt_compiler(); ÿÛC


        

The gibberish stuff is the actual binary data for the image. But the readable stuff at the beginning is actually inserted PHP code which is a program used on servers.

I tried attaching this image to the present post, but PF tells me that "The uploaded image contains invalid content." and refuses to upload it.

PF has passed its security audit! 👏
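
An upload check of the kind post #25 describes, as an added example that is not PF's code (the page does not say how PF's check works): it walks the JPEG segments, flags script-like text in comment and APPn metadata segments, and rebuilds the byte stream without comment segments. The token list, function names and sample bytes are assumptions made for this example.

```python
import struct

# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
TOKENS = (b"<?php", b"<?=", b"<script", b"__halt_compiler")

def jpeg_segments(data):
    """Yield (marker, payload, start, end) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:end], pos, end
        if marker == 0xDA:      # SOS: compressed pixel data follows
            return
        pos = end

def find_embedded_code(data):
    """Report script-like tokens inside comment (COM) and APPn metadata segments."""
    hits = []
    for marker, payload, start, _ in jpeg_segments(data):
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            low = payload.lower()
            hits += [(hex(marker), start, t.decode()) for t in TOKENS if t in low]
    return hits

def strip_comments(data):
    """Rebuild the byte stream without COM segments, keeping everything else."""
    out, keep_from = bytearray(), 0
    for marker, _, start, end in jpeg_segments(data):
        if marker == 0xFE:
            out += data[keep_from:start]
            keep_from = end
    return bytes(out + data[keep_from:])

def seg(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed segment sequence (not a viewable picture): SOI, APP0/JFIF,
# a COM segment holding PHP text, a DQT stub, SOS, two data bytes, EOI.
SAMPLE = (b"\xff\xd8"
          + seg(0xE0, b"JFIF\x00\x01\x01\x01\x00\x2c\x00\x2c\x00\x00")
          + seg(0xFE, b'<?php echo "hello"; __halt_compiler();')
          + seg(0xDB, bytes(65)) + seg(0xDA, bytes(10)) + b"\x12\x34\xff\xd9")
```

A site that decodes the pixels and re-encodes a fresh file goes further than `strip_comments`, since it also discards anything appended after the end-of-image marker.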
 
