Possible to Get Malware by Just Opening an Email?

[kyphysics]

I've been getting emails from an "hq@bill.com" address that have looked suspicious. The titles usually say something like: "Invoice prepared for you and will become payment."

Usually, I just delete them. Today, my mouse/hand slipped and I accidentally hovered over and clicked onto that email. Once inside, I saw that it said that an invoice and bill payment were prepared for me and would be sent out and processed. There were links in the email to see for myself.

I never clicked on any links, nor downloaded anything. I only opened the email (by accident). Afterwards, I marked as spam and deleted the email. I Googled the sender and apparently some Google searches returned that this was possibly a known scammer that will download malware to your computer if you go to the links they send.

In my case, I never clicked any links, nor made any downloads. Would that mean my computer is safe? Thanks for your help.

 

[mathman]

Probably safe, but you should run malware and virus checks.

 

[Wrichik Basu]

Would that mean my computer is safe?

Most probably yes.

Most email clients have an option "Mark as spam". If you mark this email as spam, then further emails from that address will automatically land up in your spam box, and you won't be opening them even accidentally in the future.

 

[kyphysics]

Probably safe, but you should run malware and virus checks.

Ran my Avast scan and it said I was malware free.

However, a few hours AFTER that, I started getting concerning Avast messages, which I talk about here: https://www.physicsforums.com/threads/my-avast-premium-security-gives-me-this-scary-message.1003696/

Running a new scan...but these take hours on my computer for some reason. ...so slow...!

 

[Wrichik Basu]

Running a new scan...but these take hours on my computer for some reason. ...so slow...!

A full system scan will take hours. This is normal.

 

[MikeeMiracle]

It's possible if the e-mail had embedded pictures which are actually links to an external site, it's best to just not open the e-mail at all.

 

[kyphysics]

It's possible if the e-mail had embedded pictures which are actually links to an external site, it's best to just not open the e-mail at all.

In Gmail (and all email accounts), I always set my display to not showing pictures/images without my permission.

I had really bad malware in the past and on a separate forum of computer science/programming experts, people said you should change your email image settings to not load them by default. Would that have avoided any issues here if there were what you called "embedded pictures" in my mail?

 

[MikeeMiracle]

That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.

 

[kyphysics]

That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.

Sounds scary. But, let me ask this then. Suppose someone placed such an "invisible pixel" picture into that email I opened by accident. And suppose my don't display images setting didn't weed it out.

You're saying the image/pixel would still "load" ...but would it do anything from there if:

a.) I didn't click on it (although, I guess I wouldn't easily know if it's so small/invisible).
b.) I didn't see my webpage transition from the email to another page (I don't believe it did from my memory of things - I think I just deleted the email immediately).

Would you have to literally see your page go to that "bad web page" before anything bad would happen with these invisible pixel pictures?

 

[MikeeMiracle]

E-mails these days are generally delivered in the html format, the same format as web pages. Pictures in the e-mail can be included as part of the e-mail itself, or they could be a link to a picture on external web server. You do not need to actually visit/browse that other site, merely the act of loading that image can trigger the malware install. That invisible pixel if loaded is enough to infect you.

This is why Outlook has the "do you want to load pictures" messages at the top of e-mails.

These "invisible" pixels are also used to place tracking cookies on your computer by advertisers when you visit web pages.

If you want to be 100% safe, your can set e-mails to only show as text instead of html. That though will be counter productive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)

 

[jack action]

An email is basically a harmless text file divided into 4 sections (select 'View source' to see the text file):

1. Headers
2. Text version (Content-Type: text/plain)
3. HTML version (Content-Type: text/html)
4. Attachments (Content-Disposition: attachment)

From the email client's point of view, the headers should be pretty harmless, other than sending bad information (wrong date, wrong sender, etc.).

The text version of the email is also harmless, as any email client takes it as pure text. It may not be present though.

The HTML version, if present, is also harmless IF you do not allow remote content to be fetched. The email client will use the HTML for formatting but won't download anything from given sources (for example, images). The links will be clickable, but you are on your own if you click on them (It is the same thing as if you copied the linked address and pasted it into your browser). By clicking on them, the worst that can happen is most likely that they will know you clicked on them (by inserting a unique ID identifying your email in the query). But it can be worst (see stegosploit below).

The attachments are also harmless from the email client's point of view (just binary data, presented as text). But if you click on them the email client will send the data to the appropriate program (a PDF reader, for example) that will open them automatically. And that is when the problems can happen. The 'bad stuff' is done with this external program.

Would you have to literally see your page go to that "bad web page" before anything bad would happen with these invisible pixel pictures?

Just to scare you a little bit more, look for stegosploit:

"I don't need to host a blog, I don't need to host a website at all. I don't even need to register a domain," Shah told Motherboard during the demo last week. "I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate."

 

[anorlunda]

Below, you see the setting in Google's gmail.

 

[kyphysics]

The attachments are also harmless from the email client's point of view (just binary data, presented as text). But if you click on them the email client will send the data to the appropriate program (a PDF reader, for example) that will open them automatically. And that is when the problems can happen. The 'bad stuff' is done with this external program.Just to scare you a little bit more, look for stegosploit:

Thanks for the re:, JA. That's an interesting email breakdown!

By the way, I'm not 100% sure I understand what a stegosploit is. . .In the quote it says he can just upload it "anywhere" and then point someone to it. Like, what does that mean? Upload it ...on a webpage?..."Point" someone to it? Like, how? Tell them to go to that webpage?

As for downloads, what if you don't download the PDF file, but get like a preview/view of its contents? This isn't in email, but I'm thinking of some other context where sometimes you can view a document (even in its entirety) without downloading it. I'm not tech literate, so forgive the crude, potentially non-technical terms, but suppose you come across an file (say, a letter)...be it in email or elsewhere...and you can see it through a "reader." Would you be exposed to malware just by "reading" it that way w/o actually downloading it? Do you know what I'm talking about? This is pretty common...I've done it many times. You can read stuff w/o downloading.

 

[MikeeMiracle]

What is opening the document to preview it? If it's infected and it's being opened on your PC to preview it then yes your still susceptible, if it's opening remotely on a web server and that web server is just sending you a web page after it opens the document for you as it's end then your fine. It's very hard to know which way around it's actually being done though, all depends how it's programmed.

 

[kyphysics]

What is opening the document to preview it? If it's infected and it's being opened on your PC to preview it then yes your still susceptible, if it's opening remotely on a web server and that web server is just sending you a web page after it opens the document for you as it's end then your fine. It's very hard to know which way around it's actually being done though, all depends how it's programmed.

Interesting/good distinction, MM. Thanks for the re:. In email, if I get an attachment from a trusted source, I click on it.

That clicking on it "opens it up" (if one can use that phrasing - again, I'm not a tech person here, so apologies for wording) and I can then view it without having downloaded the file. That example comes to mind for things I've done a lot. Literally just happened recently. Someone I knew sent me a document and I never DL'd it...just clicked to view. ...That was in my Gmail. Not sure how they do things.

It's also happened in non-email settings. This is the one I'm scared of and will post a separate thread about (as it's a long story and I may be the victim of fraud).

 

[MikeeMiracle]

If you opened it in gmail it's probably opened it at the server side so you should be safe.

 

[anorlunda]

In email, if I get an attachment from a trusted source, I click on it.

An that is the basis for another kind of danger called phishing. A phishing email disguises itself to appear as if it came from your trusted source.

 

[jack action]

Upload it ...on a webpage?..."Point" someone to it? Like, how? Tell them to go to that webpage?

Below you have an image. You are on this PF webpage and you see it, thus you downloaded it. It was read and if malware was present, it would have been executed.

But you could download it directly through this link, which doesn't go to a website, but points directly to the original image file, on the server where it is stored.

If you had a browser that doesn't render images, by clicking on the link, you would be prompted to save it somewhere on your computer (Same as 'Save Link As ...'). No harms done, you still haven't open it, even if you saved it on your computer. But if you have a browser that renders images (like most browsers), it will recognize that it is an image and renders it automatically. The image file was opened and read; if there was a hidden program, it would have been executed.

As for downloads, what if you don't download the PDF file, but get like a preview/view of its contents?

If you selected to not show remote content, I doubt an email client would show previews of attached files.

 

[DaveC426913]

E-mails these days are generally delivered in the html format, the same format as web pages. Pictures in the e-mail can be included as part of the e-mail itself, or they could be a link to a picture on external web server. You do not need to actually visit/browse that other site, merely the act of loading that image can trigger the malware install. That invisible pixel if loaded is enough to infect you.

This is why Outlook has the "do you want to load pictures" messages at the top of e-mails.

These "invisible" pixels are also used to place tracking cookies on your computer by advertisers when you visit web pages.

If you want to be 100% safe, your can set e-mails to only show as text instead of html. That though will be counter productive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)

Yes. My email defaults to not showing embedded images for just this reason.
You would do yourself good to find and enable this security feature.

However, it does not really rise to the level of dangerous malware. It gives them information about you (that you opened their email), and confirms they have a legit email address (that they could sell on), but it won't directly injure your computer.

 

[DaveC426913]

In my case, I never clicked any links, nor made any downloads. Would that mean my computer is safe?

The simple (unqualified) answer is: you're safe.

Naturally, there are concerns that posters are bringing to your attention, and a scan for malware wouldn't hurt.

But I preview suspicious emails (inadvertently or advertently) all the time. It does not harm my system, and I don't do a scan each time.

 

[kyphysics]

If you want to be 100% safe, your can set e-mails to only show as text instead of html. That though will be counter productive as most e-mail will just be gibberish code. The internet was a much safer place before the web was invented when everything was just text :)

Quick follow-up on this part. Would the "show only as text, instead of html" thing be the same as what Anorlunda is showing in Gmail in Post #12?

That's what I do in Gmail, but wasn't sure if that was the equivalent of what you're saying here. I browsed Gmail's settings and don't see a separate button for doing what you said (word for word)...so wondered if that was essentially what Anorlunda was showing (which, again, I do currently do). TY!

 

[kyphysics]

Yes. My email defaults to not showing embedded images for just this reason.

Dave, I wanted to ask you the same question as above to, MM. Is this essentially what Anorlunda is doing in Post #12's picture?

 

[kyphysics]

Below you have an image. You are on this PF webpage and you see it, thus you downloaded it. It was read and if malware was present, it would have been executed.

View attachment 284164​

If you selected to not show remote content, I doubt an email client would show previews of attached files.

Hmmm. ...That sucks. Would PF not have something to sense a virus in the picture and not let it post? Lots of people on this forum post pics!

re: your last sentence, sorry if I may have been confusing...I meant in cases where I clicked on an attachment in Gmail and it showed me the image w/o downloading it. It can often be a "distant" image at first, but you can zoom in. But, in these cases, I did click the attachment first. I agree that it probably wouldn't just preview it for me w/o doing that. Off the top of my head, I can't remember that ever happening (i.e., I seem to always have had to click first).

 

[f95toli]

That would certainly help. You can insert a "picture" made of an invisible pixel, it's too small to be seen and yet can still be used to redirect to a bad web page. It's a common tactic for scammers.

Tracking pixels are also used by perfectly legitimate companies who use this to "track" if you've opened the e-mail. It is just part of their regular marketing and is in no way dangerous to your computer.
The way it works is that the image link is unique to the e-mail that was sent to you; meaning the server can detect if/when the image is downloaded; that way they can tell that the e-mail has been opened (and hopefully read).

AFAIK all professional e-mail systems use either tracking pixels/images to gather statistics about their marketing campaigns.
It can also be used by companies to check if important e-mails are actually being read, if e.g your bank notices that you never open e-mails from them despite having signed up to go "paperless" they might revert to sending you important messages by regular post.

Anyway, you might not like systems for "tracking", but in this context they are not inherently nefarious.

Generally speaking, modern e-mail clients are very safe and should never automatically do anything dangerous; it is only when YOU click on a link or open an unsafe attachment that things can get dangerous.

Also, most common formats are perfectly safe top view/preview: you can't "attach a virus" to a regular image file (or even a PDF).

 

[jack action]

Would the "show only as text, instead of html" thing be the same as what Anorlunda is showing in Gmail in Post #12?

No, 'show as text' will show the text version of the email (see post #11), if present. If not present, it will show the HTML version without removing the HTML tags, hence the 'gibberish code' @MikeeMiracle referred to.

Would PF not have something to sense a virus in the picture and not let it post?

I know PF doesn't link directly to the image on the original server; it rather saves a copy on the PF server. For example, the image you saw in my previous post is not the same as the one in the link:

• The link address: http://hpwizard.com/images/aerodynamic-forces.gif
• The PF image address: https://www.physicsforums.com/attachments/aerodynamic-forces-gif.284164/

Some websites don't just make a copy of the file, they actually built a new file, which effectively omits all the extra data where malware is usually hidden. @Greg Bernhardt could tell us if this is actually the case with PF.^[1]

I meant in cases where I clicked on an attachment in Gmail and it showed me the image w/o downloading it.

If you can see the image, it was downloaded, opened, and read by a program. But the preview you see might be a new file, built from the original one, free of malware, as stated previously.

---

^[1] Let's test the security on PF. There is a picture of a kitten with a hidden program found on this web page. Here's the beginning of the file as read by a text editor:

ÿØÿàJFIF,,ÿþ,<?php $a = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "the command line"; $b = date("l");
$c = date("G") < 12 ? "morning" : (date("G") < 17 ? "afternoon" : (date("G") < 21 ? "evening" : "night"));
echo "--     Hello, friend from {$a}! A lovely $b $c, isn't it?"; __halt_compiler(); ÿÛC        
%# , #&')*)-0-(0%()(ÿÛC
(((((((((((((((((((((((((((((((((((((((((((((((((((ÿÀ¡9"ÿÄÿÄI"2BRb!#1Aar3Qq¡¢±ÁÑðCS²ÂÒá$cñ4âò%DTÿÄÿÄ%"21!ABaQRbqÿÚ?öÅÒ)ÆhsqAÒ²ÝK Ü¿Õ\nH s+VíJfüò,u*}Â3åæUefºc?eGJ̤ eKj#"ý´ÚÇI Xo½Q¾ä0z*£bÈÂ(¢p0ÔSC#õt¦
QGÆBJîÌ#¤"« Di3îLr'(V¶ZhO*ìͼÊ53ÊÐop(äîÒ ðÙDd^t9Ewf!5i*¨aÁ¸N":ï>EâÅ:ËGTRÜF9( #%}ÆqIx6DaÞ$Õ³¼¥BÌ P¨¦dn ¸µ+¨Xt-IÔ
JÏȧ)ÛÝ]v¤à0Ø=åKÌÎreE $N÷S¦E(SFäAÎ;¶ò¢]+ÏK#<$è([G"QÈ2VâVT7|Z ¯y2¨-¥jȧ;¤¢ùAʧH$'ÝÒHdÔ¡ÌëòLDßetΣõfÜw®ºùªÈ"!Wd"0"FÄOÚ]lÖ©b!â[]¹Ñ¦C¥³)Eæ{ö©DÌEEÖËJ    ¸3å×ÚUÙ>ñ)LÔÓ°S2ÔHC`¦äÃ#r©äGbãbIeéR0j¬U
àc501ܸ«EYb6ÁAÖ$[CiZb7*e9@ÆÝDH³ÍãtJZJ "ÕiikTÎwÚ«dgCpÉSQ²ÑÉ£Ó+yÿ
/³XºËö*®Æi    í/×ÖTc¬dÔÒ)£'Ѧ©¨É&n
V¡j1FI!0ßàYÌC¤"ƵiGn°Ø8;yU;³JÏ³Ó ì²Å=ÂjÚvîm>ïÍLfîC@0äÂñ0"-IeEXÀò¡Ëë(ÐÕÈ
Âýu*àÄ¡n¤² [üfá]çñMTðå©X6»ÓÊ´7A,9ÈîE²$è]h¢PtEÓ    DIEèøØ´rCÅá;§ÔH.¨nþîé LFrºo6ôùFØä¥eâ@¿¡u;y°%S×EyAÒ&bKo¹IâУ%Ôq¨
²Ô;$Zgì©ÊK¢* |.VçÍTZ[t¢¶Ä#§º¢Í1OyY`9r¢; Aÿì¸òöêV&#¡IBw)ÚP½Ff;ÉA.:j¬Zb:UYjl©ó+ÚATFÔ««Æéæ+~þ¤&31BQRÓmß2IBÝN0yÕFcMµ¹Ä¾x¨¥í¾ñ]ßÁv]i·Ì[Q¬
KMrükª!ÝÒ§KÙZßÊÕåÜ+²Ä¯T¹¨}hýë%ÓQÊ02kàÈJå@.bvnâ)îêIðƣų*1²;ÝcøpàI?FëÙ®ÆZÃ2¦$á³Õäø¼+KÒdzºç,ê)|JÊ'ÄñGñlE±¾×àÄÛ¡¨Ê3ðÁÃü¡Â*.øÇ7îêÕù&Ô~
!/øxñöÒ¨ËN5¥Ví;S'íþYqZì'    §k¶;'
®¯/)f=R8e@34UÓ(púø¦}èá?VÎ-eݧW_ùúÉÍ/í×@ÅÂýz8&õúÄNÑËOÃÖ5´-ZÈEUàñdÉõ~U_)U¡qêNÍÁ~ÑÒ¼ðzãJèwÏÇú¤ÕËò«NZPq±u)ö),¸bC8ÎäPUò®aóÕ-ú¨s«"TîÆÑB¸ìÄÔÒrpuìî9.
öÌKÝH»ã¨w(!    ©Ò+ªØZUO6Ää½DäÕGHç:rnZ&qöKRía)«>Où

The gibberish stuff is the actual binary data for the image. But the readable stuff at the beginning is actually inserted PHP code which is a program used on servers.

I tried attaching this image to the present post, but PF tells me that "The uploaded image contains invalid content." and refuses to upload it.

PF has passed its security audit!

 

[pbuk]

There's quite a lot of misinformation in this thread, I'm not going to pick up on all of it but in summary:

• Turn on the 'do not display images' option in your email client. This is not because images are potentially dangerous in themselves (with some exceptions - see below), but because they notify a potential bad actor that someone reads the emails that are being sent to your address.
• Neither gmail nor any other properly maintained email client or web browser has been vulnerable to malware contained within an image file (again see below), or a file purporting to be an image file, for at least 10 years.
• By contrast, both Adobe PDF Reader and embedded readers in browsers and email clients have contained vulnerabilities: here's the notice from Adobe's latest security patch last month. Never download any attachment including a PDF that you are not sure is genuine.
• The malware in #25 attempts to attack a server: the fact that PF has prevented uploading this file bears no relation to whether PF would prevent uploading a file with a client-oriented attack (although see below)
• SVG image files can contain JavaScript and are therefore potentially vulnerable: this is the exception I mentioned above. This is why you cannot upload SVG images to PF, or view them when using the GMail browser client.

 

[jack action]

• Turn on the 'do not display images' option in your email client. This is not because images are potentially dangerous in themselves (with some exceptions - see below), but because they notify a potential bad actor that someone reads the emails that are being sent to your address.
• Neither gmail nor any other properly maintained email client or web browser has been vulnerable to malware contained within an image file (again see below), or a file purporting to be an image file, for at least 10 years.

My email client (Thunderbird) is set to 'do not allow remote content', which is semantically different from 'do not show images'. I knew that it would apply to more than images (i.e. anything with a website address as a source), but while reading your comment, I was wondering if it would show images whose source is the actual image data (encoded as base64). With a simple test, yes, my email client does show images that are NOT remote content.

 

[Stephen Tashi]

According to this article

From: https://en.wikipedia.org/wiki/Web_beacon

However, since beacons can be embedded in email as non-pictorial elements, the email need not contain an image or advertisement, or anything else related to the identity of the monitoring party. This makes the detection of such emails difficult.[8]

One way to neutralize such email tracking is to disconnect from the Internet after downloading email but before reading the downloaded messages. (Note that this assumes one is using an email reader that resides on one's own computer and downloads the emails from the email server to one's own computer.) In that case, messages containing beacons will not be able to trigger requests to the beacons' host servers, and the tracking will be prevented. But one would then have to delete any messages suspected of containing beacons or risk having the beacons activate again once the computer is reconnected to the Internet.

I wonder if that information about email tracking also has implications for email malware. It suggests that configuring an email program not to download images may not prevent the program from downloading other things.

 

[MikeeMiracle]

Ultimately there is always some level of risk. The only way to avoid it is not to use the internet which is impracticable in this day an age.

If you don't want the possibility of your e-mails downloading anything at all then you can configure your e-mail client to only display messages as plain text. The problem with this approach is not many e-mails are just text these days, they are normally a basic web page and if you only allow e-mails in plain text, most e-mail you receive will just show as a bunch of code.

 

[pbuk]

According to this article
...
I wonder if that information about email tracking also has implications for email malware. It suggests that configuring an email program not to download images may not prevent the program from downloading other things.

The phrase 'non pictorial elements' is misleading; it is referring to image files that are 1 pixel trasparent images, so not actually 'pictures' in the normal sense. There is no email reader publicly available that downloads anything other than images (and most modern email readers don't display images by default).

The problem with this approach is not many e-mails are just text these days, they are normally a basic web page and if you only allow e-mails in plain text, most e-mail you receive will just show as a bunch of code.

The email standard requires a plain text version of an email to be sent as well as HTML and any legitimate sender of email will respect this: the absence of a text/plain section in a MIME email is a strong spam indicator that will land the message straight in the junk box.

 

[Stephen Tashi]

From an earlier paragraph in the article:

This basic technique has been developed further so that many types of elements can be used as beacons. Currently, these can include visible elements such as graphics, banners, or buttons, but also non-pictorial HTML elements such as the frame, style, script, input link, embed, object, etc., of an email or web page.

 

[pbuk]

That is correct for a web page, but not for an email (well it may have been about 20 years ago when HTML emails were first a thing, but certainly not 'currently').

 

[anorlunda]

It should be mentioned that email clients are not alike. I use gmail. The privacy of gmail sucks. But gmail does an excellent job of filtering out spam and malware mails.

Only 3 or 4 times per year does a suspicious mail make it through to my inbox.