Bob Young on Nostr: A friend asked (paraphrased slightly), “Bob, here's a serious question. What would ...
A friend asked (paraphrased slightly), “Bob, here's a serious question. What would you gauge danger-wise on malware attacks based on potentially malicious websites one might be fooled to click on? I ask because I've had people ask me about getting spam emails saying that they’re compromised due to visiting a website, even if they have an antivirus product or Internet security suite installed. It sounds like a standard social engineering/ransomware scam...but with all the zero-day exploits in the news, it makes one wonder.”
MY ANSWER
That’s a great question, thanks for asking! First, I know from your technical background that you understand these things, but I’m going to start with a vocabulary section for the sake of others who might read this. Then I’ll get to the answer.
Zero-day vulnerability – This is a vulnerability that has just been discovered. The cybercriminal may publish information about the vulnerability to other criminals, but the software manufacturer has had no time to write corrected code.
Exploit – An exploit is when a cybercriminal takes action on a vulnerability. Vulnerabilities can exist without being exploited. This is more common than you might think, because some vulnerabilities depend on a complex set of pre-existing conditions that aren’t easy for the cybercriminal to reproduce.
Zero-day exploit – A zero-day exploit is an action against a zero-day vulnerability.
Known Exploited Vulnerabilities (KEVs) – The Known Exploited Vulnerabilities Catalog is maintained and published by CISA. I’m not going to put the link here. You can find it with any search engine.
Common Vulnerabilities and Exposures (CVEs) – The CVE List contains all known vulnerabilities (strictly speaking, but we’ll ignore the exceptions). This list is longer than the KEV Catalog. The definitive CVE List is at cve(dot)org.
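The KEV/CVE distinction above is what a defender acts on: every KEV entry is a CVE, but only a small fraction of CVEs ever reach the KEV Catalog. The following added example (not from the original post) shows how a practitioner would triage a scanner's CVE list against a KEV-shaped feed, prioritising entries already exploited in the wild and those past CISA's remediation due date. The feed text and the CVE IDs are constructed placeholders using impossible years; the field names mirror the public KEV JSON feed.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of the KEV catalog feed (a top-level
# "vulnerabilities" list). Entries are placeholders, not real catalog records.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV sample",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-02-01",
         "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dateAdded": "2025-02-20",
         "dueDate": "2025-03-13", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVE IDs are "CVE-<4-digit year>-<4 or more digits>".
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_kev(feed_text):
    """Index a KEV-shaped JSON feed by CVE ID, rejecting malformed IDs."""
    catalog = json.loads(feed_text)
    index = {}
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"].strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"malformed cveID in feed: {cve}")
        index[cve] = entry
    return index


def triage(scanner_cves, kev_index, today_iso):
    """Split scanner findings into KEV hits (most urgent first) and the rest."""
    today = date.fromisoformat(today_iso)
    hits, rest = [], []
    for raw in scanner_cves:
        cve = raw.strip().upper()
        if not CVE_RE.match(cve):
            rest.append((cve, "malformed id"))
            continue
        entry = kev_index.get(cve)
        if entry is None:
            rest.append((cve, "not in KEV"))  # a CVE, but not known-exploited
            continue
        hits.append({"cve": cve,
                     "overdue": date.fromisoformat(entry["dueDate"]) < today,
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # Known ransomware use first, then overdue remediation, then by ID.
    hits.sort(key=lambda h: (not h["ransomware"], not h["overdue"], h["cve"]))
    return hits, rest
```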
Now that the vocabulary lesson is out of the way, we’ll get to the answer you were asking for.
1) Zero-day vulnerabilities do exist. Some zero-day exploits can be stopped by antimalware solutions, if the exploit is behavior-based, pattern-based, or otherwise recognizable. But, most of the time, zero-day exploits slide right through the defenses.
2) The spammer does not – indeed, cannot – know if your computer has been compromised. The only person who knows is the actual cybercriminal who ran the exploit.
3) The cybercriminal who ran the exploit usually doesn’t want you to know your machine has been compromised. They won’t send you an email!
4) In the case of ransomware, the cybercriminal’s message usually (always?) appears on screen. It’s not an email.
5) Summary: Yes, your computer can be infected without your antimalware product detecting it. But the cybercriminal is unlikely to email you. The email “informing” you of malware is almost certainly a social engineering attack, unrelated to anything.
#CallMeIfYouNeedMe #FIFONetworks
#AskBob
Published at 2025-02-27 16:44:23