This is a myth: "Just be smart and you are safe from malware"

[struppigel]

This statement bothers me on several levels.

1. It is not true. There are infection vectors you cannot prevent at all.
E.g. supply chain attack --> your favorite trusted software receives an update --> your system is screwed

2. It is presumptuous and arrogant
People who say this are interested in tech and they assume everyone who does not have their knowledge level is stupid.
You cannot expect everyone to be into IT.
Nor does it have to do anything with being smart or stupid.

3. How do they know?
Most malware does not show signs of infection. How do people actually know their systems never got infected?
People who think they can outsmart malware, are often not using an AV that could alert them either.

4. Experts fall into traps
While knowledge about malware can reduce the likelyhood for certain infection vectors to succeed, it is still no 100% protection.
Every single person, no matter how much of an IT expert they are, can be tricked. How do I know? Our company conducted phishing tests.
We are all human and we fail sometimes.

 

[ForgottenSeer 97327]

Agree, completely. I have one experience which amazed me and (nearly) tricked me into entering my bank account and password.

1. I got an e- mail that I needed to confirm my details to get a new bank card

Because I had requested a new bank card (my contactless payment chip did not work any more) and the email looked authentic (it had my bank's e-mail sender address and was formated using my bank's corporate identity, colors, logo and layout) I clicked on the link. At that time to do payments, I needed that chip for an offline two factor authentication passkey calculator which generated a code which I had to enter to confirm a payment. Before my bank provided its users with a mobile app, it was still possible to login to your bank account with bank number and password for auto service (like requesting a new bank card) and secure communication with my bank.

2. When I clicked on the link, I was directed to a HTTP website which seemed like an exact copy of my bank's website.

When I was entering my bank account number, I noticed the padlock was missing (not a HTTPS website). Agitated I stopped entering my details (a confirmation screen) and made a print screen. With a sarcastic remark (regarding the fact it was a HTTP website) I send this screenprint to the general email address of my bank and continue working (at home). I did not enter my details, only the first half of my bank account number.

3. Two hours later (well after 18.00 hour) I was called by my wife (who was a bit angry) telling me our bank account was blocked (and se could not pay gasoline on a tankstation along the highway).

Luckily the tank stations have a fall back process to deal with that sort of situations, so my wife could get home. The next day I called my bank (as soon as they opened during office hours) and ask them why they had blocked our account. I got a service manager telling me they were afraid I had entered my details, because it was possible to change my e-mail address with the password only access to the website (and that were in the process of moving that functionality to more secure, two factor authentication).

 

[roger_m]

Some thoughts on this. I believe that is usually very hard to get infected if you keep Windows and vulnerable software updated and are always careful about what files you open. I base that on years of experience. An important point to make, is that I have never said that doing so will prevent infections, just that it will significantly reduce the likelihood of getting infected. On my own computers, the only times that I've got infected is when I've manually opened infected files and I've never got infected just from browsing the web. I make no effort to only visit known and trusted websites. But on an unpatched work computer, I once got infected just from visiting a compromised website.

In my opinion, I think it's much more important to be careful about what files you open, rather than obsessing about finding the best possible security solution.

I would never think that anyone is stupid for having less knowledge than me or for getting infected. I can understand why it's easy for many users to get infected, as they believe that their antivirus is going to keep them protected. For example, if someone opens an infected email attachment which contains ransomware, they are probably going to blame their antivirus for not protecting them, rather than stopping to think that if they hadn't open that file they wouldn't have got infected. Once again, I would never call anyone stupid for that.

Every time one my computers has been infected, I've discovered the infection. It's certainly very possible that a PC can infected and it goes undetected by their antivirus. It's also possible (although less likely) that second opinion scanners will fail to detect the infection too, even if multiple scanners are used. However, surely in time that infection will be detected. I typically go for years between doing clean installs. Surely if I was to get infected, even in the infection was not detected right away, it would get detected eventually.

 

[upnorth]

Every single person, no matter how much of an IT expert they are, can be tricked. How do I know? Our company conducted phishing tests.
We are all human and we fail sometimes.

Agree and I do know that company tests can be specific created for a vendor/brand with pages/sites/links that is common seen and used in their environment. Makes it more tricky, but also more realistic. It's highly recommended and something well worth in education, but it should be done more then once as for example phishing has evolved extremely much.

Spoiler: example

Cyberattackers Spoof Google Translate in Unique Phishing Tactic

Attackers are spoofing Google Translate in an ongoing phishing campaign that uses a common JavaScript coding technique to bypass email security scanners. Leveraging trust in Google Translate is a never-before-seen approach, researchers said. Researchers from Avanan, a Check Point Software...

malwaretips.com

Here's a generic test that can help show some of the issues with phishing :

Take Jigsaw's Phishing Quiz

Can you spot when you're being phished?

phishingquiz.withgoogle.com

Many people, even hardcore security geeks/nerds also ignore or forget the problem with phones. It's a huge difference being able to catch or prevent an attack on a phone compered with a PC/Mac. Phones are even for professionals re-searchers/analysts extra hard to catch a suspicious complete url, simply because the small screen on a phone. Try hover a link on a phone and be able know where it leads and if one can trust it. It's many times a major pain and very easy by accident click it. When attackers is able to abuse 100% legit services/platforms and infiltrate software/apps that works as intended, but suddenly later becomes malicious, it's not the fault of common users.

Spoiler

Legit Android apps Poisoned by sticky 'Zombinder' Malware

Threat researchers have discovered an obfuscation platform that attaches malware to legitimate Android applications to lure users to install the malicious payload and make it difficult for security tools to detect. Analysts with cybersecurity vendor ThreatFabric found the platform, named...

malwaretips.com

Smart, is always the main responsibility of the developer, but even they are people and doing it easy with lazy copy/paste and take shortcuts that easier creates bugs/vulnerabilities.

 

[Ink]

Spot on!

Phishing scams require no malware, a simple (or sophisticated) social engineering trick to bypass account security to gain full access.

 

[Andy Ful]

The statement "Just be smart and you are safe from malware."
is as true as the statement
"You are safe on the road if you are a racing driver."

But it is true that if one is security oriented and careful, then the chances of infection can significantly decrease. This is probably just as important as adding more security layers.

There is no evidence that being smart is an advantage in security matters, because many smart people overestimate their abilities and become less careful.

 

[poopdookie]

This resonates with me. I had an awful manager years ago who had gotten the first MacOS virus that I had ever heard of at the time. They insisted it couldn't be a virus because all they did was shop/web browse. They let this persist for a week or two. I laughed because every time I walked by their office, weird music was playing from the machine, until they gave up and asked me to look at it.

 

[SpiderWeb]

Malware like Pegasus makes me realize that absolutely nobody is safe no matter how great your security setup is. But, I think built-in anti-malware in operating systems has come a far way where the first statement holds true.

 

[BoraMurdar]

Being smart is relative...

 

[Zero Knowledge]

The problem these days is that the attackers are well-funded, well-resourced and very professional. Back in the day all you had to worry about the hacker in his basement (Kevin Mitnick) and they were driven by curiosity, adventure and getting a few laughs. Not sure if you are old enough but the internet back in the early/mid/late nineties was a very different landscape which has now evolved into some unrecognizable monster.

There now so many people out there in the industry writing and deploying exploits that it's basically game over. It's no longer the realm of criminals and black hats or security nerds and white hat hackers. Now it's professional hackers (white and black), nation states with hacking crews and surveillance capabilities, criminal groups and hacking tool sellers, and then there are hacking for hire and exploit development and buying companies.

It's the most dangerous time I've seen in 30 years, every app you download, website you visit, security update you download, or every OS update you have to think "Did I just get owned?". I'm not sure even a layered security approach helps these days, it feels like we have lost the battle and the war.

I'm not sure how it ends but it doesn't look positive.

 

[Malleable]

The statement "Just be smart and you are safe from malware."
is as true as the statement
"You are safe on the road if you are a racing driver."

But it is true that if one is security oriented and careful, then the chances of infection can significantly decrease. This is probably just as important as adding more security layers.

There is no evidence that being smart is an advantage in security matters, because many smart people overestimate their abilities and become less careful.

This. In today's world I find myself amazed I come across people that don't realize you can just hover your mouse over a link and see where it's really sending you. The simplest of first steps. Of course there are means to circumvent this but those come into play only if the link appears legitimate. It's no different than working on a car that won't start. You do the simplest things first: check the plug wires for spark, make sure there's gas in the car and that it's actually getting to the cylinders, and so forth. Only after that do you throw your tools against the wall and pull the motor apart.

 

[struppigel]

This. In today's world I find myself amazed I come across people that don't realize you can just hover your mouse over a link and see where it's really sending you. The simplest of first steps.

This is not simple for many people. They might be able to hover over something but then still have no idea what constitutes a legitimate link. We must take those people into account. With security, with software design, with everything we build. There are young children using the Internet unsupervised, there are people with mental disabilities, there are some older people who despise technology but feel forced to use it nowadays. They all might not be able to do what we consider simple even if we train them.

 

[Jan Willy]

Fast all of my relatives and friends still hardly use in private life laptops or pc's. On their phones and tablets works mostly Android. I've never heard someone about a malware infection. It doesn't mean that they aren't at risk. E.g. they could be victim of a phishing site. Is it a bold assumption that the kind of OS is a relevant factor in internet security?

 

[Zero Knowledge]

struppigel is 100% correct. The whole IT/security industry will continue to fail miserably if we do not include the non-technical or non tech savvy/security minded folks in the solution to malware infections or hacking attempts and attacks. Not everyone has the education, time, money for protection or skills to spot a malware infection, even for us folks who are technically skilled (I don't classify myself as highly skilled) it can sometime be difficult to impossible to know your infected.

On their phones and tablets works mostly Android. I've never heard someone about a malware infection. It doesn't mean that they aren't at risk.

@ The recent Pwn2Own there were zero exploits for Apple and Google phones submitted even though huge prizes were offered. The true story is off course there are exploits for Apple and Google phones, but they are just worth so much on the open market to exploit brokers and governments that they choose not to submit any bugs.

 

[Sorrento]

I've been almost caught by clever SMS on my phone - Some look spot on & I've got to the point I don't believe a word I get via SMS anymore which means at some point I may miss a genuine message?

 

[upnorth]

never heard someone about a malware infection.

3. How do they know?
Most malware does not show signs of infection. How do people actually know their systems never got infected?
People who think they can outsmart malware, are often not using an AV that could alert them either.

Another reason why many don't admit they got infected or hit by an attack, is simply because they are embarrassed and ashamed, and when ridiculed and laughed at it's even worse. That's a major error security geek/nerds do. Pointing fingers and constant name calling 24/7 is not going to help, but much rather risk push people away that needs help. When possible, try to reach out and help instead and if one can't or is unsure how to, at least point them in the right direction.

One of those options:

Windows Malware Removal Help & Support

Get help removing adware, malware, spyware, ransomware, trojans, and viruses from Windows PCs. Follow the instructions in the pinned topics first. For security purposes, only authorized members may respond to requests for assistance.

malwaretips.com

 

[monkeylove]

Also, points like some attacks being rare and if you back up that's good enough.

 

[Victor M]

The phrase my forum folks use is to 'use common sense'. Now if only 'common' sense is common among security analysts and everyday joe's and jill's. ...

 

[plat]

Recently, I was in a hurry to test a piece of software and since it was a prev. trusted application, I rapidly clicked thru the installer dialog without reading it. Next thing I know, Google Chrome is snug and warm on my desktop--yikes! Not malware but not a wanted software either. Just one example.

Carelessness, ignorance, curiosity, naivete, absent mindedness, distractions, thinking software never changes its installation parameters--what else? You'd think a brush with malware would teach you a lesson but I've seen companies get hit multiple times. All you can do is do you.

 

[Vitali Ortzi]

Agree, completely. I have one experience which amazed me and (nearly) tricked me into entering my bank account and password.

1. I got an e- mail that I needed to confirm my details to get a new bank card

Because I had requested a new bank card (my contactless payment chip did not work any more) and the email looked authentic (it had my bank's e-mail sender address and was formated using my bank's corporate identity, colors, logo and layout) I clicked on the link. At that time to do payments, I needed that chip for an offline two factor authentication passkey calculator which generated a code which I had to enter to confirm a payment. Before my bank provided its users with a mobile app, it was still possible to login to your bank account with bank number and password for auto service (like requesting a new bank card) and secure communication with my bank.

2. When I clicked on the link, I was directed to a HTTP website which seemed like an exact copy of my bank's website.

When I was entering my bank account number, I noticed the padlock was missing (not a HTTPS website). Agitated I stopped entering my details (a confirmation screen) and made a print screen. With a sarcastic remark (regarding the fact it was a HTTP website) I send this screenprint to the general email address of my bank and continue working (at home). I did not enter my details, only the first half of my bank account number.

3. Two hours later (well after 18.00 hour) I was called by my wife (who was a bit angry) telling me our bank account was blocked (and se could not pay gasoline on a tankstation along the highway).

Luckily the tank stations have a fall back process to deal with that sort of situations, so my wife could get home. The next day I called my bank (as soon as they opened during office hours) and ask them why they had blocked our account. I got a service manager telling me they were afraid I had entered my details, because it was possible to change my e-mail address with the password only access to the website (and that were in the process of moving that functionality to more secure, two factor authentication).

Experts get fooled too and pishing is getting better with time as well and deep learning ai based pishing detection will forever play catch up so it's an endless game but you can still get access to decent feeds using a DNS like dnseu , quad9 or via extensions wich would help against popular pishing and adding good behavior too should reduce the chances but eventually you will get pished just like everyone