Malware detection

I am confronted with an Email that had a foul link. Unfortunately I had been warned too late that it is a password stealer. I don’t think that it works with Linux but I’d prefer to check it.

ClamAV didn’t find anything.

Does anyone have any suggestions if there is another programme I should use in such a case?

2 Likes

Did you follow the link?

1 Like

No matter what it truly ™ was …

Ask yourself:
How could it steal or have stolen any password - if you didn’t follow the links and did indeed provide actual credentials?

“They” might know that the e-mail address is valid if you followed the link.
But that is the extent of it …

Chill - if you didn’t provide any actual credentials.
If you did - be smarter next time - and change them immediately.

2 Likes

There is a logical gap in this story - I’m curious how the statement ‘an email that had a foul link’ led to ‘I had been warned too late that it is a password stealer’. Does this mean you actually downloaded something from the link in an email?

Surely just downloading something couldn’t enable it to do anything unless you deliberately tried to execute the file somehow?

Where did this ‘warning’ come from? If you were warned, doesn’t that mean you already have a way to check it?

So this is (for us) purely speculating to understand your situation; where did the analysis that it’s a password stealer come from? Also, why would you decide that it doesn’t work with Linux?

  1. Phishing emails are the main risk for ‘password stealing’ - possibly with headers and links to mimic a request from some service (Your Amazon Account, or a ‘Failed Shipping Delivery’ or Google/Microsoft/Facebook) asking you to enter information… or some fake login page prompting you to enter your email/password.

So the way to deal with this would be to copy the suspicious URL and paste it into a service like ‘VirusTotal’ or something.

Why didn’t you share more information? It seems unlikely that you can find software to manage this for you…

‘Your account will be suspended, Click Here Now!’

This would be a SOCIAL engineering problem, not a malware problem.

But then to suggest that you tried using ClamAV - which is designed to scan for malware running on the system, not to scan inside emails.

This kind of paranoia would be reinforced by any kind of web search, leading you to feel more threatened and more in need of a licence to pay for and run some kind of ‘Super Security Scanner’ ■■■■■■■■ before you fire your browser up every morning.

Linux Advice

  1. If an email DOWNLOADS an attachment, like an .appimage or .sh or .desktop, or a .py, or something - or contains a link to a dodgy site that hosts malware, or has a social engineering lure (fake invoice, alert, or offer)… then what’s next?
  • Did you download and run the file manually and deliberately? LINUX SYSTEMS DO NOT AUTOMATICALLY EXECUTE.

If you did this, then restore a snapshot to undo any changes.

If any such file requested elevated privileges (pkexec, sudo, or GUI prompt) then you’d have to be very deliberate to enable it… there is no defence against this.

To some extent, this is a good advertisement for Wayland, as simple xinput or evdev keystroke loggers would be harder to implement…

Malware won’t be able to read encrypted browser login data to steal passwords…

You are creating an XY problem for yourself - searching a solution when you have not given sufficient information about what happened.

This kind of ‘Fuzzy Paranoia’ is a huge problem, and it’s a reason that many companies make millions of bucks selling huge ‘umbrella’ style invasive security suites that alert you that they are ‘protecting your very existence’ every time you touch your mouse.

6 Likes

A lot have been said - the best tool is :brain: located behind your :eyes:.

  1. Never follow a link in a message - even more true for a message read on a handheld device.

  2. Always open the genuine website in a secondary browser window.

Example:
A co-worker of mine - responsible for maintaining domain renewals - got a mail a couple of days ago. She forwarded the mail to me and asked if it was suspicious - and I replied - yes, it is - don’t follow the link.

I didn’t think of it - but some of her wordings were off - so I had to call her - and she had followed the link but our boss became suspicious when he was supposed to acknowledge the transaction - which was why she sent the mail in the first place.

It turned out she had supplied the fisherman with credit card details - so I immediately had to advise - call the bank and block the card - I sure hope they did.

4 Likes

Especially a message that seems to suggest urgency, or time sensitive.

Always check with the service via your normal method, Never via a link in an email, or an SMS text.

3 Likes

It’s strange, but I remember the onset of the ‘modern interface’ which tends to obscure finer details (showing sender names, but not really making the email or origin stand out..).

How shocking it was back then that an email could open a very genuine looking website advising you that your Facebook page had been compromised - enter your password to continue…

Using Windows - late Windows 98 - I remember that just visiting websites could invite ‘drive-by’ downloads.

The next big thing was that after you download an installer where ‘Click to continue…’ doesn’t mean ‘continue to install something completely unrelated to the thing you want’.

CCleaner is one of the examples I remember prominently.

Modern email has filtering - all of my Shopee and Facebook notifications/communications are filtered properly, so I have safe zones.

Nearly everything outside that sandbox is to be treated with the utmost paranoia, as there are millions of poor folks sitting in makeshift offices (recent news brought to light the Thailand-Cambodia scuffle being actually a squabble amongst the ‘elites’ who get rich by running such scammy operations along the sparsely inhabited border regions).

It was the 1990s that cemented this as the primary vector; I’d say at least 70 to 90% of risks come through exploiting human psychology and not technical vulnerabilities.

The more recent AUR issues highlighted this fact also - they were not targeting ‘Arch Users’ per-se… they were targeting ‘dumb folks who think they can get an improved, patched, or otherwise more convenient install for Chrome than the Chrome binary from the official source’.

94% are Social attacks via Email - fully cross platform in most cases :wink:

We’ve moved on from ‘We have detected a trojan, click to scan…’ appearing on our Android phones :rofl: one of the funniest events after installing Linux were those ‘Threat Detected! Click to scan your PC for Malware’ popups.

3 Likes

Unfortunately: yes

and what happened when you did?

I tried to download but I don’t know if the download worked. I think not; but I am not sure.

The situation is a little bit difficult to explain. The Email address of a company seems to be hacked. The CEO warned its business partners about the dangerous mail. A friend of mine got the mail and the warning. I only the mail. But the friend sent me the warning, after I had become worried because of the not opening attachment. The warning mail says that the attachment and the link are password stealer. No more information. I have tried to contact the CEO but he doesn’t know more. I have only found out that he received a similar mail a few days before. (Unfortunately he wasn’t paranoid…) His IT told him that’s a password stealer. I hope I shall get some more information.

PS: ClamAV seems to have the possibility to scan E-Mails.

Nothing.

If nothing happened - no credentials were stolen

If there was a website, and someone fell for its design, and put in some valid credentials into it, then … these would be “stolen” - even though they were actively and even halfway consciously voluntarily given …

Change these no longer secret credentials - and all that happened was that some crook knows that the e-mail address is a valid one.

1 Like

Precisely.

So long as you didn’t enter any real username and passwords into a seemingly real login screen, nothing will happen.

For malware to work on Linux, it requires

  1. that the malware be written for Linux, and often for the specific Linux OS environment. One of the benefits of our fractured ecosystem.
  2. that you the user actively assist the malware in executing. If the execute flag is not set, it’s just an ordinary file, regardless of the file extension.

Otherwise anything that might have been downloaded is useless.

3 Likes

The term ‘password stealer’ is really too general. I would expect that anyone genuinely warning (and not just shouting ‘The Sky Is Falling In’) would include any specific and detailed analysis or explanation available, however technical.

Any information stolen (if someone did already click and get infected) is already available to use for identity theft, fraud (more targeted phishing, or social engineering)… so this is your focus for defence; not the ‘malware’ itself.

ClamAV is designed to scan for Windows viruses and isn’t likely to detect a sophisticated Linux threat (but that would have to be a targeted Linux threat, not a general email which is likely targeting Windows).

Make sure you start using unique passwords, 2FA or passkeys for important accounts - starting with your Manjaro account :wink: then maybe later on check your emails, banking passwords - and eliminate any re-used passwords.

For me, this was my habit of basing passwords on ‘childhood questions’ (mother’s maiden name, birthdate numbers plus one or two symbols). More recently, it wasn’t such a bad password but certainly could have been avoided by using 2FA.

Your statements:

  • A friend got the mail and the warning
  • I only the mail
  • Friend warned me, I worried because of the ‘not opening attachment’
  • Warning says ‘attachment and link are password stealer’

Again, confusing… partly because of your English… it is not clear that you are worried because of the ‘not opening attachment’ or because YOU tried to open it.

Did you download it? Was it executable? What was it?

The only people who need to worry about direct infection are people who know the answers to these questions and interacted with it directly.

Your current risk is likely NIL if…

  • YOU did not open the attachment
  • You did not click the link - so there are no chances of a drive-by download or phishing attack.
  • Linux is less targeted than Windows, and you have given zero information which specifies the actual nature of what the email includes. If you don’t have the original email, then you are just reacting to warnings that don’t apply to you.

2 Likes

Sorry! I know I am a little confusing.

The simple facts:

I clicked on the link. → No visible reaction.
Infos from the CEO: The link is a password stealer; it has stolen his Email passwords; I should change my passwords; no more information.

The lack of information is the reason why I want to check my system.

A highly dubious claim.
The crooks got passwords because he gave them to them.
They were not “stolen”, they were effectively given to them / handed to them - by the CEO.

or they were so easy that some simple trial and error would have quickly succeeded

If your passwords are in your head, they can’t be stolen - but you can be duped into providing them …

What are Email-passwords, btw?

2 Likes

Probably nothing happened, since most if not all of the automated scripts that work without user intervention are for Windows and Outlook.

I am curious to see the source code of the message, if possible. It can answer a lot of questions.

4 Likes
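The two posts above between them describe the checks worth doing here: look at the message source (who the mail really came from, where its links point, what the attachment is called) and confirm that a downloaded file carries no execute bit, since on Linux it cannot run otherwise. The following shell triage is an added example, not code from this thread; the .eml content, domains and file names are constructed, and it makes no network connection.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of a suspicious mail
# saved as .eml, plus a check of whether a downloaded attachment could run.

# Sender-related headers: the header block ends at the first empty line.
mail_headers() {
    sed '/^$/q' "$1" | grep -iE '^(From|Reply-To|Return-Path|Received):'
}

# Every http(s) URL in the message, which is where the lure usually sits.
mail_links() {
    grep -oE 'https?://[^ "<>)]+' "$1" | sort -u
}

# Attachment file names declared in the MIME parts.
mail_attachments() {
    grep -oiE 'filename="[^"]+"' "$1" | sed 's/^[^"]*"//; s/"$//' | sort -u
}

# Succeeds only if the file has an execute bit (i.e. it could be invoked).
is_executable() {
    [ -x "$1" ]
}

# Constructed sample mail, written to a temp file (mode 0600, no x bit).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Return-Path: <billing@mail.example.net>
From: "Accounts" <ceo@company.example>
Reply-To: <billing@mail.example.net>
Subject: Invoice overdue - account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Open your invoice: <a href="http://login.example.net/verify?id=123">Click Here Now</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.sh"
Content-Disposition: attachment; filename="invoice.sh"

IyEvYmluL3No
--b1--
EOF

echo "== headers ==";     mail_headers "$SAMPLE"
echo "== links ==";       mail_links "$SAMPLE"
echo "== attachments =="; mail_attachments "$SAMPLE"
if is_executable "$SAMPLE"; then echo "file has an execute bit"
else echo "file is not executable: it will not run unless someone chmod +x's it"; fi
```

A Reply-To that differs from the From domain, as in the sample, is the kind of mismatch the message source reveals and the rendered mail hides.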

A good suggestion (just in case).

Checking your system regularly is advisable no matter which OS you happen to use.

ClamAV is a popular (and free) Antivirus system for Linux:

However, as you seem to be in a work environment, Bitdefender have a range of solutions for the enterprise (not free):

Naturally there may be other solutions available, but none that we are at liberty to recommend – I’m afraid you will need to research those yourself. Perhaps your “CEO” can invest a little more significantly in security and ongoing training for staff.
Is there anything else we can help you with today?

Ah, so you have a CEO with no brains… or at least this CEO is trying to blag themselves out of admitting their fault and saying ‘something terrible happened to me, I clicked MY email passwords away so I will issue an important message telling everyone else they must change theirs (even though it was MINE that were compromised, not theirs)’.

  • I lost my house key, you should change YOUR locks?

  • My cat is dead, you should get a new dog?

Come on… I think this topic is now ended.

Thank you for clarifying the situation.