{"id":2467,"date":"2025-03-25T02:34:17","date_gmt":"2025-03-25T02:34:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2467"},"modified":"2025-03-25T02:34:17","modified_gmt":"2025-03-25T02:34:17","slug":"fbi-warns-beware-of-free-online-document-converter-tools","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2467","title":{"rendered":"FBI warns: beware of free online document converter tools"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default have forced criminals to up their innovation game, a security expert said Monday.<\/p>\n<p>David Shipley, head of Canadian security awareness training provider Beauceron Security, was responding to a <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/denver\/news\/fbi-denver-warns-of-online-file-converter-scam\">warning<\/a> released by the FBI Denver field office earlier this month about the growth of a scam that uses free online document converter tools to steal information or load malware onto an unsuspecting user\u2019s computer.<\/p>\n<p>\u201cUsing poisoned websites that can attempt to deploy malware through unpatched browsers or using trojaned programs that deploy tools for remote access are effective ways to find alternatives to traditional phishing with malicious Office attachments,\u201d he noted.<\/p>\n<p>To conduct this scheme, the FBI said, \u201ccyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. 
The suspect program might claim to be an MP3 or MP4 downloading tool.\u201d<\/p>\n<p>As well as performing the task as promised, the agency said, the malicious tools can also scrape submitted files for personally identifying information, banking information, email addresses, and passwords.<\/p>\n<p>Fred Chagnon, principal research director at Info-Tech Research Group, echoed the FBI warning, noting, \u201cthe concerns with using online document converters are two-fold. Firstly, and most prominently, you can\u2019t trust the integrity of the file you\u2019re getting back. Even the malicious services out there will perform the actual conversion for the user.\u201d<\/p>\n<p>However, he said, \u201cthe resulting PDF file may contain embedded JavaScript code, which executes upon launch, or in the case of a Word or Excel document, Visual Basic code, in the form of macros, could be hiding within the document. Endpoint detection and response tools can act as a layer of defense against these malicious programs, but this is not bulletproof.\u201d\u00a0<\/p>\n<p>The second, he added, is that there\u2019s no way to tell what the service is doing with the data from the uploaded files, which may contain sensitive or confidential information.<\/p>\n<h2 class=\"wp-block-heading\">Tactics are simple<\/h2>\n<p>Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, said, \u201cthese attacks are trivial. The user is tricked into executing the malicious code by claiming the code is a file conversion utility. In the past, attackers have used what they claimed to be \u2018cracked software\u2019 (software with the license check removed) or game cheats.\u201d<\/p>\n<p>In this case, he said, \u201ca user will typically search Google for a tool to convert, let\u2019s say, a Word document into a PDF. Bad actors will in some cases buy Google ads, or manipulate the search ranking to have their malicious tool show up at the top [of the results list]. 
In some cases, they may reply to questions being asked on websites like Stackoverflow [to advertise] the malicious tool.\u201d<\/p>\n<p>Once the victim executes the program, said Ullrich, \u201cthe tool will run the malicious code. In some cases, the tool will just exit and appear \u2018broken\u2019 to the user. In other cases, the tool may actually perform the legitimate action as well as the malicious action.\u201d<\/p>\n<p>Additionally, said Vikki Migoya, public affairs officer for the FBI\u2019s field office in Denver, in an email,  \u201cscammers try to mimic URLs that are legit \u2014 so changing just one letter, or \u2018INC\u2019 instead of \u2018CO.\u2019 \u00a0Users who in the past would type \u2018free online file converter\u2019 into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.\u201d<\/p>\n<p>She said, \u201cwithin the last month, a public sector entity in metro Denver got hit with this scam and a subsequent ransomware attack.\u201d She declined to provide more information, noting, \u201cany other details including how many cases or when it first surfaced would let the scammers know what is working for them and which of their scams we have uncovered.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Don\u2019t \u2018just trust the logo\u2019<\/h2>\n<p>Luke Connolly, a threat analyst with cybersecurity software and consulting firm Emsisoft, said the fact that the FBI has issued a warning is a good indication that this issue is fairly widespread, and should be taken seriously.<\/p>\n<p>Defenses, he said, include only using services from trusted vendors, using endpoint protection to scan any files from external sources before opening them, using web protection to block access to known malicious sites, and carefully inspecting the URL of any site with which you\u2019re exchanging information. <\/p>\n<p>Do not, said Connolly, \u201cjust trust the logo. 
Scammers use domain names that look convincing, but are not what they appear to be, combining \u2018rn\u2019 to look like an \u2018m\u2019 at a quick glance.\u201d<\/p>\n<h2 class=\"wp-block-heading\">IT can mitigate the risk<\/h2>\n<p>IT can help mitigate the risk, Shipley added, by addressing the underlying issue. \u201cUnderstanding business friction pain points like file conversion can help transform the relationship with fellow employees, turning IT and security teams from the dreaded <em>Department of No<\/em> to the friendly <em>Department of Know How to Do this Safely<\/em>,\u201d he pointed out.<\/p>\n<p>The easy answer, he said, is for IT to make sure regular users can\u2019t install software from unapproved sources and that browsers and operating systems are updated. But, he noted, \u201cthat doesn\u2019t stop someone from trying to work around controls if they think they need to do something for their job and the tools are not provided.\u201d For example, they may email the file to their private account and use an unsecured personal device to perform the conversion.<\/p>\n<p>The only way to mitigate this risk is through user education, and by providing the tools people need to do their jobs successfully, he added.<\/p>\n<p>Ullrich agreed. He said that users should be cautious about the sources of any downloads, sticking to official app stores where possible. And, he added, \u201can organization\u2019s security team should also support users by offering repositories of vetted tools. Anti-malware may help, but tends to be hit or miss.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default have forced criminals to up their innovation game, a security expert said Monday. 
David Shipley, head of Canadian security awareness training provider Beauceron Security, was responding to a warning released by the FBI Denver field office earlier this [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2468,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2467"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2467"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2467\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2468"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}