The FBI Denver field office has issued a warning about cybercriminals using fake online document converters to steal sensitive data and deploy ransomware on victims' devices. Reports of these scams have been increasing, prompting authorities to urge users to be cautious and report incidents.
"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," the agency stated.
Cybercriminals create fraudulent websites that offer free document conversion, file merging, or media download services. While these sites may function as expected, they secretly inject malware into downloaded files, enabling hackers to gain remote access to infected devices.
"To conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool," the FBI added.
These sites may claim to:
- Convert .DOC to .PDF or other file formats.
- Merge multiple .JPG files into a single .PDF.
- Offer MP3 or MP4 downloads.
Once users upload their files, hackers can extract sensitive information, including:
- Names and Social Security Numbers
- Cryptocurrency wallet addresses and passphrases
- Banking credentials and passwords
- Email addresses
Scammers also use phishing tactics, such as mimicking legitimate URLs by making slight alterations (e.g., changing one letter or replacing "CO" with "INC") to appear trustworthy.
“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams,” said Vikki Migoya, Public Affairs Officer for FBI Denver.
Cybersecurity experts have confirmed that these fraudulent websites are linked to malware campaigns. Researcher Will Thomas recently identified fake converter sites, such as docu-flex[.]com, distributing malicious executables like Pdfixers.exe and DocuFlex.exe, both flagged as malware.
Additionally, a Google ad campaign in November was found promoting fake converters that installed Gootloader, a malware loader known for:
- Stealing banking credentials
- Installing trojans and infostealers
- Deploying Cobalt Strike beacons for ransomware attacks
"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained a cybersecurity researcher.
Instead of receiving a legitimate document, users were given a JavaScript file that delivered Gootloader, which is often used in ransomware attacks by groups like REvil and BlackSuit.
To stay safe:
- Avoid unknown document conversion sites. Stick to well-known, reputable services.
- Verify file types before opening. If a downloaded file is an .exe or .JS instead of the expected document format, it is likely malware.
- Check reviews before using any online converter. If a site has no reviews or looks suspicious, steer clear.
- Report suspicious sites to authorities. Victims can file reports at IC3.gov.
While not all file converters are malicious, thorough research and caution are crucial to staying safe online.
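An added example (not from the FBI advisory or the researchers quoted) of the "verify file types before opening" step: it checks a converter download by its content rather than its name, and unwraps one ZIP level to cover the .docx-inside-a-.zip case described above. The function names, the extension list, and the size cap are assumptions chosen for illustration.

```python
import io
import os
import zipfile

# Extensions that Windows runs or hands to a script host on double-click.
RISKY_EXT = set(".exe .scr .msi .js .jse .vbs .wsf .hta .lnk .bat .cmd .ps1".split())
MAX_MEMBER = 50 * 1024 * 1024  # assumed cap: do not unpack larger members

def sniff(data: bytes) -> str:
    """Classify by leading bytes and ZIP layout (a .docx is a ZIP of OOXML parts)."""
    if data[:2] == b"MZ":
        return "exe"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] != b"PK\x03\x04":
        return "unknown"
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "unknown"
    is_docx = "[Content_Types].xml" in names and "word/document.xml" in names
    return "docx" if is_docx else "zip"

def check_download(name: str, data: bytes, expected: str, depth: int = 0) -> list:
    """Return reasons not to open a converter download; [] means it matched."""
    kind = sniff(data)
    if os.path.splitext(name)[1].lower() in RISKY_EXT or kind == "exe":
        return [f"{name}: executable or script, expected {expected}"]
    if kind == "zip" and depth == 0:  # unwrap one level (.docx delivered in a .zip)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            findings = [] if members else [f"{name}: empty archive"]
            for m in members:
                if m.file_size > MAX_MEMBER or m.flag_bits & 0x1:  # oversized/encrypted
                    findings.append(f"{m.filename}: not inspected, treat as suspect")
                else:
                    findings += check_download(m.filename, zf.read(m), expected, 1)
        return findings
    if kind != expected:
        return [f"{name}: content is {kind}, expected {expected}"]
    return []

def sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

Calling `check_download("converted.zip", sample_zip({"report.js": "// x"}), "docx")` on that constructed archive reports the script member, while an archive holding a real .docx returns an empty list.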