The Federal Bureau of Investigation (FBI) announced in a press release a new type of scam in which threat actors use free online document converters to stealthily install malware on victims’ computers or smartphones, leading to theft of sensitive information and incidents such as ransomware.
The FBI says, “In this scenario, criminals use free online document converter tools to load malware onto victims’ computers, leading to incidents such as ransomware.”
“To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file,” says the press release.
“It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool.”
This report comes from the FBI Denver Field Office, which says agents are becoming increasingly aware of these types of attacks. It explains that many ransomware attacks are initiated against users who searched for “free online file converters” on popular search engines such as Google, Safari, Edge, etc. These users often click on paid advertisements that appear prominently in the search results, which direct them to websites distributing ransomware.
The FBI says that although the converter and downloader tools initially do the job as intended, reading the file and converting it as the user instructed, it is the resulting file that delivers the malware.
“The resulting file can contain hidden malware giving criminals access to the victim’s computer. The tools can also scrape the submitted files for Personal Identifying Information (PII), Banking Information, Cryptocurrency Information (Seed phrases, Wallet Addresses), Email Addresses, and Passwords,” adds the report.
On how the attack is further carried out, Vikki Migoya, the Public Affairs Officer for FBI Denver, tells BleepingComputer, “The scammers try to mimic URLs that are legit – so changing just one letter, or ‘INC’ instead of ‘CO.’”
Malwarebytes also explains that the attack can be carried out in many ways, one of which is that “in the most sophisticated scenario, the so-called converted file contains malware code that downloads and installs an information stealer and everyone who opens it will get their device infected.”
In its report, Malwarebytes listed a number of domains as example indicators of compromise (IOCs) involved in this type of scam:
- Imageconvertors[.]com (Phishing)
- convertitoremp3[.]it (Riskware)
- convertisseurs-pdf[.]com (Riskware)
- convertscloud[.]com (Phishing)
- convertix-api[.]xyz (Trojan)
- convertallfiles[.]com (Adware)
- freejpgtopdfconverter[.]com (Riskware)
- primeconvertapp[.]com (Riskware)
- 9convert[.]com (Riskware)
- Convertpro[.]org (Riskware)
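One way a defender could put the listed indicators to use, as an added example that is not from the FBI or Malwarebytes: refang the domains and match them, including their subdomains, against DNS query logs. The log format, timestamps and client addresses below are constructed for illustration.

```python
# Defanged indicators as listed above, with the verdict label given there.
DEFANGED_IOCS = {
    "Imageconvertors[.]com": "Phishing",
    "convertitoremp3[.]it": "Riskware",
    "convertisseurs-pdf[.]com": "Riskware",
    "convertscloud[.]com": "Phishing",
    "convertix-api[.]xyz": "Trojan",
    "convertallfiles[.]com": "Adware",
    "freejpgtopdfconverter[.]com": "Riskware",
    "primeconvertapp[.]com": "Riskware",
    "9convert[.]com": "Riskware",
    "Convertpro[.]org": "Riskware",
}

def normalize(name: str) -> str:
    """Refang, lowercase, and drop the trailing root dot seen in DNS logs."""
    return name.strip().replace("[.]", ".").rstrip(".").lower()

IOCS = {normalize(d): verdict for d, verdict in DEFANGED_IOCS.items()}

def match_ioc(hostname: str):
    """Return (ioc, verdict) if hostname is a listed domain or a subdomain of one."""
    labels = normalize(hostname).split(".")
    # Compare whole-label suffixes so "my9convert.com" does not match "9convert.com".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate, IOCS[candidate]
    return None

# Constructed sample log (assumed format: timestamp, client IP, queried name).
SAMPLE_LOG = """\
2025-01-01T09:14:02Z 10.0.4.17 www.convertscloud.com.
2025-01-01T09:14:05Z 10.0.4.17 cdn.example.org
2025-01-01T09:15:40Z 10.0.7.3 API.Convertix-API.xyz
2025-01-01T09:16:11Z 10.0.7.9 my9convert.com
"""

def scan(log_text: str):
    """Return (timestamp, client, ioc, verdict) for every query that hits the list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing at fields
        hit = match_ioc(parts[2])
        if hit:
            hits.append((parts[0], parts[1], *hit))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the first and third constructed queries and ignores the unrelated and merely similar names.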
To stay safe against these types of attacks, it is advised to have active anti-malware protection on your devices and a browser extension that blocks malicious sites.
The FBI also advises people to be increasingly aware of their actions online as well as the types of risks they could be exposed to. In the event of an attack, the Denver Field Office recommends immediately reporting it to the victim’s financial institutions in order to protect their identity and accounts, as well as filing a report at IC3.gov.
It is also advised to change passwords from a clean and trusted device and to run a scan with up-to-date antivirus software, checking for potentially malicious software installed by scammers.