Update: Republished on March 27 as a new warning is issued about dangerous online document websites, with reports of campaigns actively attacking users.
The raft of recent FBI warnings hitting smartphone and computer users should not be a surprise. The threat landscape is rapidly worsening, whether from Chinese hackers penetrating U.S. networks or unpaid toll scams spiraling out of control. And much more dangerous AI-fueled attacks will soon turn all this up to eleven.
As I reported last week, the bureau is now warning website users to beware “a scam involving free online document converter tools,” with criminals using “converter tools to load malware onto victims’ computers, leading to incidents such as ransomware.”
Now the bureau has confirmed this threat is ongoing, with users continuing to fall victim. “FBI warnings are true,” says Bleeping Computer, “fake file converters do push malware.” An FBI spokesperson told the site that “the scammers try to mimic URLs that are legit, so changing just one letter, or ‘INC’ instead of ‘CO’. Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.”
“The best way to thwart these fraudsters,” the FBI says, “is to educate people so they don’t fall victim to these fraudsters in the first place. Every day, we are working to hold these scammers accountable and provide victims with the resources they need.” Yes, you should check URLs and avoid free ads topping search. But in reality you should not use online document converters at all — stick to established apps and platforms.
The FBI did not point out any specific websites to avoid. Cue threat hunter Will Thomas, who has posted some example URLs on X, and Malwarebytes, which has published “some recent examples of domains involved in this type of scam:
- Imageconvertors[.]com (phishing)
- convertitoremp3[.]it (Riskware)
- convertisseurs-pdf[.]com (Riskware)
- convertscloud[.]com (Phishing)
- convertix-api[.]xyz (Trojan)
- convertallfiles[.]com (Adware)
- freejpgtopdfconverter[.]com (Riskware)
- primeconvertapp[.]com (Riskware)
- 9convert[.]com (Riskware)
- Convertpro[.]org (Riskware).”
This threat, per the FBI’s warning, bleeds into the ransomware attacks hitting organizations across the U.S., public and private, large and small.
As CBS News reports, “federal investigators suggest the file converter method of attack may be behind the February ransomware attack of a Davenport, Iowa-based media company. Lee Enterprises operates media outlets in more than 70 small-town markets throughout the country, according to its website.”
Free document converters carry the same risk as the free apps that lure their way onto millions of phones, promising some sort of trivial functionality (a QR code or document reader, for example) while in reality carrying malware or abusing device permissions to harvest data and transmit it back to their handlers.
According to Fred Chagnon from Info-Tech Research Group (via CSO Online), there are multiple risks with using document converters, beyond just phishing. “Firstly, and most prominently, you can’t trust the integrity of the file you’re getting back. Even the malicious services out there will perform the actual conversion for the user.”
Beyond that, Chagnon warns, “the resulting PDF file may contain embedded JavaScript code, which executes upon launch, or in the case of a Word or Excel document, Visual Basic code, in the form of macros, could be hiding within the document. Endpoint detection and response tools can act as a layer of defense against these malicious programs, but this is not bulletproof.”
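A defender can check a file returned by a converter for the active content Chagnon describes before anyone opens it. The triage script below is an added example, not code from the FBI, Cofense or any vendor quoted here; the function name `triage` and the sample files are constructed for illustration, and the checks are heuristics that complement endpoint tools rather than replace them.

```python
import io
import re
import zipfile

# PDF name tokens that can trigger code or actions when the file is opened.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9])")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container

def triage(data: bytes) -> list[str]:
    """Return active-content indicators found in a converted file."""
    if data.startswith(b"%PDF-"):
        # PDF names may hide letters as #xx hex escapes (/J#61vaScript).
        plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), data)
        # Limitation: names inside compressed object streams are not seen.
        return sorted({"pdf:" + m.decode() for m in PDF_ACTIVE.findall(plain)})
    if data.startswith(b"PK"):
        # OOXML (.docx/.xlsx/.docm/.xlsm) is a ZIP; macros live in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return sorted("ooxml:" + n for n in z.namelist()
                              if n.lower().endswith("vbaproject.bin"))
        except zipfile.BadZipFile:
            return ["zip:unreadable"]
    if data.startswith(OLE_MAGIC):
        # Heuristic: the VBA project stream name is stored as UTF-16LE.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            return ["ole:_VBA_PROJECT"]
    return []

def _zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed samples (inert placeholders, not real malware).
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
SAMPLE_DOCM = _zip({"word/document.xml": b"<w:document/>",
                    "word/vbaProject.bin": b"placeholder"})
SAMPLE_DOCX = _zip({"word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("pdf", SAMPLE_PDF), ("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX)]:
        print(label, triage(blob))
```

An empty result means only that none of these markers were found, not that the file is safe.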
That same threat — documents hiding malware and phishing lures — is now surging, according to researchers at Cofense, with fake online tools driving the risk. The cyber team has just warned that dangerous “document websites” accounted for an alarming “8.8% of all credential phishing campaigns in 2024, showing the growing significance of this method.” This time the attacks pretend to be well-known document sharing websites rather than document conversion websites, masquerading as major brands.
“A specific mechanism to evade detection,” Cofense says, “is using online documents, such as Adobe, DocuSign, Dropbox, Canva, and Zoho. These services are often used internally and externally by companies, making the domains a trusted source when it comes to Secure Email Gateways automation. Some of these services will even email the recipient of the document directly, allowing threat actors to put little effort into their campaigns.”
Cofense says these document websites “are all trusted domains, as they are commonly used both by the public and with internal documents at companies. Therefore, many SEGs automatically allow these links to enter user email inboxes.”
In these attacks, legitimate domains are used to make easy detection all but impossible once an email or link lands on a user’s device. Cofense says the websites most commonly used in attacks belong to “DocuSign, Google Documents, Adobe, Canva, Dropbox, and Zoho… domains used in campaigns, specifically docusign[.]net, docs[.]google[.]com and drive[.]google[.]com, adobe[.]com, sharepoint[.]com, canva[.]com, dropbox[.]com, and zoho[.]com, respectively.”
Thanks to the FBI’s warning, the document conversion threat is now getting more press coverage, which will increase awareness. The document collaboration threat is on a very different scale, per the Cofense report, and it requires more sophisticated email and website defenses to be deployed. The use of on-device AI to monitor for such threats when they break through cloud or server-side defenses will be critical.
At least where document conversion is concerned, staying safe is relatively easy. Per Bleeping Computer, “while not all file converters are malware, it’s essential to research them before using and check reviews before downloading any programs. If a site is relatively unknown, it is better to avoid it altogether.”