If you’ve ever searched for a free way to convert a PDF to Word, or combine a few images into a PDF, there’s a good chance you’ve used an online file conversion tool. But according to a recent warning from the FBI, those “free” tools may come at a much higher cost than you bargained for.
In a public alert issued earlier this month, the FBI Denver Field Office warned that scammers are increasingly using fake document conversion and download tools to infect victims’ devices with malware – including ransomware – and to harvest sensitive personal information from uploaded files. These malicious sites often impersonate legitimate tools, mimicking popular domain names or appearing in sponsored search engine results to lure unsuspecting users.
The FBI reports these scam sites often work as promised – they’ll convert your document or download your video – but they also embed hidden malware in the resulting file. In other cases, attackers don’t even bother with the conversion and simply deliver a malicious executable or JavaScript file under the guise of a converted document.
Worse, these sites may scrape the documents you upload for information like Social Security numbers, banking credentials, cryptocurrency wallet addresses, and login passwords. It’s not just your device that’s at risk – your identity and finances could be compromised as well.
According to BleepingComputer, independent researchers have confirmed that sites such as pdfixers[.]com and docu-flex[.]com distributed malware-laced files. Other attacks have used Google ads to promote bogus converter sites that actually delivered the Gootloader malware, a sophisticated infection tool known to spread banking trojans, data stealers, and ransomware payloads like REvil and BlackSuit.
So, here’s my advice: Stop using online file converters entirely. I know that’s a strong statement, but this is a case where the risk far outweighs the reward. For the average internet user, it’s nearly impossible to tell which sites are legitimate and which are traps. Even links that look familiar can be slight variations of trusted domains – one character off, or using a different top-level domain (.co instead of .com).
Instead, use the tools built into the software you already trust. Microsoft Word, for example, can open and save PDF files, allowing you to convert between Word and PDF without leaving your computer. And for image or basic format conversions, AI tools like ChatGPT can handle tasks such as turning a JPG into a PNG, or even extracting text from PDFs, without exposing your files to unknown websites.
This is also yet another reason why malware protection is essential. I use Bitdefender on my PCs, but the brand matters less than simply having a solid, up-to-date antimalware solution installed. Any reputable antivirus program from a major vendor is better than no protection at all.
If you’ve already used one of these converter sites, and especially if you downloaded a file that ended in *.exe or *.js, run a full malware scan immediately. The FBI also encourages victims to report suspicious activity to www.ic3.gov.
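The following Python check is an added example, not code from the FBI alert or this article. It triages a file returned by a converter by flagging the script and executable extensions mentioned above and by comparing the file's first bytes with the format its name claims. The signature table, the extensions beyond .exe and .js, and the function names are assumptions chosen for illustration.

```python
import os

# Leading bytes of the formats a converter should hand back, plus Windows executables.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",          # container used by .docx/.xlsx/.pptx
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pe": b"MZ",                   # Windows .exe/.dll
}
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
            ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg"}
# .exe and .js are the two the article names; the rest are added here as assumptions.
RISKY_EXT = {".exe", ".js", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".hta"}


def sniff(head: bytes) -> str:
    """Return the format whose signature starts the file, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, head: bytes) -> str:
    """Classify a download by its final extension and first bytes."""
    ext = os.path.splitext(name.lower())[1]   # 'report.pdf.exe' -> '.exe'
    kind = sniff(head)
    if ext in RISKY_EXT:
        return "block: script or executable extension"
    if kind == "pe":
        return "block: executable content behind a document name"
    if ext not in EXPECTED:
        return "review: not a type a converter should return"
    if kind != EXPECTED[ext]:
        return "suspicious: content does not match extension"
    # A matching header only rules out a swapped file type, not embedded malware.
    return "header matches: still scan before opening"


def triage_path(path: str) -> str:
    """Read the first 8 bytes of a file on disk and triage it."""
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read(8))


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes).
    for name, head in [("report.pdf", b"%PDF-1.7"), ("report.pdf.exe", b"MZ\x90\x00"),
                       ("invoice.pdf", b"MZ\x90\x00"), ("notes.docx", b"%PDF-1.4")]:
        print(f"{name}: {triage(name, head)}")
```

Call `triage_path()` on a file in your downloads folder before opening it; any "block" or "suspicious" result means the file should be deleted or scanned rather than opened.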
[Image credit: Concept drawing of file download warning Techlicious/DALLE]