Surely this situation is familiar: you have a PDF file and you need to turn it into .doc to edit it in Word. An option would be to pay the Premium version of Adobe Acrobat, which allows you to do it, but most likely we seek to “convert PDF to Word” into Google, we access an online tool and upload the PDF without the slightest prevention. Well, this action, so innocent in appearance, can end up regular, as they have warned from the FBI.
What happened. The FBI office in Denver has issued an official statement in which they claim that its agents “are increasingly detecting more scams related to free online document conversion tools.” The modus operandi is relatively simple: “criminals use free online document conversion tools to load malware in victims computers, giving rise to incidents such as ransomware.”
How do they. From the agency they explain that cyberdelicuents are using free conversion or unloading tools. Although they do not give concrete names, they cite that the attack vector can be a website that promises to convert a PDF to Word or combine several images in PDF, or a tool to download videos and/or convert MP4 into MP3. It is easy to imagine examples of these tools.
They work, but they go with a bug. These tools can work and comply with what is promised, but nothing guarantees that the returned file is not infected. PDFs can contain malware, such as a JavaScript code that exploits vulnerability or sets a process through commands on our PC. An MP3 can also be infected, although not infecting itself, but exploiting vulnerability in a player, for example. That is, the options are varied.
In an online file converter you have to take into account which files returns us and what we do with those we have uploaded
Who is looking at. Beyond returning an infected file, these tools can obtain valuable information from us another way: seeing the files we have uploaded. If we have uploaded a PDF with our mail and telephone number (we think of a CV), it is possible that whoever is behind the malicious website uses this information for little lawful purposes. Let’s not talk about bank information, passwords, photos in which we leave, etc.
The importance of going with an eye. It should be noted that not all online tools are malicious, much less. That a website has a privacy policy where they clearly explain what they do with your files, contact information and that is known is already a good indicative. When in doubt, it is always a good idea to pass the files generated by a platform as Virustotal.
Cover image | Nao Triponez and Markus Spiske edited by WorldOfSoftware
In WorldOfSoftware | If you use cable headphones, you are vulnerable: they are a caramel for hackers
