FBI warns about online file converter sites which install malware, steal private information
Popular online tools that convert '.pdf,' '.doc' and '.jpg' files to a different format are being mimicked by scammers who offer similar services but instead maliciously install malware and ransomware onto users' computers or steal private information straight from the uploaded files, according to federal authorities.
The Denver office of the Federal Bureau of Investigation recently announced a noticeable increase in the number of free online converters that misrepresented their services. These have resulted in consumer losses.
The schemes come from across the globe.
"The best way to thwart these fraudsters is to educate people so they don't fall victim to these fraudsters in the first place," FBI Denver Special Agent in Charge Mark Michalek stated in a press release. "If you or someone you know has been affected by this scheme, we encourage you to make a report and take actions to protect our assets. Every day, we are working to hold these scammers accountable and provide victims with the resources they need."
The fake converter sites often advertise their ability to convert or combine customers' files for no cost. But malware accompanies the returned files and gives criminals access to the victim's computer, according to the FBI.
The converter sites also "scrape" the submitted files for personal information, particularly social security numbers, passwords, and data about bank accounts and cryptocurrency.
The agency advised consumers to study a converter site closely and keep their antivirus software up to date.
Unfortunately, however, many victims don't realize they have been infected by malware until it's too late and their computer is already infected with ransomware or their identity has already been stolen, as described by the FBI. In that case, contact your financial institutions immediately, change all passwords from a different device, and file a report at IC3.gov. Also, any infected devices may need to be taken to a professional for the removal of viruses and malware.
Federal investigators suggest the file converter method of attack may be behind the February ransomware attack on a Davenport, Iowa-based media company. Lee Enterprises operates media outlets in more than 70 small-town markets throughout the country, according to its website. The company filed a report with the U.S. Securities and Exchange Commission on Feb. 12:
On February 3, 2025, Lee Enterprises, Inc. ("Lee" or the "Company") experienced a systems outage caused by a cybersecurity attack. Upon discovery, Lee activated its incident response team, comprised of internal personnel and external cybersecurity experts retained to assist in addressing the incident.
Preliminary investigations indicate that threat actors unlawfully accessed the Company's network, encrypted critical applications, and exfiltrated certain files. The Company is actively conducting forensic analysis to determine whether sensitive data or personally identifiable information (PII) was compromised. At this time, no conclusive evidence has been identified, but the investigation remains ongoing.
In coordination with legal counsel, the Company has notified the relevant law enforcement about the matter, and will notify relevant federal and state regulatory bodies, and applicable consumer protection agencies, as necessary.
The incident impacted the Company's operations, including distribution of products, billing, collections, and vendor payments.
Distribution of print publications across our portfolio of products experienced delays, and online operations were partially limited. As of February 12, 2025, all core products are being distributed in the normal cadence, however weekly and ancillary products have not been restored. These products represent five-percent of the Company's total operating revenue. The Company anticipates a phased recovery over the next several weeks.
On March 3, several publications specializing in cybersecurity posted articles about a Russian-speaking ransomware group claiming responsibility for the Lee Enterprises hack. Qilin reportedly threatened to publicly release data about the company's investors, finances and newsgathering records on March 5.
It does not appear that the information was published.
Spokespersons for Lee Enterprises have not commented publicly about any negotiations or resolution with the source of the attack.