- Fake PDF converters are tricking users with cloned sites and fake CAPTCHAs
- PowerShell command installs malware that steals browser and crypto wallet data
- Attackers use realistic designs and social engineering to avoid detection
Cybercriminals are using fake PDF converters to install powerful malware on victims’ systems, experts have warned.
Research from CloudSEK found attackers are cloning popular file conversion websites like pdfcandy.com – replicating its logo and brand elements – in order to trick users into downloading malicious software.
CloudSEK says these fake sites look almost identical to the real ones. When someone tries to convert a file, the page shows a fake loading screen and then prompts for a CAPTCHA verification. Instead of just confirming the user is human, this step leads to an instruction to run a PowerShell command. Following the command downloads a zip file containing malware known as ArechClient2, part of the SectopRAT family of information stealers.
Collecting personal data, and worse
The malware uses a number of hidden methods to infect the system. It spawns normal Windows processes to hide its activity and begins collecting browser passwords, crypto wallet information, and other sensitive data. Once the malware is active, it can quietly send stolen information back to the attackers, CloudSEK reports.
The FBI has already warned that online file converters are becoming a popular way for criminals to spread their malware. CloudSEK’s research shows that attackers are improving their methods, cleverly blending realistic website designs with social engineering tricks in order to lower users’ defenses.
With online tools becoming part of everyday work and personal life, it’s important to know how to avoid these threats.
How to stay safe
The best way to protect yourself is to avoid clicking random search results for online file converters. Always visit known official websites directly.
In addition to that, always double-check the website address for small spelling changes that might be easy to miss.
For a good starting point, check out our round up of the best PDF editors, and the best free PDF editors. We also recommend the best Adobe Acrobat alternatives.
Staying cautious when uploading documents online can stop many of these attacks before they start.
Keep your antivirus software up to date (you’re doing this anyway, right?) and scan any downloaded files before you open them. Installing browser extensions that block suspicious or dangerous sites can also help.
If a website asks you to run PowerShell commands or download extra files after uploading a document, close the page immediately.
Finally, if you think you’ve been tricked, disconnect the device from the internet right away, change all important passwords from a safe device, and let your bank or service providers know as soon as possible.
