FBI warns of online file converter scam

In April 2024, WordPress 6.5 introduced, among other features, native support for the *.avif image format.

Most people only care about image file formats when faced with compatibility issues — Apple and its *.heic format for photos taken with the iPhone is, I think, the biggest awareness driver in this regard. I, unlike most people, spent months pondering whether the clear advantages of *.avif outweighed the universality of less efficient predecessors like *.jpg and *.png.

A few weeks ago, I decided to take the plunge and adopt *.avif for (almost) all the images in this Manual do Usuário.

Another downside of modern image formats is the lack of support. Any application that deals with images can handle a *.jpg file. But a *.avif? Good luck with that. Until just a few days ago, my workflow for these files involved generating an original image in *.jpg/*.png with the highest quality possible and then converting it using Squoosh, a web application from the Chrome team at Google.

Does it work? Yes, and it works great. However, I’m not too keen on relying on a website for my publishing workflow — it could become unavailable or even go offline.

There are some converters to/from *.avif for macOS, and there are CLI applications for this purpose, which I prefer.

I’m currently using/testing two: libavif, the official tool for the format, and cavif, from the same creator as ImageOptim. Both are excellent. I honestly don’t know which one to choose.

It was during this research that I stumbled upon a new type of online threat: scams involving online file converters. The warning comes from the FBI:

To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool.

These converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim’s computer. The tools can also scrape the submitted files for:

• Personal identifying information, such as social security numbers, dates of birth, phone numbers, etc.).
• Banking information.
• Cryptocurrency information (seed phrases, wallet addresses, etc.).
• Email addresses.
• Passwords.

Unfortunately, many victims don’t realize they have been infected by malware until it’s too late, and their computer is infected with ransomware or their identity has been stolen.

Throw the first stone if you’ve never search for “doc to pdf” and used the first site in the results. Guilty!

Of course, there are legitimate and safe services, like the aforementioned Squoosh. We don’t always remember them, especially when our need is sporadic or in corporate environments where the installation of apps is prohibited by the IT department, leading to the use of online (web) alternatives to bypass these security policies. Oh, the irony!

There’s a whole category of powerful local applications for such tasks: FFmpeg (audio and video; command line), Handbrake (video, with a graphical interface), GraphicsMagick (command line)… All free and open source, but more complex than the simple interfaces of web applications.

It’s not my intention to create alarmism over a rare, albeit plausible, scenario (or so says the FBI). Perhaps the solution to online insecurity is indeed that old adage that the only secure computer is the one that is turned off and buried six feet deep.