Improvements Microsoft has made to Office document security, which disable macros and other embedded malware by default, have forced criminals to up their innovation game, a security expert said Monday.
David Shipley, head of Canadian security awareness training provider Beauceron Security, was responding to a warning released by the FBI Denver field office earlier this month about the growth of a scam that uses free online document converter tools to steal information or load malware onto an unsuspecting user’s computer.
“Using poisoned websites that can attempt to deploy malware through unpatched browsers or using trojaned programs that deploy tools for remote access are effective ways to find alternatives to traditional phishing with malicious Office attachments,” he noted.
To conduct this scheme, the FBI said, “cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool.”
As well as performing the task as promised, the agency said, the malicious tools can also scrape submitted files for personally identifying information, banking information, email addresses, and passwords.
Fred Chagnon, principal research director at Info-Tech Research Group, echoed the FBI warning, noting, “the concerns with using online document converters are two-fold. Firstly, and most prominently, you can’t trust the integrity of the file you’re getting back. Even the malicious services out there will perform the actual conversion for the user.”
However, he said, “the resulting PDF file may contain embedded JavaScript code, which executes upon launch, or in the case of a Word or Excel document, Visual Basic code, in the form of macros, could be hiding within the document. Endpoint detection and response tools can act as a layer of defense against these malicious programs, but this is not bulletproof.”
The second, he added, is that there’s no way to tell what the service is doing with the data from the uploaded files, which may contain sensitive or confidential information.
Tactics are simple
Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, said, “these attacks are trivial. The user is tricked into executing the malicious code by claiming the code is a file conversion utility. In the past, attackers have used what they claimed to be ‘cracked software’ (software with the license check removed) or game cheats.”
In this case, he said, “a user will typically search Google for a tool to convert, let’s say, a Word document into a PDF. Bad actors will in some cases buy Google ads, or manipulate the search ranking to have their malicious tool show up at the top [of the results list]. In some cases, they may reply to questions being asked on websites like Stackoverflow [to advertise] the malicious tool.”
Once the victim executes the program, said Ullrich, “the tool will run the malicious code. In some cases, the tool will just exit and appear ‘broken’ to the user. In other cases, the tool may actually perform the legitimate action as well as the malicious action.”
Additionally, said Vikki Migoya, public affairs officer for the FBI’s field office in Denver, in an email, “scammers try to mimic URLs that are legit — so changing just one letter, or ‘INC’ instead of ‘CO.’ Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.”
She said, “within the last month, a public sector entity in metro Denver got hit with this scam and a subsequent ransomware attack.” She declined to provide more information, noting, “any other details including how many cases or when it first surfaced would let the scammers know what is working for them and which of their scams we have uncovered.”
Don’t ‘just trust the logo’
Luke Connolly, a threat analyst with cybersecurity software and consulting firm Emsisoft, said the fact that the FBI has issued a warning is a good indication that this issue is fairly widespread, and should be taken seriously.
Defenses, he said, include only using services from trusted vendors, using endpoint protection to scan any files from external sources before opening them, using web protection to block access to known malicious sites, and carefully inspecting the URL of any site with which you’re exchanging information.
Do not, said Connolly, “just trust the logo. Scammers use domain names that look convincing, but are not what they appear to be, combining ‘rn’ to look like an ‘m’ at a quick glance.”
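Migoya's "changing just one letter" and "'INC' instead of 'CO'", and Connolly's "rn" that reads as "m", are the three lookalike tricks the article names. The checker below is an added illustrative example, not code from the article or from any of the organisations quoted; it compares a hostname against a constructed allowlist of vetted converter domains and labels it as trusted, a confusable-character lookalike, a wrong top-level label (the INC/CO case is modelled here as a differing last label, an assumption), a one-edit typosquat, or unrelated. The allowlist entries and candidate hostnames are placeholders.

```python
"""Flag converter-site hostnames that impersonate a vetted domain.

Added illustrative example, not code from the article or from any of the
organisations quoted in it. It implements the lookalike tricks the article
describes: single-character edits, a changed last label, and confusable
sequences such as 'rn' for 'm'. Allowlist and candidates are constructed.
"""
import unicodedata

# Sequences or characters that read as another letter at a quick glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed allowlist of vetted services (placeholders, not real sites).
TRUSTED_DOMAINS = ("exampleconvert.com", "trustedpdf.co")


def canonical(label: str) -> str:
    """Fold a label to the shape a hurried reader would perceive."""
    label = unicodedata.normalize("NFKC", label).lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (second-level label, last label).

    Assumption: a two-label registrable domain; multi-label public suffixes
    such as co.uk would need a public-suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a qualified hostname: {host!r}")
    return parts[-2], parts[-1]


def classify(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Label a hostname relative to the allowlist of vetted domains."""
    sld, tld = split_host(host)
    registrable = f"{sld}.{tld}"
    if registrable in trusted:
        return {"host": host, "verdict": "trusted", "target": registrable}
    for good in trusted:
        gsld, gtld = split_host(good)
        if sld != gsld and canonical(sld) == canonical(gsld):
            return {"host": host, "verdict": "confusable", "target": good}
        if sld == gsld and tld != gtld:
            return {"host": host, "verdict": "wrong-tld", "target": good}
        if edit_distance(sld, gsld) == 1:
            return {"host": host, "verdict": "typosquat", "target": good}
    return {"host": host, "verdict": "unrelated", "target": None}


if __name__ == "__main__":
    # Constructed candidates a user might land on from a search result.
    for candidate in ("www.exampleconvert.com", "exarnpleconvert.com",
                      "trustedpdf.inc", "trustedpdfs.co", "other-tool.org"):
        print(classify(candidate))
```

The "confusable" branch runs before the edit-distance one because "rn" for "m" is two edits apart from the real label yet reads as identical, which is exactly why a distance threshold alone misses it; in a web filter this classification would feed a block or a warning page rather than a silent allow.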
IT can mitigate the risk
IT can help mitigate the risk, Shipley added, by addressing the underlying issue. “Understanding business friction pain points like file conversion can help transform the relationship with fellow employees, turning IT and security teams from the dreaded Department of No to the friendly Department of Know How to Do this Safely,” he pointed out.
The easy answer, he said, is for IT to make sure regular users can’t install software from unapproved sources and that browsers and operating systems are updated. But, he noted, “that doesn’t stop someone from trying to work around controls if they think they need to do something for their job and the tools are not provided.” For example, they may email the file to their private account and use an unsecured personal device to perform the conversion.
The only way to mitigate this risk is through user education, and by providing the tools people need to do their jobs successfully, he added.
Ullrich agreed. He said that users should be cautious about the sources of any downloads, sticking to official app stores where possible. And, he added, “an organization’s security team should also support users by offering repositories of vetted tools. Anti-malware may help, but tends to be hit or miss.”