The risks of using free file conversion tools online

In the first 10 months of 2024, Kaspersky detected and blocked 346 million web-based threats across APAC*. Web-based threats encompass a broad range of cyber risks that may trigger harmful events or actions via the internet. According to Kaspersky experts, one such risk involves using free online services to convert file formats, which they warn can expose users to cyberthreats. These websites offer fast and free conversion of a *.pdf file into *.doc, or a *.heic image file into *.jpg, for example. Individual and corporate users who deal with file conversion regularly often use these in a hurry and may overlook some risks associated with these ‘free’ tools. 

Software for desktop and mobile operating systems that can perform these conversion tasks is available, but often requires a subscription price which many users are unwilling to pay for. And in corporate environments this software can be unavailable for fast and easy installation. As a result, users turn to free online services. Yet, there are serious cybersecurity risks associated with using free online services to convert images, documents, and other file types. 

Below are some of the potential risks for both individual and corporate users.

1. Data Privacy Risks

• Exposure of sensitive information: When you upload files to these services, you risk exposing sensitive or confidential data to the service provider. This can be particularly concerning for corporate users, as the files may contain proprietary or customer information.

• Data retention policies: Many free services do not clearly specify how long they retain the files you upload, or whether they delete them after processing. Files could potentially be stored indefinitely. 
• Unauthorized use of data: Some services might claim ownership rights over files or data uploaded to their platform through ambiguous terms of service, which can lead to misuse of proprietary or personal content.
• Companies in regulated industries (e.g., healthcare, finance) may violate laws by uploading sensitive files to unapproved third-party services. This can lead to hefty fines and reputational damage.
• If a service provider is hacked, files stored on their servers may be leaked, exposing sensitive information.

2. Malware and Phishing Threats

• Malicious Code Injection: Some dubious services might modify files or include malicious code in the output, such as embedded scripts in PDFs or image metadata.
• Phishing Sites: Fake file conversion websites might be set up to steal sensitive information, such as user credentials, especially if login or subscription is required.

3. Man-in-the-Middle Attacks

• Attackers could intercept files if the service uses insecure communication protocols or if the website itself is compromised.

“While free online file conversion services offer undeniable convenience, they represent a growing cybersecurity blind spot, especially as digital workflows increasingly rely on solutions that are supposed to be fast and convenient. The real danger lies not just in the immediate risks of data exposure or malware but in how these services might evolve. As more users entrust sensitive files to such platforms, the incentive for cybercriminals to exploit them will only grow. We could see the rise of advanced phishing schemes or even AI-driven attacks, where malicious actors leverage uploaded files to target users with precision. For corporate environments, the reliance on these services could lead to systemic vulnerabilities, especially as regulatory bodies tighten scrutiny on data handling practices. What feels like a harmless shortcut today could become the Trojan horse of tomorrow,” comments Marc Rivero, Lead Security Researcher, Global Research and Analysis Team, Kaspersky.

Here’s how to minimize risks:

1. Use Trusted Services: Only use reputable and well-known file conversion platforms that have clear privacy policies and data handling practices.
2. Check Security Features: Ensure the site uses HTTPS and preferably end-to-end encryption for file transfers.
3. Read Terms and Policies: Understand how the service handles, stores, and deletes uploaded files.
4. Use Offline Tools: For sensitive or confidential files, consider using offline or local software instead of online services.
5. Corporate Guidelines: Follow your organization’s IT security policies and use approved tools for document handling and conversion.
6. Avoid Reusing Credentials: Never use corporate or sensitive credentials on third-party platforms.

* These detects come from Kaspersky’s main line of B2B and B2C solutions.