Companies are accidentally leaving confidential files on the Internet where third parties can download them. This happens when they upload files to malware-scanning websites, which then publish everything.

White-hat hackers at security company Cyjax report that, for example, IT personnel and security researchers submit files to free malware-scanning services to check them for malware, unaware that these files then become accessible to everyone.

These websites open files in secure sandboxes to detect malicious behaviour. For example, companies send email attachments to these sites to check for malware. However, many companies do not know that the sites publish the submitted documents.

“These services allow anyone to upload a file and then generate a report on what happens when the file is opened, giving an indication of whether the file is malicious or benign,” said the Cyjax Cylab team. “The chosen services all have public feeds and do not require any payment to download or view the public entries.”

Sensitive documents

By reviewing three of these services earlier this month, Cylab hackers were able to collect more than 200 documents. These were mainly purchase orders and invoices. In some cases, however, they also found more sensitive information, such as legal documents, insurance forms and government documents that contain personal information.

Even the more everyday files, such as purchase orders, can reveal a great deal about a company’s internal processes. In this way, cybercriminals can obtain enough information to carry out a targeted attack. The Cylab team noted that many organisations had no idea that the uploaded documents were accessible to everyone. According to Cyjax, companies should therefore consider offering their own tool, or at least training employees in the use of such sites.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.