Malware, short for “malicious software”, is an umbrella term for any malicious file or program, such as trojans, viruses, worms, spyware, adware, and keyloggers.
Do NOT attempt to check any suspicious files yourself!
Users who attempt to spread malware via the platform often use custom malware that is not yet detected by antivirus vendors. Account Security will be able to determine if a file is potentially malicious by submitting it to many antivirus vendors for analysis.
Key points to look for:
- Typically, malware is spread by newer accounts without a UPM
- The account will have spammed out many invites
- The job post will include an attachment or link to a file, most likely with one of the following extensions: .exe, .pif, .application, .gadget, .msi, .msp, .com, .scr, .hta, .cpl, .msc, .jar, .bat, .cmd, .vb, .vbs, .vbe, .js, .jse, .ws, .wsf, .wsc, .wsh, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .scf, .lnk, .inf, .reg, .doc, .xls, .ppt, .docm, .dotm, .xlsm, .xltm, .xlam, .pptm, .potm, .ppam, .ppsm, .sldm, and sometimes .pdf.
Keep in mind: a file is not automatically malicious just because it has one of the above extensions. Also, the malicious file(s) might be contained within a compressed file such as a .zip, .rar, .7z, .gz, or .tar file.
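The extension check described above can be done on the link text and attachment names alone, without downloading or opening anything. The following is an added example, not part of the original page or of any Upwork tooling; the function names, labels and sample post are hypothetical and constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Extensions copied from the list above; ".pdf" is the page's "sometimes" case.
LISTED = set("""exe pif application gadget msi msp com scr hta cpl msc jar bat cmd
vb vbs vbe js jse ws wsf wsc wsh ps1 ps1xml ps2 ps2xml psc1 psc2 msh msh1 msh2
mshxml msh1xml msh2xml scf lnk inf reg doc xls ppt docm dotm xlsm xltm xlam pptm
potm ppam ppsm sldm pdf""".split())
ARCHIVES = {"zip", "rar", "7z", "gz", "tar"}  # may hide a listed file inside
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extension_of(name_or_url):
    """Lowercased final extension of a file name or URL path; nothing is fetched or opened."""
    target = name_or_url.strip()
    if URL_RE.match(target):
        # Use only the path, so "example.com" hosts and query strings do not count.
        target = unquote(urlsplit(target).path)
    return PurePosixPath(target.rstrip(".,)")).suffix.lstrip(".").lower()

def triage(name_or_url):
    """Label one item. A label is a reason to escalate, not a verdict on the file."""
    ext = extension_of(name_or_url)
    if ext in ARCHIVES:
        return "archive"
    if ext in LISTED:
        return "listed-extension"
    return "not-listed"

def triage_post(text, attachments=()):
    """Triage every link found in the post text plus the attachment file names."""
    return {item: triage(item) for item in URL_RE.findall(text) + list(attachments)}

# Constructed sample input (hypothetical job post, reserved example domains).
SAMPLE_POST = (
    "Download the brief at https://files.example/dl/Project_Brief.SCR?src=job "
    "and our site is https://studio.example.com. Mirror: https://files.example/brief.7z"
)
SAMPLE_ATTACHMENTS = ["Requirements.DOCM", "logo.png", "assets.tar.gz"]

if __name__ == "__main__":
    for item, label in triage_post(SAMPLE_POST, SAMPLE_ATTACHMENTS).items():
        print(f"{label:17} {item}")
```

Matching is case-insensitive and uses only the URL path, so a site on a .com domain is not mistaken for a .com file.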
Example of a malware job post where the link leads to a trojan:
Example where the attachment was a custom trojan:
Example where the malware was not included on the job post, but was sent in response to applicants:
All reports of potentially malicious files, or any accounts that appear to be spreading malware, will be escalated to Account Security by following this process.
- Ensure details are provided about where the malware was found:
  - If the malware was provided off-platform: make sure the user provides a copy of it (and make sure not to open it yourself!)
  - If the malware was provided on-platform: make sure the user provides info about the job post or gives the job post link. If it is in Upwork Messages, take a screenshot on the FL’s behalf displaying the message thread that contains the malware (do not click the links yourself!)
- Locate the client account information:
  - To locate the client account with the job name (if the job URL is already at hand, skip to step d):
    a. Sudo into the FL account, click Find Work > Proposals
    b. Check the “Active” & “Archived” sections to view the proposals submitted
    c. Click the correct job name, click “View Job Posting”, then “Open in another browser” to find the job URL
    d. Copy the numbers/letters located at the end of the URL, starting with the “~” symbol, e.g. ~015b6cc7b367e01db7
    e. In OBO, click “Go To” in the top left corner & select “Opening”
    f. Paste the copied URL section; the CL account associated with the job will come up along with the job post
    g. Open the CL account in a new tab by clicking on the CL username
- Send to Account Security:
Report coming through a channel that doesn’t create a ticket (e.g. social media or a community form)? Send the info via email to accountsecurity-escalations@upwork.com (internal-only email address).