Microsoft has confirmed to Sky News that criminals are publishing counterfeit packages designed to look like Office products in order to defraud people.
One such package seen by Sky News is made to a convincing standard and contains an engraved USB drive, along with a product key.
But the USB does not install Microsoft Office when connected to a computer. Instead, it contains malicious software that encourages the victim to call a fake support line and hand over access to their PC to a remote attacker.
Microsoft launched an internal investigation into the suspicious package after being contacted by Sky News.
The company’s spokesperson confirmed that the USB and packaging were counterfeit and that they had seen a pattern of such products being used to defraud victims before.
They added that while Microsoft has seen this type of fraud, it is very rare. More often, when fraudulent products are sold, they tend to be product keys sent to customers via email, with a link to a site to download the malware.
“Microsoft is committed to helping protect our customers. We take appropriate steps to remove any suspected unlicensed or counterfeit products from the market and hold accountable those who target our customers,” the spokesperson said.
How does the fraud work?
Martin Pitman, a cybersecurity consultant for Atheniem, recovered the rogue USB and package after his mother, who was at someone else’s house when they tried to install it, called him.
“I was told an unexpected USB was delivered through the post that appeared to be an Office 365 product,” he told Sky News, adding that the original target of the fraud was a retired man.
It is extremely unusual for criminals to target people with postal parcels, especially when the victim does not appear to be of particularly high value.
Unlike phishing emails and other online scams, which can be sent to millions of potential victims at negligible cost, physical packages cost a significant amount to manufacture and post, so they offer criminal enterprises a much lower return on investment.
“I’ve heard of baiting attacks before and I knew this could be one of those, particularly since the person was talking to a call technician because they had gotten into trouble,” Pitman said.
“As soon as they plugged the USB into the computer, a warning screen came up saying there was a virus.
“To get help and fix the problem, they needed to call a toll-free number to get the computer working again.
“As soon as the number on the screen was called, the helpdesk installed some kind of TeamViewer (remote access program) and took control of the victim’s computer.
“Here, the hackers ‘solved’ the issue and then passed the victim on to the Office 365 subscription team to help complete the deal.
“The good news was that the victim used a credit card and did not provide any bank details.”
Fraudulent credit card transactions can often be reversed or cancelled, whereas recovering cash that criminals have withdrawn directly from a bank account they gained access to can be extremely difficult.
“I told the person to get off the phone and turn off the computer,” Pitman said.
“After this, I did a quick damage assessment and advised them to cancel their credit card, notify the bank to run a precautionary check on their accounts, and report the incident to Action Fraud.”
Pitman praised a cybersecurity company called Saepio for helping him spread the word about the scam.
“I feel like people should know this threat exists,” he told Sky News.
How to stay secure on your computer
Martin Pitman said: “The best advice, whether for this attack or others, is to follow the ‘Stop, think and decide’ model.
“Are you expecting this package? Is this a product offered by Microsoft? If you get stuck, use a search engine to find the correct helpline number, rather than relying on one provided by the suspect product.
“From a technical perspective, you need to make sure your device has the latest security updates installed and your antivirus is up to date.
“You shouldn’t run your computer from the administrator account if you’re just doing everyday tasks, it’s safer to create a new user account for that.
“You should use the advice from the National Cyber Security Centre to create strong passwords by choosing three random words, and also enable multi-factor authentication and use a password manager.”
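The advice above to keep day-to-day work out of an administrator account is easy to check and act on. The following PowerShell snippet is an added example for this article, not code from Microsoft, Sky News or Mr Pitman: it reports whether the current session is running with administrator rights and then creates a separate standard (non-administrator) local account for everyday use. The account name `DailyUse` is a placeholder; run it once from an elevated PowerShell prompt on Windows 10 or 11.

```powershell
# Added example (not from the original article). Tested against the built-in
# Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows 10/11.

# 1. Does the current process token carry administrator rights?
#    Note: under UAC this is $false in a non-elevated prompt even if the
#    account itself is in the Administrators group.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output "Current account '$($identity.Name)' running as administrator: $isAdmin"

# 2. Create a standard user for everyday tasks. The name is a placeholder;
#    the password is read interactively so it never appears in the script.
$userName = 'DailyUse'
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $userName"
    New-LocalUser -Name $userName -Password $password `
        -FullName 'Daily use (standard account)' `
        -Description 'Non-administrator account for everyday tasks' | Out-Null
}

# 3. New-LocalUser does not add the account to any group, so it cannot log
#    on interactively until it is a member of 'Users'. Make sure it is in
#    'Users' and NOT in 'Administrators'.
Add-LocalGroupMember -Group 'Users' -Member $userName -ErrorAction SilentlyContinue
if (Get-LocalGroupMember -Group 'Administrators' -Member $userName -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $userName
}

# 4. Verify: the new account must not appear in this list.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Log in with the standard account for browsing, email and documents; Windows will prompt for an administrator password only when something genuinely needs elevation, which also makes an unexpected "install this to fix the virus" request from a rogue USB or a cold-calling helpdesk much more conspicuous.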
A Microsoft spokesperson said: “We would like to assure all users of our software and products that Microsoft will never send you unsolicited packages and will never contact you out of the blue for any reason.
“You can visit this support page for guidance on how to avoid fraud and scams.
“If you wish to report fraudulent activity, you may do so by contacting Action Fraud or using the Microsoft Online Reporting Tool.”
A spokesman for the National Crime Agency said the scam was not something his incident team was aware of as an organized campaign, and he hoped the crime would be handled at the local police level.