Microsoft has confirmed to Sky News that criminals are releasing counterfeit packages designed to look like Office products to scam people.
One of these packages seen by Sky News is made to convincing standards and contains an engraved USB stick, as well as a product key.
But the USB stick won’t install Microsoft Office when plugged into a computer. Instead, it contains malware that encourages the victim to call a fake helpline and hand over access to their PC to a remote attacker.
Microsoft launched an internal investigation into the suspicious package after being contacted by Sky News.
The company’s spokesperson confirmed that the USB drive and packaging were counterfeit and that they had seen a pattern of these products being used to defraud victims.
They added that although Microsoft has seen this type of fraud, it is very rare. Most often, when fraudulent products are sold, they are usually product keys sent to customers by email, with a link to a site to download the malware.
“Microsoft is committed to helping protect our customers. We are taking appropriate action to remove any suspected unlicensed or counterfeit products from the market and to hold those who target our customers accountable,” the spokesperson said.
How does fraud work?
Martin Pitman, cybersecurity consultant for Atheniem, recovered the USB key and the fraudulent package after his mother called him from another person’s house, where they were trying to install it.
“I was told an unexpected USB stick had been delivered in the post which appeared to be an Office 365 product,” he told Sky News, adding that the initial target of the fraud was a pensioner.
It is extremely unusual for criminals to target people with postal parcels, especially when the intended victim does not appear to be of particularly high value.
Unlike phishing emails and other forms of online scams, which can be distributed to millions of potential victims at negligible cost to criminals, physical packages cost a significant amount of money to manufacture and post, which means they carry a much lower return on investment for criminal enterprises.
“I’ve heard of bait attacks before and knew it could be one, especially since the person was talking to a call technician because they had been in trouble,” Mr Pitman said.
“As soon as they plugged the USB drive into the computer, a warning screen appeared saying there was a virus.
“To get help and fix the problem, they had to call a toll-free number to get the computer back up and running.
“As soon as they called the number on the screen, the help desk installed some kind of TeamViewer (remote access program) and took control of the victim’s computer.
“Here the hackers ‘triaged’ the issue and then escalated the victim to the Office 365 subscription team to help complete the action.
“The good news is that the victim used a credit card and gave no bank details.”
Fraudulent credit card transactions can often be recovered or reversed, while it can be extremely difficult to get a bank to refund money that has been withdrawn from an account if criminals can access it.
“I asked the person to hang up the phone and turn off their computer,” Mr Pitman said.
“After that, I did a quick damage assessment and advised them to cancel their credit card, notify the bank to carry out a precautionary check on their accounts and report the incident to Action Fraud.”
Mr Pitman praised a cybersecurity company called Saepio for helping him publicize the scam.
“I think people should know that this threat exists,” he told Sky News.
How to Stay Safe on Your Computer
Martin Pitman said: “The best advice, whether for this attack or others, is to follow the ‘Stop, Think and Decide’ pattern.
“Are you expecting this package? Is this a product offered by Microsoft? If you get stuck, use a search engine to find the correct support number, rather than relying on the one provided by the suspect product.
“From a technical point of view, you must ensure that your device has the latest security updates and that your antivirus is up to date.
“You shouldn’t run your computer from the administrator account if you’re only doing day-to-day tasks, it’s safer to create a new user account for those.
“You should use the National Cyber Security Center’s guidance on creating strong passwords by choosing three random words, and also enable multi-factor authentication and use a password manager.”
The Microsoft spokesperson said, “We want to reassure all users of our software and products that Microsoft will never send you unsolicited packages or contact you out of the blue for any reason.
“You can visit this support page for advice on how to avoid fraud and scams.
“If you would like to report fraudulent activity, you can do so by contacting Action Fraud or using the Microsoft Online Reporting Tool.”
A spokesman for the National Crime Agency said the scam was not something his incident team was aware of as an organised campaign and that he expected the crime to be dealt with at local police level.