Microsoft has confirmed to Sky News that criminals are posting counterfeit packages designed to appear like Office products in order to defraud people.
One such package seen by Sky News is manufactured to a convincing standard and contains an engraved USB drive, alongside a product key.
But the USB does not install Microsoft Office when plugged in to a computer. Instead, it contains malicious software which encourages the victim to call a fake support line and hand over access to their PC to a remote attacker.
Microsoft launched an internal investigation into the suspect package after being contacted by Sky News.
The company spokesperson confirmed that the USB and the packaging were counterfeit and that they had seen a pattern of such products being used to scam victims before.
They added that while Microsoft had seen this type of fraud, it is very infrequent. More often when fraudulent products are sold they tend to be product keys sent to customers via email, with a link to a site for downloading the malicious software.
“Microsoft is committed to helping protect our customers. We take appropriate action to remove any suspected unlicensed or counterfeit products from the market and to hold those targeting our customers accountable,” the spokesperson said.
How does the fraud work?
Martin Pitman, a cybersecurity consultant for Atheniem, recovered the fraudulent USB and package after his mother called him when she was at another person’s home as they attempted to install it.
“I was told that an unexpected USB was delivered through the post that looked to be an Office 365 product,” he told Sky News, adding that the original target of the fraud was a retired man.
It is extremely unusual for criminals to target people with postal packages, especially when the intended victim doesn’t appear to be particularly high-value.
Unlike phishing emails and other forms of online scam which can be distributed to millions of potential victims with negligible costs for the criminals, physical packages will cost a significant amount to manufacture and post, meaning they risk a much lower return on investment for criminal enterprises.
“I’ve heard of baiting attacks before and knew this could be one of those, particularly as the person was speaking to a call technician as they had run into trouble,” said Mr Pitman.
“As soon as they had plugged the USB into the computer, a warning screen appeared saying there was a virus.
“To get help and fix the issue, they needed to call a toll-free number to get the computer up and running again.
“As soon as they called the number on screen, the helpdesk installed some sort of TeamViewer (remote access program) and took control of the victim’s computer.
“Here the hackers ‘sorted’ the problem and then passed the victim over to the Office 365 subscription team to help complete the action.
“The good news was that the victim used a credit card and didn’t give over any bank details.”
Fraudulent transactions on credit cards can often be recovered or cancelled, whereas it can be extremely challenging to get a bank to refund cash that has been taken out of an account if the criminals can access it.
“I instructed the person to hang the phone up and turn their computer off,” said Mr Pitman.
“After this, I carried out a quick damage assessment and advised that they cancelled their credit card, inform the bank to put a precautionary check on their accounts, and to report the incident to Action Fraud.”
Mr Pitman praised a cybersecurity company called Saepio for helping him spread the word about the scam.
“I feel that people should know that this threat is out there,” he told Sky News.
Martin Pitman said: “The best bit of advice, either for this attack or others, is to follow the ‘Stop, Think, and Decide’ model.
“Are you expecting this parcel? Is this a product that Microsoft offers? If you do get stuck, use a search engine to find the correct helpline number, rather than trusting one provided by the suspect product.
“From a technical perspective, you should ensure your device has the latest security updates installed and your antivirus is up-to-date.
“You shouldn’t run your computer from the administrator account if you are just doing everyday tasks, it’s safer to create a new user account for those.
“You should use the National Cyber Security Centre advice on creating strong passwords by picking three random words, and also enable multifactor authentication and use a password manager.”
Microsoft’s spokesperson said: “We’d like to reassure all users of our software and products that Microsoft will never send you unsolicited packages and will never contact you out of the blue for any reason.
“You can visit this support page for guidance on how to avoid fraud and scams.
“If you wish to report fraudulent activity, you can do so by contacting Action Fraud or using the Microsoft online reporting tool.”
A spokesperson for the National Crime Agency said the scam was not something that its incident team was aware of as an organised campaign, and expected the crime to be handled at a local policing level.