UK scammers mailing counterfeit Microsoft Office USB drives

The attacks appear to be random and untargeted

People who receive the drives may think they have accidentally obtained a genuine copy of Office Professional Plus

Cybercriminals in the UK are sending malicious USB drives to people in the post, in an effort to infect their systems with malware.

As covered by Sky News, scammers sent USB sticks with fake Microsoft Office suites to random addresses in what appeared to be genuine Microsoft packaging, trying to fool victims into believing they had accidentally obtained a genuine copy of Office Professional Plus - which retails for £420.

Instead of installing Office, on being plugged into a PC the USB stick would prompt the target user to call a fake support number. The cybercriminals would use this contact to convince the victim to provide remote access to their PC and hand over their payment details.

Martin Pitman, a cybersecurity researcher with Atheniem, says he retrieved the counterfeit USB and package after his mother called him from someone else's house, where they were attempting to install the Office software.

"I was told that an unexpected USB was delivered through the post that looked to be an Office 365 product," Pitman told Sky News.

A retired man was the original target of the fraud.

As soon as the USB was connected to the computer, a malware warning message appeared on the screen. To get their computer working properly again, the victim needed to call a toll-free number to receive assistance and rectify the problem.

As soon as they dialled the number displayed on the screen, the help desk installed a remote access programme and seized control of the computer.

"Here the hackers 'sorted' the problem and then passed the victim over to the Office 365 subscription team to help complete the action," Martin added.

Microsoft is aware of the issue. A company spokesperson confirmed to Sky News that the packages and USBs were fakes, and Microsoft had previously seen similar items being used to defraud consumers. However, they said, this kind of scam is very uncommon.

Usually when fraudulent products are sold, they take the form of product keys that are sent to buyers along with a link to a malicious website that offers software for download.

Microsoft has launched an internal probe into the matter.

"We'd like to reassure all users of our software and products that Microsoft will never send you unsolicited packages and will never contact you out of the blue for any reason," said the spokesperson.

"You can visit this support page for guidance on how to avoid fraud and scams."

We saw a similar scam, although more targeted, in the USA earlier this year, when the FBI warned the US defence industry that threat actors were sending malicious drives to businesses to compromise their networks.

The FBI said the FIN7 group mailed multiple parcels through the United States Postal Service (USPS) and United Parcel Service while impersonating both Amazon and the US Department of Health & Human Services.

Those packages sometimes contained letters about Covid-19 guidelines. At other times they included fake gift cards or thank-you messages. Alongside them were flash drives with the LilyGO logo, containing malware.

As soon as the device was plugged into the system, the malware registered as a Human Interface Device (HID) Keyboard, enabling it to continue to function even after the drive was removed.

It later installed other malware to deploy ransomware.