In brief: Readers of this site will know that one of the golden rules in life is never to use an unsolicited USB stick that arrives in the mail, even when it’s inside convincing Microsoft Office packaging and engraved with the Office logo. Criminals have been using the trick to scam unsuspecting victims in the UK who believed they were sent the expensive piece of software by mistake.
The baiting attack is a more elaborate version of the traditional email phishing version in which millions of people receive messages with links to supposedly free software, often one of Microsoft’s suite of programs, but they are actually downloading malware onto their device.
While mailing an engraved USB stick inside fake Office Professional Plus packaging to random people might cost a lot more than email phishing, recipients are more likely to be fooled into thinking it’s the real deal, convinced they were sent the $439 item by mistake.
Sky News reports that the storage device does not contain Microsoft Office, of course. Victims who plug the drive into their machines are met with a warning informing them that their system is infected with a virus, and the only way of removing it is to call the included toll-free number.
Martin Pitman, a cybersecurity consultant for Atheniem, explains that this is the point where the scam moves into more traditional territory. After making the call, the person on the other end of the line explains to the victim that they need to install a program to rid themselves of the virus. This is a type of remote access program (RAT) that grants the scammer complete control of the computer.
“Here the hackers ‘sorted’ the problem and then passed the victim over to the Office 365 subscription team to help complete the action,” Pitman explained.
Microsoft confirmed it is aware of the scam taking place but insisted such instances are rare. The company said it makes every effort to remove any suspected unlicensed or counterfeit products from the market. Microsoft reaffirmed that it never sends out unsolicited packages, and it does not contact people out of the blue for no reason.