Buying popular software online at greatly reduced prices from second-hand sources has always been a dubious security proposition. But buying heavily discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.
Last week, KrebsOnSecurity heard from a reader who had just purchased a copy of Microsoft Office 2016 Professional Plus from a seller on eBay for less than $4. Let’s call it Red Flag #1, because a legitimately purchased license of Microsoft Office 2016 will always cost between $70 and $100. Nonetheless, nearly 350 other people had made the same purchase from this seller in the past year, according to eBay, and there appear to be many sellers like this.
After purchasing the item, the buyer said he received the following explanatory (exclamatory?) email from the seller, “Newhotsale68” from Vietnam:
Hello my friend!
Thank you for your purchase:)
Very important! Office365 is a subscription product and does not require any KEY activation. Account + password = free use for life
1. Login with the original password and the official website will ask you to change your password!
2. Make sure you remember the new changed password. Once you forget your password, you will lose Office365!
3. After changing your password, log into the official website to start downloading and installing Office365!
Your account information:
* USERNAME: (username sent)
Initial password: (password sent)
Access link to Microsoft Office 365:
Sounds legitimate, right?
This merchant appears to be reselling access to existing Microsoft Office accounts, because to use this purchase the buyer must log into Microsoft’s site using someone else’s username and password! Let’s call this Red Flag #2.
More importantly, the buyer cannot change the email address associated with the license, which means that the owner of that address can probably still assume control of the licenses attached to it. We will call this Ginormous Red Flag #3.
“The username you use to register and activate Office is the one they provide to you in their email when you purchase the license on eBay,” wrote the reader who alerted me to this questionable transaction. “You never use your own email account to sign up; you have to log in with theirs. Once you are in the account, you cannot change your email account username because the administrator has locked it.”
This is what the profile looked like when the reader tried to edit the license details.
This version of Office prompts the user to sync all data and documents to a 5TB Microsoft OneDrive account. What could go wrong?
“You can sign out of their Microsoft account to break the connection to the OneDrive account,” the reader said. “By default I was signed in, and I bet most people who install it just click next and stay signed in.”
That’s not all: the account has been set up in such a way that the administrator (the seller) retains control over specific applications in the Office installation, including OneNote and Class Notebook.
“I guess the end result of all of this might be the old adages, ‘you get what you pay for’ and ‘if it sounds too good to be true, then it probably is,’” said the reader at the end of his email.
I couldn’t have said it better myself.