Cybersecurity, Policies and Training

Cybercriminals Selling Stolen Windows Credentials on eBay

The dark Web serves as a clearinghouse for much of the personal information, company data, and log-in credentials stolen through cyberattacks. However, these clandestine marketplaces are narrowly confined to those willing to engage in criminal behavior to get access to illicit data. Some cybercriminals appear to be branching out and are selling illegally obtained user credentials for popular (and typically costly) software to folks looking to save a few bucks.


Security journalist Brian Krebs heard from a reader earlier in January about the reader's purchase of a digital copy of Microsoft Office® 2016 Professional Plus, for which he paid the bargain-basement price of $3.97. For reference, a one-time license for Office Professional 2019 (Microsoft no longer sells the 2016 version) runs $439.99; alternatively, you can subscribe to Office 365, which costs $70 per year for a single-PC personal license or $8.25 per user per month for its entry-level business offerings.

Krebs posted the contents of the e-mail the reader received from the seller (“Newhotsale38,” based in Vietnam) after the purchase. The message is full of the red flags you would expect from such a sale:

  • The product delivered (an Office 365 account) is different from the product advertised (Office 2016 Professional Plus).
  • There is no license key, as you might expect if you purchased a single-install version of Office; instead, the buyer must log in using a username (misspelled in the e-mail) and password provided by the seller.
  • The buyer cannot change the e-mail address associated with the account, which, as Krebs points out, means that the original account owner can still assume control over the license.

So, at the end of the day, you (or your employees if you purchased multiple credentials) could find yourself without access to your super cheap software solution.

Worse, the reader notes that during setup the illicit copy prompted them to “sync all data and documents over to a 5-terabyte Microsoft OneDrive account.” For anyone who clicks through software setup screens without reading, that means the account owner (in this case the seller) would have unfettered access to any data that landed in the attached cloud storage. Additional permissions scattered through other programs in the suite (such as OneNote) likewise gave the seller administrative control over the buyer's data.

Protecting Credentials and Real ‘Shadow IT’ Concerns

While a bargain install like this is unlikely to touch an enterprise's own IT assets directly, there are two major issues for cybersecurity professionals to keep in mind. First, these credentials had to come from somewhere, and they were most likely stolen in a breach. The story highlights the ongoing need to reinforce basic cyberhygiene with the end users at your organization: one successful phishing e-mail is enough for an attacker to gain a foothold on a network and harvest credentials for resale.

The other, less visible angle concerns your organization's bring-your-own-device (BYOD) policy. If you allow employees to work from home on their own equipment, can you be sure they are using authentic software purchased from the vendor rather than a pirated copy or a shared account bought from a stranger? As the story above shows, an Office install signed in with someone else's account can quietly sync company documents to that person's OneDrive. Again, it comes down to communicating proper cyberhygiene practices and discussing these hazards directly before granting anyone work-from-home privileges.
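The question "is this a genuine, properly licensed install?" is answerable on a Windows endpoint. The following is an added example, not code from the article or from Krebs, that reports Office's license status and the accounts Office is signed in with, and flags an install that is either unlicensed or tied to an account outside your organisation's domains. It assumes an Office 2016 / Microsoft 365 click-to-run install (the OSPP.VBS path and the Identities registry key are the ones those builds use; verify on your own version), and the -AllowedDomains list and the domain example.com are hypothetical placeholders for your own corporate domains.

```powershell
# Added example, not from the article: report Office license state and the
# Microsoft accounts Office is signed in with, so a BYOD check can flag installs
# that are unlicensed or tied to an account the user does not control.
# Assumes Office 2016 / Microsoft 365 click-to-run paths; verify on your build.
function Get-OfficeLicenseReport {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list of your organisation's e-mail domains.
        [string[]]$AllowedDomains = @('example.com')
    )

    # 1. License status via the Office Software Protection Platform script.
    $ospp = @(
        "$env:ProgramFiles\Microsoft Office\Office16\OSPP.VBS",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office16\OSPP.VBS"
    ) | Where-Object { Test-Path $_ } | Select-Object -First 1

    $licenses = @()
    if ($ospp) {
        $current = $null
        # /dstatus prints one block per installed license; each block carries
        # a LICENSE NAME line followed later by a LICENSE STATUS line.
        foreach ($line in (cscript.exe //Nologo $ospp /dstatus)) {
            if ($line -match '^LICENSE NAME:\s*(.+)$') {
                $current = [pscustomobject]@{ Name = $matches[1].Trim(); Status = 'UNKNOWN' }
                $licenses += $current
            }
            elseif ($current -and $line -match '^LICENSE STATUS:\s*-*(\w+)-*\s*$') {
                # e.g. LICENSED, NOTIFICATIONS, OOB_GRACE, UNLICENSED
                $current.Status = $matches[1]
            }
        }
    }

    # 2. Accounts Office is signed in with for the current user.
    $accounts = @()
    $idRoot = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities'
    if (Test-Path $idRoot) {
        foreach ($key in Get-ChildItem -Path $idRoot) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.EmailAddress) {
                $domain = ($props.EmailAddress -split '@')[-1].ToLowerInvariant()
                $accounts += [pscustomobject]@{
                    Email    = $props.EmailAddress
                    Provider = $props.ProviderId   # e.g. OrgId (work/school) or Windows Live (personal)
                    Trusted  = ($AllowedDomains -contains $domain)
                }
            }
        }
    }

    [pscustomobject]@{
        Licenses          = $licenses
        Accounts          = $accounts
        UnlicensedInstall = ($licenses.Count -eq 0) -or
                            (@($licenses | Where-Object Status -ne 'LICENSED').Count -gt 0)
        UntrustedAccount  = (@($accounts | Where-Object { -not $_.Trusted }).Count -gt 0)
    }
}

# Example usage: flag anything not licensed, or signed in with a non-corporate account.
$report = Get-OfficeLicenseReport -AllowedDomains 'example.com'
if ($report.UnlicensedInstall -or $report.UntrustedAccount) {
    Write-Warning "Office install on $env:COMPUTERNAME needs review"
}
$report.Licenses | Format-Table -AutoSize
$report.Accounts | Format-Table -AutoSize
```

Note that the sale described in the article would pass the license check: the suite is licensed, just through the seller's subscription. What gives it away is the identity list, which would show an e-mail address the employee does not own, which is why the report checks both.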

These are not the only solutions, of course, but a security policy that fosters open dialogue will go a long way toward preventing these kinds of security problems.