08 Jan 19

Dirt-Cheap, Legit, Windows Software: Pick Two

Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.

Last week, KrebsOnSecurity heard from a reader who’d just purchased a copy of Microsoft Office 2016 Professional Plus from a seller on eBay for less than $4. Let’s call this Red Flag #1, as a legitimately purchased license of Microsoft Office 2016 is still going to cost between $70 and $100. Nevertheless, almost 350 other people had made the same purchase from this seller over the past year, according to eBay, and there appear to be many auctioneers just like this one.

After purchasing the item, the buyer said he received the following explanatory (exclamatory?) email from the seller — “Newhotsale68” from Vietnam:

Hello my friend!
Thank you for your purchase:)

Very important! Office365 is a subscription product and does not require any KEY activation. Account + password = free lifetime use

1. Log in with the original password and the official website will ask you to change your password!

2. Be sure to remember the modified new password. Once you forget your password, you will lose Office365!

3. After you change your password, log on to the official website to start downloading and installing Office365!

Your account information:

* USERMANE : (sent username)
Password Initial: (sent password)
Microsoft Office 365 access link:

Http://portal.office.com/

Sounds legit, right?

This merchant appears to be reselling access to existing Microsoft Office accounts, because in order to use this purchase the buyer must log in to Microsoft’s site using someone else’s username and password! Let’s call this Red Flag #2.

More importantly, the buyer can’t change the email address associated with the license, which means whoever owns that address can likely still assume control over any licenses tied to it. We’ll call this Ginormous Red Flag #3.

“The username that you use to register and activate Office is one that they provide to you in their email when you buy the license on eBay,” wrote the reader who alerted me about this dodgy transaction. “You never use your own email account to register, you have to log in with theirs. Once you’re inside the account you can’t change the username to your email account because the admin locked it down.”

Here’s what the profile looked like when the reader tried to change details tied to the license.

This version of Office prompts the user to sync all data and documents over to a 5TB Microsoft OneDrive account. What could go wrong?

“You can sign out of their Microsoft account to break the connection to the OneDrive account,” the reader said. “By default it had me signed in and I bet most people installing this just click next and stay signed in.”

That’s not all: The account was set up so that the administrator (seller) maintained control over specific apps on the Office installation, including OneNote and Class Notebook.

“I guess maybe the end result of all of this are the old adages, ‘you get what you pay for’ and, ‘if it sounds too good to be true then it probably is,’” the reader said at the conclusion of his email.

Couldn’t have said it better myself.


73 comments

  1. Brian, I’ve talked to a lot of IT guys and they all seem to steer me away from purchasing security software like McAfee. I use Windows 10 so I get the security that comes with that subscription and auto-updates. What is your recommendation on the subject?

    • Malwarebytes premium, Windows 10 built in AV/anti-malware. An up to date browser and software and a good chunk of common sense when it comes to clicking on links. Most of all never use an administrator level account for internet/email or day to day use and if in doubt – don’t click that link or open that attachment.

    • There is nothing wrong with McAfee AV, and it is actually a much better choice than Malwarebytes or Windows Defender.
      The main issue is that it may not be as quick as other AVs such as Cylance or EnSilo to get protection against brand new attack methods – think that some AV vendors only need to update one product line, McAfee and other major vendors will need three-four days as they have like +30 products on different OS versions to align. For personal use – when you are not working for a company which may be targeted by APT attacks – it is more than acceptable.
      Lots of security professionals tend to bash mainstream AVs, but there is no substantiated ground to consider them worse than others or not useful – quite the contrary, at least for the average home users. Use in an enterprise is another story.

      • >There is nothing wrong on McAfee AV, and it is actually a much better choice than Malwarebytes or Windows Defender.

        Absolutely false, I haven’t kept up with Malwarebytes in recent years, but Windows Defender is hands down better than the junkware AV solutions such as McAfee and Norton

    • I’ve been using McAfee LiveSafe on corporate machines. They had a great deal where you had unlimited machines on the license, which I don’t know if it is still the case. I’ve also got most personal devices on Avast Premium, as a $60 yearly subscription got me protected on an older iMac, a Windows 10 Enterprise laptop, two Android phones and an Android tablet. Finally I use ClamAV on Linux systems. As I do have malware on certain systems to reverse engineer, I test all three (McAfee, Avast, and ClamAV) on the known malware to ensure that it picks it up. I would steer you away from Norton, Kaspersky or Webroot, etc., but just on footprint, the way they hog system resources, or the way they slow down the system. Individual user mileage may vary…

    • Mikey Doesn't Like It

      Doug, as the old saying goes, “don’t put all your eggs in one basket.”

      Your IT person probably was telling you that to rely on AV software alone is foolish. Instead, as others have noted, a blend of security apps, judicious OS settings, regular updates and a boatload of caution and common sense will go a long way toward securing your system(s).

    • McAfee has a history of flagging parts of Windows as a virus and in the process breaking Windows. I say history because they’ve done it a half dozen times (possibly more, the half dozen times are just ones I got called in to fix). Symantec has done it too but far less often, I’ve only heard of it twice.

      When I worked phone tech support McAfee scans would regularly false positive and generate calls that customers refused to accept our answer for, that there was no way an executable-based virus could live in the middle of one of our product’s video files, leading to long uncomfortable calls no matter how many ways we explained it to them.

      Depending on one AV solution in this day and age is silly, you need a blended approach of multiple products. I just would steer clear of McAfee being one of those products if you want to continue to be able to boot Windows with any kind of certainty.

    • I would highly recommend not to use McAfee or Windows antivirus.

      TrendMicro, Hitman Pro Alert, Bitdefender are good brands to use. There’s different features available for each. To know exactly which one is the best, check the antivirus test results online.

      One good place to go to is http://www.av-test.org.

      • pretty sure Hitman Pro comes built into Sophos now as well…

        • Sophos bought out Hitman Pro, but they are still separate products. If you buy Sophos business edition, I’m pretty sure they’ve included hitmanpro’s stuff.

          Hitman pro scans your pc with over 5 different av signature databases I think.

          They also encrypt everything you type in your browser. They have a long list of things you can do with the hitmanpro.alert version.

      • All of those are meh! in my opinion. What you need is something like Cylance Home or another Next Gen AV. All the basic signature based products will not catch advanced malware.

        • I have seen Cylance before, but never in action. I’ve been considering adding them to my list of software items to sell. But haven’t had any time to look up more info yet. Any idea on the difference between Cylance and many of the other AV products? For the most part they are all the same, but some are stronger than others. I may wait till Cylance is listed on the av test website.

    • The problem with AV is that it has to interact with the system at a very low level to be effective. That means it needs to have full system level access to be effective.

      This provides an additional profile for malicious users to attack and increases your attack surface area. Additionally the interaction at that level on windows system is fraught with difficulties such that it is not uncommon for admin-access exploits to go unresolved for six months or more. There is a history of not just McAfee but symantec, Avast and others running into this problem. This leaves systems very vulnerable to full takeovers.

      Combined with the fact that exploits no longer take on the profile of the classic “Virus” it’s very difficult for most of these systems to detect a new exploit. It’s also true that these AV programs have been a major cause of problems for browsers such as Chrome and Firefox from properly sandboxing helping to prevent what is likely the most common attack vector, the internet.

      It’s time to make these AVs a relic of the past since they only cause more problems and make your system more vulnerable anymore

    • Can not believe no one has mentioned ESET. Been using it for years and it’s rock solid with HIPS and integrates well with Win10.

  2. The Sunshine State

    There has been a lot of talk about this online about grey-ware software. This is in regards to Microsoft Windows licenses being illegal to install because of its ultra low prices.

  3. I have never been fond of ebay, never felt comfortable buying anything from there.

  4. The more of your post I read, the more I laughed. It’s like listing someones home on Airbnb while they’re on vacation – what happens when they come back and find you there? Great article.

  5. I think you can buy stuff on eBay as long as you’re not too greedy. Paying less than $4 for Office 365 is a bit greedy. It’s not so expensive that one can’t pay a legitimate price for it, and still not have to pay the full amount. I have purchased, usually for clients, licenses for software there, and there’s never been a complaint. OTOH, I’m not too greedy, so the other person got a good deal, but didn’t have to deal with “too good to be true”.

  6. Well another red flag (And the first thing that caught my eye) is the listing says both Professional Plus and 365. Professional Plus requires a key and is installed like older versions of office that were not 365. 365 is cloud-based. One could report to eBay the product is being mis-advertised on top of likely stolen logins are being sold….

  7. Surely somebody at Microsoft is monitoring these pirate sellers on eBay and flagging the too-good-to-be-true listings. If not, maybe they should be.

    eBay responds promptly when people flag dishonest listings.

    • It is incredibly hard to flag counterfeit software to Microsoft unless you have actually bought it.

      I got an email from amazon.co.uk advertising:
      “Windows 10 Pro Key 32/64 Bits (E-mail)
      by Windows
      Price: £9.95
      Dispatched from and sold by WWIT”

      link: https://www.amazon.co.uk/gp/product/B07FZ2WXL4/

      Could I just forward the email to MS? No – but that is how I report phishing emails to the police / HMRC / banks etc.

      Could I find anything on the MS website to report it? No – only if I had bought a dodgy licence.

      It’s as if MS want such licences to be sold, so they can then persecute the saps who fall for the scam and extract full retail price out of them!

    • I used to sell on ebay. Yea, they have a department that does look at that. Microsoft actually scans ebay daily and gives them a list of sellers that are not in compliance. The thing is, it depends on what’s written on their listing that makes it not compliant. Same thing for Windows. Some of those you are required to ship parts with it. For the longest time there has been compromised keys sold on ebay. One of my experiences was selling 600 trend micro keys, and buying them from a DHgate.com. I didn’t know it wasn’t legit until 3-5 months down the road this buyer came back and said that 400 of the keys weren’t working. I refunded him all the keys not working after I validated with TrendMicro. Then I signed up to become a reseller from one of their distributors and have been selling good keys ever since. I was also able to gain the trust of this buyer, and they continue to purchase from me. Everyone makes a mistake, I’m glad that they continue to purchase from me.

  8. This is clearly a rogue sysadmin selling accounts for an enterprise license; once Microsoft learns about that they’ll just terminate the license and all will be over.

    The question is whether Microsoft will notice and if they will care about it.

    • The problem is that they are NOT selling anything like a Microsoft license. It seems to me that they are selling a hack that apparently allows the end user to steal from Microsoft. I for one would not expect to be able to use Office this way, and then be able to claim ignorance as the excuse.

      • It’s not really a hack, it’s an enterprise account that this individual has either gained access to through his employer or gained access to through more nefarious methods. Enterprise accounts can create accounts for users within their organization, although since it’s an enterprise account the administrator maintains full control over the user accounts. They can withdraw access to user accounts at any time, and unless something has changed, reassign data living in that account to another user at any time.

        $4 seems kind of light for a per-user license, which is why I suspect the user has either taken control of another account or is creating rogue accounts within his employer’s enterprise account for his personal gain. They’ll have a set number of accounts allocated for the organization but until they max out the licenses nobody without enterprise account access would be the wiser (and even if it hits the max the scumbag could just nuke user accounts to free up licenses for his employer to use).

  9. What about the non-cloud versions? I have bought one that was $39 and another that was only $9.99 ! The activation key works and you don’t have to apply it to a MS Account. If a system admin is selling an enterprise license, wouldn’t it be the same key code (MKS)?
    If MS does see fraud and they deactivate a key, I am out 10 clams and buy a new license key, no?

    • I believe the practice is most simply described as “receiving stolen property.”

    • I’ve been doing that for a decade. I have had exactly 1 license revoked after about a year.

      The comments on Krebs are heavily U.S.-centric, and U.S. citizens are trained to believe that corporate rights should supersede all human rights. “First Sale Doctrine,” as an example, has been effectively nullified in the U.S. in regards to software.

      Anyway, yes, it is perfectly legitimate in some other countries, as in the EU, to resell software licenses. That has been tested in EU court. The conditions that make it legal are:

      1) That the software license is perpetual (like a Windows 10 key),
      2) that it had originally been sold at an economic price (as they are when bundled with any business PC’s), and
      3) that the seller’s copy was made unusable at the time of transfer.

      If those conditions are met, then it’s legitimate and legal. Often PC’s are sold with software that a business does not want, and at least in the EU, that can be resold if the above conditions are met. You can find such licenses on eBay UK. As an example, a market price for a Windows 10 Pro key is about $30. Any legit seller will give you another one should that key not work or quit working. This infuriates Microsoft, but it is what it is.

      I don’t normally go this route with the software of most companies. But I’m older than many of those posting in here, with painful memories about Microsoft, and I think Microsoft deserves a special place in Hell.

      • Regardless of how you may feel about the legality of software ownership, the focus of the article is on the fact that Microsoft user segmentation is key in keeping a user’s data private. Without the ownership segmentation, you don’t get the data segmentation, and that’s a major privacy concern.

        • That’s all true. But I was answering the parent’s question, not the issue of privacy addressed in the article.

      • You did not comprehend what was written in the article and are far to arrogant to listen.

        It is a subscription license to Office 365, which you are supposed to pay yearly, that you do not have ownership of and is most likely coming from a greedy sysadmin from some company. The person is making accounts up on the fly and selling the access to the people. Once the company trues up the licenses with MS, the users will no longer have access.

        Put it this way – there is no perpetual Office 365 license, yet this is being sold as a “pay once, access forever” deal.

        Put your sour attitude aside and realize that the person selling this is doing it illegally.

        • Eighth-grade grammar police is arresting you. TOO, not TO. I’ll let you go with a warning.

        • And you failed reading comprehension, and are too arrogant to know it. I wrote a legitimate and detailed response to the question the parent asked, not the issue you accuse me of addressing. The parent never even mentioned Office 365, which I guess is only sold as a service these days. I hope I helped him to understand the details of when it is legal to resell software licenses.

      • You realize there is no perpetual Office 365 license, right? Someone is greedy at a company and the people paying will probably lose access once the company trues up the licenses.

        Your arrogance is only trumped by your blind hatred for Microsoft and the U.S.

        • He never mentioned Office 365. And your knee-jerk insult about hating the U.S. is incorrect. We’ve got problems, but I am hopeful in the future that we will come to value human life a little more than that of corporations.

      • News flash yoyoman, in the U.S. it is perfectly legal to resell your privately purchased licensed software, considering that the copy is not registered at the time of transfer, it’s perfectly legit.

        • lol looks like I managed to pi** off both the “reselling software is legal” crowd, and the “reselling software is not legal” crowd, at the same time.

  10. Note that there is a big difference between Office and Office 365. Office is a piece of software that you own through time, in the traditional sense. Its least expensive version (Home and Student) is about $150. And note that a legitimate license is likely to be the 2019 version that Microsoft is now distributing. Office 365, at the price Mr Krebs gives, is for 12 months of use only.

    • Tragedy, or comedy if you will, of this scam, for the suckers, is the synced cloud storage on OneDrive. One year and you have lost it and [legit] owner has it to savor.

  11. Brian,
    Love your articles. Thanks so much for all the security tips. Any thoughts on thinkEDU.com? Selling Microsoft Office for Mac at $39.95. Scamadvisor gives the site a high trust rating.

  12. Another red flag “USERMANE”

  13. I will put this in Piracy bucket and there are Dime a dozen on ebay selling:

    .edu email addresses
    Pdf copies of books( their disclaimers are interesting read)
    Office 365 lifetime(this) with a new email
    Fake copies of SD cards
    etc etc

    Risks for us: Assume full disclosure of information, unavailability due to account closure/defective product, loss of investment due to no warranty support

    Risks for companies: loss of revenue, bad repo

    At the end we and the companies seem to have accepted the risks. Period

    • I am thinking of exactly the same thing: this seems to fall under the Piracy bucket.
      In the ‘old’ days (yep, am old), you could buy a pirated disc with a hacked license key to install MS products (Windows, Office, etc). I would have thought that MS’s approach to move these apps into the cloud would regulate these accordingly but… looks like folks have found a way around it; and, it looks like we lose our privacy along with it. 🙁

  14. There are sellers on eBay doing the same thing with games that require accounts for things like Origin or Steam. If you do a search for “Sims 4” on eBay, you’ll find tons of cheap prices, and if you read the fine print you’ll find that every single one of them is selling an account rather than an activation code for the game.

  15. Well that eBay seller is NO more, Krebs killed em. Never buy software on eBay. One of the Negative feedbacks, and one of the Neutrals, tells you what you actually bought. Red Flags all over that, but people are stupid, most of them.

  16. Some of these sellers are getting the accounts by applying/registering at community colleges using fake info. Most community colleges have open enrollment and many provide free access to O365 and/or access to heavily discounted software (e.g. $0 to $10).

  17. Brian, I have to tell you how Office 365 is sold in the Netherlands to (parents of) school children. Spoiler: it costs $4 yearly and is legit.

    As long as you have a child at (primary) school, you can sign up for a website where you can purchase software for reduced prices. Your account will be verified with the school. As soon as you have access, you can order e.g. MS Office for $4. You will be given a generated username (email address) that you cannot change. When you sign in for the first time, you have to change the password. Just like the reader that you based your article on.
    If you lose your password you cannot reset it. You will have to contact the website where you purchased the software.
    And this is all completely legit.
    Yes, in the username you can recognize a part of your own name because the account is created after you have placed your order. But the rest, including pricing, is identical to the eBay story.
    Sites are http://www.surfspot.nl and http://www.schoolspot.nl – the company running these sites also delivers licenses to schools.

  18. “You get what you pay for”

    Well, not necessarily. Many people pay for software that has already been licensed to their organization or has free versions available.

    Windows 10 can be installed directly from Microsoft for free. The only catch is that you can’t change the wallpaper and it has a watermark on it. Or maybe you are a student and can get Windows Server for free from your college. It is better than Windows 10 because it is free from adware and stupid racing games.

    Can’t afford Office365? Well, Libre Office is just as good for most people. Or if you have an old version of MS Office, just use that. Maybe your company has a HUP plan with MS so that Office only costs $10 or $20 to install. Search Microsoft Home Use for details.

    Of course the best option is to switch to Linux. It is better and more secure, but requires some learning to get up and running. Linux Mint includes Libre Office in the standard install. So all you need is in the box. Price: Whatever you want to donate. If there is a Windows program you need, just run it in a virtual machine. Virtualbox is also free.

  19. I’ve got two success stories of saving on Office-365, without a security problem:

    First, I wanted to extend an existing “home version” license I already had.

    I bought a “spare license” for the home version on Ebay. I figured if there was a problem, I’d dispute it and quickly get a refund. I did email back and forth once with the seller, who was a local college student. I applied the licence without a problem, but I couldn’t figure out how to “extend” my existing license, since this said something about BestBuy’s GeekSquad needing to do it. I got online with Microsoft CHAT, and they converted it, extended my existing license, and gave me an extra month for my trouble. NOTE: This is the key–Get Microsoft to vet the license number, with online chat!!
    Net cost? About $25-30 / 14 months, (see below for 14 months vs 12).

    TIP on getting 14 months for the price of 12: when signing up, if you set up autopay (at a renewal price of FULL RETAIL), they give you an extra month. After you get the month, CANCEL autopay for TWO reasons:

    1. You may get a better deal, which you won’t be able to do if you have set up autopay.

    2. Microsoft gives you a 30 day grace period to use it at the end of the renewal, anyway.

    Also, in MOST cases, you are better off with the HOME version, which you can share legally inside the household and use the license for: up to FIVE users, FIVE PCs and FIVE mobile devices, (less than 11″ ?? diagonal for “mobile” use.) Note that this doesn’t mean 25 PCs (5 x 5), nor legally, five of your worldwide 5th cousins, (YMMV).

    My next trick was just getting two home licenses for about $25 ea. compliments of the ONLINE Navy EXCHANGE system. Everything else there was not that great of a deal. But last year they had a deep discount. If anyone knows of any other great deals that are legitimate for “home versions”, let us know. I know students, teachers, and military versions can save $$.

  20. The creativity of some of the nefarious never ceases to astound and has to be respected, great article yet another reminder why network owners should not be relying on user devices for security.

  21. I HOPE this is a greedy sysadmin…..the scarier possibility is that someone is reselling the same Office 365 accounts over and over while maintaining their access so that every document you save to OneDrive is now wide open to them.

    Quite the data harvesting scheme.

    • I’m thinking more along the lines of Email-as-a-Service advertised to spammers with the odd random signing up and providing personal data as an added bonus. Maybe? Maybe not.

  22. Some things never change.

    OTOH, I’ve never bought or used stolen s/w. But I did hack an early 12k Extended Basic which Microsoft sold to the Altair market. I had bought a copy (on paper tape) for some hundreds of dollars and was ticked off that it didn’t run on a Z80. I spent some time tracing the code, a PITA on an IMSAI, and found that they used one byte interrupt instructions to make sure it was running on an 8080 and not a Z80. I made a patch so it would run on a Z80 and, at the request of some fellow hobbyists, published it in Dr Dobbs amongst others. Legal back in those days.

  23. I have seen this even on the Norwegian Finn.no. What he did was to create an Office 365 developer account where you can create 25 users. Then he sold this as one time pay and told the buyer that it was a lifetime subscription. They are not, they are limited to development and also one year. Reported both to finn.no and Microsoft.

    He also sold OEM Windows 10 keys dirt cheap, but they may be legit. If you buy any license from Microsoft and might think it’s too good to be true you can supply MS with the key and they will tell you all about its origin and if it’s legit.

  24. I wonder if this is a service being offered to scammers and spammers? Essentially they get a semi-legit looking email address that they can then use as they please, until it stops working. $4 a pop for a temporary email that will be used for nefarious purposes, that sounds about right.

  25. Brian, correct Jan 19. My OCness can’t help it 😉

    “08 Dirt-Cheap, Legit, Windows Software: Pick Two
    Jan 19”

  26. eBay = Thieves Market.

  27. I bought a couple of sub $10 MS licenses from ebay.
    1. “5TB lifetime OneDrive”- exactly what Brian described- access to someone’s enterprise account. I only used it to back up my movies and music, making sure that nothing remotely private would get there.
    Stopped working after a couple of months.
    2. Office 2016. The key allowed me to download the software from Microsoft. Activated normally. Has been working for about a year.
    3. Windows 10- Same as above.
    I still don’t know if they generate the keys or resell keys destined for cheap markets.

  28. Why would anyone do this? If you are that broke/cheap, why not download something like LibreOffice (which is free)? I use it exclusively on my Windows & Linux machines. For budget-minded individuals and small businesses, it only makes sense. Being a slave to MS Office only applies where you have to collaborate with others in a large-scale, corporate type of setting, and if you are in that kind of setting and can’t afford an annual license fee then you probably are in the wrong profession.

    • Linux of course is an answer; the corporates fund it all through support contracts and home users get a legit free ride.

      There is fear of Linux (it does not come pre-installed) and this seems to be a major issue with non-technical people (i.e. non readers of this column?).

      I wonder if “your local computer shops” can generate business/goodwill by setting up a few laptops with different distros for people to see/try – say a couple of flavours of Mint and the same for Ubuntu. Then they might offer to do migrations for say £50 / $75 for people who do not rely on any windows specific software.

      Anyone know how to easily take a pre-installed Windows and re-package it to run in Virtual Box on Linux after such a migration?

  29. thanks for posting this really informative blog post with us.