Each new iteration of Microsoft software also marks a new chapter in the ongoing cat-and-mouse game between software counterfeiters and Microsoft's own enforcement team.
Like paper currency, Microsoft employs a variety of techniques to assure customers that the software discs they're buying are valid. And rings of cybercriminals, in turn, make every attempt to defeat those safeguards.
"All of our most popular products are counterfeited," said Zoe Krumm, a senior business intelligence analyst with Microsoft. "Windows 7 was counterfeited within a month or so of us launching, with a very deceptive passoff."
In 2007, Microsoft and the FBI, in conjunction with Chinese local law enforcement, tracked down and raided a piracy organization suspected of producing $2 billion worth of counterfeit software. Microsoft recently revealed one of the techniques used by the company to prove that piracy: "fingerprints" left by CD duplicators. In an interview late last week, Microsoft offered even more details on this technique, plus others, that its team of investigators uses.
Microsoft maintains a 75-person staff of antipiracy investigators, consisting of paralegals, forensic intelligence analysts, investigators, and other staff, many with backgrounds in law enforcement, according to Bonnie MacNaughton, a senior attorney in Microsoft's antipiracy enforcement efforts and a federal prosecutor for 14 years before that. Senior business intelligence analysts are placed in all geographic regions. In Seattle, for example, Microsoft has hired former members of the Seattle police department, and the lead investigator in Europe previously worked for Interpol.
It's worth noting that there are two types of pirates: consumers who knowingly purchase pirated software in the hopes of avoiding the paying of licensing fees or premiums, and those that think they're buying the genuine article, perhaps at a discount. In both cases, users can be notified that their software is fake via its Genuine Advantage program, which was extended to a total of 41 countries in 2009. Chinese case, as well as one that Microsoft participated in India in Dec. 2009, were designed to deceive consumers. All told, Microsoft has received almost 30,000 reports concerning vendors that have victimized customers.
And those consumers can be Microsoft's best ally. In 2009, customers provided just under 80,000 leads to suspected pirates, for a historical total of about 280,000; 65 percent provided comments, and a significant percentage are willing to work with the company. "We didn't work as closely with our customers as we have begun to do today," MacNaughton said about early anti-counterfeit operations.
Microsoft also works closely with agencies such as the Business Software Alliance, which in a 2008 study with IDC estimated that approximately $53 billion is lost to piracy each year. Another 2008 IDC study claimed that a 10 percent drop in piracy would add 600,000 jobs to the world economy. Other studies have tied pirated software to the rise of botnets in a given region.
"They're not pie-in-the-sky estimates, but reasonable estimates of the extent of losses," MacNaughton said.
The most obvious deterrent is the product key, part of the certificate of authenticity (COA) that Microsoft provides with every disc. If the key doesn't work, customers start asking questions. (Microsoft provides a telephone hotline, (800) RU-LEGIT (785-3448), for that purpose. Other examples of counterfeit software can be seen at Microsoft's anti-piracy Web site.)
That hasn't stopped snatch-and-grab operations, such as a recent case in a border town in Mexico, where a truckload of COAs was hijacked. Both the driver and the security guard stopped for fuel, when robbers pulled up, held the two men at gunpoint, and made off with the documents. But when the theft was reported, Microsoft tracked down the COA keys and simply "turned them off," assigning them to a list of banned keys.
And don't think that paying the correct price is a sign of authenticity, either.
"We don't really use pricing as a red flag because we have seen syndicates price just at or under cost," Krumm said, perhaps to recoup the cost of their criminal R&D.
So how does a global organization like Microsoft, tracking criminals in more than 150 countries, actually make its cases?
Tools of the trade
One of the means of tracking physical discs is to actually examine the minute defects a CD-ROM stamper creates as it presses the discs. These pits, grooves, or other defects can be scanned and placed into a database, to help track the spread of physical discs across the globe, Krumm said. (See the accompanying slideshow for more.)
Each unique disc stamp is called a "strain"; Microsoft has tracked over 580,000 throughout the world. When a disc's "fingerprints" are matched to a database that Microsoft maintains, the disc's origin can be linked to a particular facility, which could be tied to a piracy operation. Tracking the discs allows Microsoft and investigators to build "intelligent maps" of a piracy operation and its distribution methods.
"We can understand the life of a stamper," Krumm said. "We know how long they last, and when the end-of-life begins at a stamper facility."
Microsoft has also begun building out an "action mapping tool," which it will provide to local law enforcement. Layers on top of Bing maps of a given area, such as Southern California, can track cease-and-desist letters, civil and criminal suits and seizures, and other metrics to provide visual clues of piracy hotspots.
Microsoft also embeds security features into its discs and packaging to foil pirates, who can spend a great deal of time to try and foil them.
Microsoft's chief weapon is embedding hard-to-copy security features directly into the disc itself, such as an embedded hologram of the Windows logo. Pirates, however, typically affix a hologram sticker to the front of the disc, and replicate the design of the Windows or Office disc with a sophisticated – but removable – peel-off label. Microsoft also designs the holograms so that they shift and move when the disc is rotated, Krumm said.
A second security feature is the use of an actual embedded thread, which is added to the "genuine" paper Microsoft uses to print its COAs at the point of manufacturing, Krumm said. The thread is used to distinguish the real article. Pirates typically simulate the thread, printing it instead of embedding them.
Counterfeiters fight back
In some cases, however, pirates have been willing to go almost as far as Microsoft has to establish authenticity. In 2007, a major syndicate headquartered in southern China was accused of distributing $2 billion of Microsoft software, including fake versions of thirteen Microsoft products, including Windows Vista, Microsoft Office, and Windows XP, in at least eight languages. Software worth $500 million was actually recovered. The six-year investigation, including evidence gathered from 1,000 customers and partners, culminated in the 11 ringleaders receiving prison sentences.
"They were responsible for the most convincing simulation we've seen," Krumm said.
The pirates printed five separate layers of labels onto the discs itself, trying to duplicate the shifting holograms that Microsoft had added, Krumm said. Actual thread was woven into the COAs, in an attempt to duplicate the real article. Using the CD stamper tool Microsoft developed, Chinese authorities tracked down the manufacturing operation. When they did so, Microsoft discovered a shocking fact: the counterfeiters had a larger manufacturing operation than Microsoft's own in the Europe, Middle East, and Asia (EMEA) region.
"We found enough thread on site to make over a million COAs," Krumm said.
In December 2009, the largest counterfeiting operation in India was cracked, with $2 million of counterfeit software recovered at the scene, MacNaughton said. Microsoft estimated that the counterfeiter controlled more than 56 percent of India's OEM software market.
"Sometimes, what happens is that [counterfeit or stolen] product keys don't work; a lot of times they don't work," Krumm said. "The reseller understood that problem, and wanted to create COAs with actual keys."
The reseller purchased counterfeit COAs from China, then obtained the keys via fraud, and added them to his own counterfeits. The technique was so successful that investigators were fooled until the fraudulent keys were tied to the fake COAs.
Meanwhile, Microsoft has also making available its software for download, and "where legal businesses go," criminals will follow," MacNaughton said. In 2009, Hong Lei, the creator of the downloadable "Tomato Garden Windows XP" software, was jailed for three and a half years. Millions of Internet users had free access to the software on a website, tomatolei.com, after Lei stripped protections from the Microsoft software.
Microsoft has seen upticks in counterfeit code hacks to bypass security measures, and cyber criminals have begun publishing sophisticated and authentic Web sites posing as legitimate resellers, and seeking to lure buyers into divulging credit-card information, Krumm said.
"We've really increased the skill set on that [online piracy] team," Krumm said. "And we spend even more time expecting it not that cloud services are such a critical component of Microsoft's strategy."
Krumm said she expects that criminals will eventually create "dark clouds," replicating the legal Web-based cloud services that Microsoft and other companies will provide.
"At the highest level, counterfeiters keep raising the bar because they have to," MacNaughton said. "In 2001, it honestly wasn't that difficult to counterfeit a decent passoff of our products. As time has passed, however, it has narrowed the number of people and the organizations' ability to counterfeit these products."
