Phishing season has officially begun. Fortinet researchers reported that they discovered a series of Black Friday scams in which threat actors marketed a file called “Amazon Gift Tool.exe” as a free Amazon gift card generator to steal cryptocurrency. Cybercrooks do know we love freebies.
Black Friday Scams Luring Victims In With Freebies
Fortinet security experts spotted a new scam using a fake free Amazon gift card generator as bait to steal cryptocurrency from victims.
Researchers said that they found a file called “Amazon Gift Tool.exe” that was being advertised and marketed on a publicly available file repository as a free Amazon gift card generator.
If you download and open the malicious file, a poisoned winlogin.exe is dropped and executed.
“The purpose of the malware is simple. If the victim tries to add money to their anon-bitcoin wallet by copying and pasting the wallet address, the malware overwrites the victim’s wallet address on the clipboard with its own, resulting in the money potentially going to the attacker,” researchers wrote.
Hunting For Cryptocurrency
According to Fortinet’s FortiGuard Labs, the malware monitors the victim’s clipboard in search of text that is 54 characters long, which is the length of a wallet address. It also watches for other criteria that may indicate the text is related to cryptocurrency:
- Clipboard text is 54 characters long (which is the length of a wallet address preceded by the string “bitcoincash:”)
- Clipboard text is not “bitcoincash:<attacker’s wallet>” because replacing the wallet address would no longer be necessary
- Clipboard text contains “bitcoincash:” to make sure the user is currently involved in trying to transfer Bitcoin Cash
If all criteria are met, the malware replaces the clipboard information with the attacker’s Bitcoin Cash Wallet address.
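As an added example (not from Fortinet's report or this article), here is a defender's check built on the criteria above: it scans clipboard snapshots for one 54-character “bitcoincash:” value replacing another within a short window, and verifies a pasted address before sending. The snapshot format, the 2-second window, the function names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

PREFIX = "bitcoincash:"  # prefix named in the article
ADDR_LEN = 54            # total length reported in the article, prefix included
WINDOW_S = 2.0           # assumption: a swap lands within seconds of the copy

@dataclass
class Snapshot:
    ts: float   # seconds since the start of the capture
    text: str   # clipboard text at that moment

def looks_like_bch(text: str) -> bool:
    """Shape described in the article: 54 characters containing the prefix."""
    return len(text) == ADDR_LEN and PREFIX in text

def find_swaps(snapshots, window_s=WINDOW_S):
    """Return (before, after) pairs where one address quickly replaced another."""
    hits = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if (looks_like_bch(prev.text) and looks_like_bch(cur.text)
                and prev.text != cur.text
                and 0 <= cur.ts - prev.ts <= window_s):
            hits.append((prev, cur))
    return hits

def paste_matches(intended: str, pasted: str) -> bool:
    """Pre-send check: the pasted value must be the address the user meant."""
    return looks_like_bch(pasted) and pasted == intended

# Constructed sample data (not real addresses, not real telemetry).
VICTIM = PREFIX + "q" + "a" * 41
OTHER = PREFIX + "q" + "z" * 41
SAMPLE = [
    Snapshot(0.0, "shopping list"),
    Snapshot(10.0, VICTIM),   # user copies their own address
    Snapshot(10.3, OTHER),    # replaced 0.3 s later: flagged
    Snapshot(95.0, "hello"),
    Snapshot(200.0, VICTIM),
    Snapshot(400.0, OTHER),   # different address minutes later: not flagged
]

if __name__ == "__main__":
    for before, after in find_swaps(SAMPLE):
        print(f"swap at {after.ts:.1f}s: {before.text} -> {after.text}")
    print("paste matches intended:", paste_matches(VICTIM, OTHER))
```

The time window only separates a rapid overwrite from a user copying a second address later; the comparison in `paste_matches` is the check that holds regardless of timing.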
Wolves In Sheep’s Clothing
“We also found that the malicious winlogin.exe was distributed by a number of droppers with enticing names, such as Crunchyroll Breaker.exe, Netflix Tools.exe, Multi Gift Tools.exe, etc,” FortiGuard Labs explained.
“Free generators of this sort have been around and scammed people for years. But given the market power of Amazon, this new scam is especially enticing. Consumers are eager to shop as much as they can on Black Friday as a lot of goods go on sale. Free Amazon gift cards are very attractive to those who want to spend less for the holiday season. However, be careful with what you wish for and don’t fall victim to scams like this one.”
According to Manky, cryptowallet addresses are rather large. While users may write their wallet in a physical location, they likely have it stored digitally – either in a cold storage wallet or on their workstation.
“That digital cryptowallet address is typically accessed when doing transactions to send/receive money during the transaction itself on the client machine. In this instance, the attacker is hoping to replace the victim’s wallet with theirs to divert the funds. Keep in mind there usually is MFA with these transactions, but that’s done by the client to approve. They may not notice the wallet address they pasted was actually not their own,” Manky explained.
“This attack attempt has been specifically designed to hijack cryptowallet addresses/transactions similar to payment diversion fraud. And specifically Bitcoin Cash.”
Fortinet researchers also discovered another scam related to gaming consoles, trying to lure those interested in purchasing PlayStation 5 and Xbox Series X and S systems.
FortiGuard Labs also found a series of ill-intended PDF files titled “how_much_do_xbox_one_cost_on_black_Friday.pdf” and “Walmart_black_Friday_ps5_pickup.pdf.”
Upon clicking the link, the victims are redirected to credential-stealing sites.