Black Friday Scams – Researchers Warn Of Cryptocurrency-Stealing PS5, Xbox, and Amazon Schemes

November 20, 2021 | Cybersecurity News

Phishing season has officially begun. Fortinet researchers reported that they discovered a series of Black Friday scams in which threat actors marketed a file called “Amazon Gift Tool.exe” as a free Amazon gift card generator to steal cryptocurrency. Cybercrooks do know we love freebies.

Black Friday Scams Luring Victims In With Freebies

Fortinet security experts spotted a new scam using a fake free Amazon gift card generator as bait to steal cryptocurrency from victims.

Researchers said that they found a file called “Amazon Gift Tool.exe” that was being advertised and marketed on a publicly available file repository as a free Amazon gift card generator.

If you download and open the malicious file, a poisoned winlogin.exe is dropped and executed.

“The purpose of the malware is simple. If the victim tries to add money to their anon-bitcoin wallet by copying and pasting the wallet address, the malware overwrites the victim’s wallet address on the clipboard with its own, resulting in the money potentially going to the attacker,” researchers wrote.

Hunting For Cryptocurrency

According to Fortinet’s FortiGuard Labs, the malware monitors the victim’s clipboard in search of text that is 54 characters long, which is the length of a wallet address. It also watches for other criteria that may indicate the text is related to cryptocurrency:

  • Clipboard text is 54 characters long (which is the length of a wallet address preceded by the string “bitcoincash:”)
  • Clipboard text is not “bitcoincash:<attacker’s wallet>” because replacing the wallet address would no longer be necessary
  • Clipboard text contains “bitcoincash:” to make sure the user is currently involved in trying to transfer Bitcoin Cash

If all criteria are met, the malware replaces the clipboard information with the attacker’s Bitcoin Cash Wallet address.

[Figure: Code to check clipboard text. Credit: Fortinet]
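The criteria listed above can also be used for detection. The following Python code is an added example, not Fortinet's code and not the malware's: it scans a clipboard history for one value matching the length and prefix criteria being replaced by a different matching value within a short window. The addresses, the `Snapshot` type and the 1000 ms window are constructed assumptions.

```python
from dataclasses import dataclass

PREFIX = "bitcoincash:"
TARGET_LEN = 54  # length the article gives for "bitcoincash:" plus the address


def is_targeted(text: str) -> bool:
    """True if the text meets the length and prefix criteria from the article."""
    return len(text) == TARGET_LEN and PREFIX in text


@dataclass
class Snapshot:          # hypothetical record of one clipboard observation
    t_ms: int            # observation time in milliseconds
    text: str            # clipboard text at that time


def find_swaps(history, window_ms=1000):
    """Return (before, after) pairs where a targeted value was replaced by a
    different targeted value within window_ms (assumed threshold: a person
    rarely copies two different wallet addresses that quickly)."""
    swaps = []
    for prev, cur in zip(history, history[1:]):
        if (is_targeted(prev.text) and is_targeted(cur.text)
                and prev.text != cur.text
                and cur.t_ms - prev.t_ms <= window_ms):
            swaps.append((prev, cur))
    return swaps


# Constructed placeholder addresses (not real wallets), 12 + 42 = 54 characters.
USER_ADDR = PREFIX + "q" + "x" * 41
OTHER_ADDR = PREFIX + "q" + "z" * 41

# Constructed clipboard history for the demonstration.
SAMPLE_HISTORY = [
    Snapshot(0, "hello"),
    Snapshot(5000, USER_ADDR),    # user copies their own address
    Snapshot(5040, OTHER_ADDR),   # replaced 40 ms later: suspicious
    Snapshot(90000, USER_ADDR),   # user copies again much later: not flagged
]

if __name__ == "__main__":
    for before, after in find_swaps(SAMPLE_HISTORY):
        print(f"swap at {after.t_ms} ms: {before.text} -> {after.text}")
```
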

Wolves In Sheep’s Clothing

“We also found that the malicious winlogin.exe was distributed by a number of droppers with enticing names, such as Crunchyroll Breaker.exe, Netflix Tools.exe, Multi Gift Tools.exe, etc,” FortiGuard Labs explained. 

“Free generators of this sort have been around and scammed people for years. But given the market power of Amazon, this new scam is especially enticing. Consumers are eager to shop as much as they can on Black Friday as a lot of goods go on sale. Free Amazon gift cards are very attractive to those who want to spend less for the holiday season. However, be careful with what you wish for and don’t fall a victim to scams like this one.”

According to Manky, cryptowallet addresses are rather large. While users may write their wallet in a physical location, they likely have it stored digitally – either in a cold storage wallet or on their workstation.

“That digital cryptowallet address is typically accessed when doing transactions to send/receive money during the transaction itself on the client machine. In this instance, the attacker is hoping to replace the victim’s wallet with theirs to divert the funds. Keep in mind there usually is MFA with these transactions, but that’s done by the client to approve. They may not notice the wallet address they pasted was actually not their own,” Manky explained.

“This attack attempt has been specifically designed to hijack cryptowallet addresses/transactions similar to payment diversion fraud. And specifically Bitcoin Cash.”

Fortinet researchers also discovered another scam related to gaming consoles, trying to lure those interested in purchasing PlayStation 5 and Xbox Series X and S systems.

FortiGuard Labs also found a series of ill-intended PDF files titled “how_much_do_xbox_one_cost_on_black_Friday.pdf” and “Walmart_black_Friday_ps5_pickup.pdf.”

Upon clicking the link, the victims are redirected to credential-stealing sites.


ZDNet: Fortinet warns of Black Friday scams involving PS5s, Xboxes and fake Amazon gift card generators that steal crypto

Fortinet: Black Friday Scams are Coming—Online Shoppers Should Approach with Caution


Feature Image: Photo by Christian Wiediger on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.
