Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Phishing

Advanced “16Shop” Phishing Kit Expands Offerings

16Shop Phishing Kit

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

16Shop Phishing Kit

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

The discovery was disclosed by ZeroFOX researchers today. “In early January 2020,” they say, “ZeroFOX Alpha Team obtained a phishing kit from 16Shop that now targets PayPal customers, indicating they are actively adding brands to their phishing kit portfolio.”

16Shop offers its phishing kit as a malware-as-a-service (MaaS) product. It includes several features designed to make it more resilient against defenders, and easier to use by wannabe hackers. For example, it includes three distinct anti-bot and anti-indexing features to help it hide from security vendors’ automated crawlers and web indexers. The first is just a blacklist. The second is use of the open-source anti-crawling library known as CrawlerDetect. The third, used by the latest versions, also employs an integration with antibot.pw.

This integration will send a phishing site visitor’s User Agent to antibot to see if it is a ‘bot or not’. “Antibot also offers services for link shortening, link clickthrough and tracking, as well as Bank Identification Number (BIN) checking,” say the researchers. The longer a phish site remains undetected by security vendors and law enforcement, the greater the profit to the operator.

Each of the phishing target options is ‘sold’ separately, allowing the authors to ‘sell up’ the extra targets to existing customers. Each sale is also limited to the amount of deployments allowed to each customer. This is controlled by 16Shop’s own DRM system. As soon as a kit is deployed, it reaches to a DRM C&C server for authorization. If the full quota of purchased deployments has been reached, 16Shop will not operate unless further deployments are purchased.

Like any legitimate software-as-a-service product, the user interface and user experience are essential. 16Shop’s dashboard is clear and easy to understand, and updates in real time. It provides statistics including details on the number of clicks recorded, the number of email or bank login credentials collected, the number of credit cards gathered, and the number of bots detected. If more than one kit has been purchased, the details are merged into a single dashboard for a one-pane-of-glass overview of overall progress.

Advertisement. Scroll to continue reading.

“The goal of phishing kits,” comment the researchers, “is to make this experience seamless, so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure.” 16Shop puts a lot of effort into ensuring this happens.

The phishing kit attempts to collect as much personal information as possible, including country specific PII. The newer PayPal offering supports fewer languages than the Apple and Amazon kits — suggesting, say the researchers, that this is still a work in progress.

16Shop demonstrates the growing professionalism behind cybercrime — it is run on proven business principles. Software-as-a-service generates repeat business and a higher ROI; the customer experience is maximized while the product is protected against pirating; and the product portfolio is expanded.

Related: Meet Phoenix Keylogger, a New Malware-as-a-Service Product

Related: Raccoon Malware-as-a-Service Gains Momentum 

Related: Securing the 2020 Elections From Multifarious Threats 

Related: The Growing Threat of Deepfake Videos 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.