Security Experts:

Advanced "16Shop" Phishing Kit Expands Offerings

16Shop Phishing Kit

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

The discovery was disclosed by ZeroFOX researchers today. "In early January 2020," they say, "ZeroFOX Alpha Team obtained a phishing kit from 16Shop that now targets PayPal customers, indicating they are actively adding brands to their phishing kit portfolio."

16Shop offers its phishing kit as a malware-as-a-service (MaaS) product. It includes several features designed to make it more resilient against defenders, and easier to use by wannabe hackers. For example, it includes three distinct anti-bot and anti-indexing features to help it hide from security vendors' automated crawlers and web indexers. The first is just a blacklist. The second is use of the open-source anti-crawling library known as CrawlerDetect. The third, used by the latest versions, also employs an integration with

This integration will send a phishing site visitor's User Agent to antibot to see if it is a 'bot or not'. "Antibot also offers services for link shortening, link clickthrough and tracking, as well as Bank Identification Number (BIN) checking," say the researchers. The longer a phish site remains undetected by security vendors and law enforcement, the greater the profit to the operator.

Each of the phishing target options is 'sold' separately, allowing the authors to 'sell up' the extra targets to existing customers. Each sale is also limited to the amount of deployments allowed to each customer. This is controlled by 16Shop's own DRM system. As soon as a kit is deployed, it reaches to a DRM C&C server for authorization. If the full quota of purchased deployments has been reached, 16Shop will not operate unless further deployments are purchased.

Like any legitimate software-as-a-service product, the user interface and user experience are essential. 16Shop's dashboard is clear and easy to understand, and updates in real time. It provides statistics including details on the number of clicks recorded, the number of email or bank login credentials collected, the number of credit cards gathered, and the number of bots detected. If more than one kit has been purchased, the details are merged into a single dashboard for a one-pane-of-glass overview of overall progress.

"The goal of phishing kits," comment the researchers, "is to make this experience seamless, so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure." 16Shop puts a lot of effort into ensuring this happens.

The phishing kit attempts to collect as much personal information as possible, including country specific PII. The newer PayPal offering supports fewer languages than the Apple and Amazon kits -- suggesting, say the researchers, that this is still a work in progress.

16Shop demonstrates the growing professionalism behind cybercrime -- it is run on proven business principles. Software-as-a-service generates repeat business and a higher ROI; the customer experience is maximized while the product is protected against pirating; and the product portfolio is expanded.

Related: Meet Phoenix Keylogger, a New Malware-as-a-Service Product

Related: Raccoon Malware-as-a-Service Gains Momentum 

Related: Securing the 2020 Elections From Multifarious Threats 

Related: The Growing Threat of Deepfake Videos 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.