Advanced “16Shop” Phishing Kit Expands Offerings

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

The discovery was disclosed by ZeroFOX researchers today. “In early January 2020,” they say, “ZeroFOX Alpha Team obtained a phishing kit from 16Shop that now targets PayPal customers, indicating they are actively adding brands to their phishing kit portfolio.”

16Shop offers its phishing kit as a malware-as-a-service (MaaS) product. It includes several features designed to make it more resilient against defenders, and easier to use by wannabe hackers. For example, it includes three distinct anti-bot and anti-indexing features to help it hide from security vendors’ automated crawlers and web indexers. The first is just a blacklist. The second is use of the open-source anti-crawling library known as CrawlerDetect. The third, used by the latest versions, is an integration with antibot.pw.

This integration will send a phishing site visitor’s User Agent to antibot to see if it is a ‘bot or not’. “Antibot also offers services for link shortening, link clickthrough and tracking, as well as Bank Identification Number (BIN) checking,” say the researchers. The longer a phish site remains undetected by security vendors and law enforcement, the greater the profit to the operator.
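For defenders, User-Agent-based filtering of this kind means a scanner's view of a suspect URL can differ from what a victim sees. The following added example (not code from the article, ZeroFOX or the kit) compares responses already collected for one URL under several client profiles and reports where the crawler view diverges; the profile names, threshold and sample responses are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: what one suspect URL returned to three client
# profiles. Profile names are hypothetical; values are (HTTP status, body).
LOGIN_PAGE = ("<html><form action='/login'><input name='email'>"
              "<input type='password' name='pass'></form></html>")
SAMPLE_RESPONSES = {
    "desktop_browser": (200, LOGIN_PAGE),
    "mobile_browser": (200, LOGIN_PAGE),
    "declared_crawler": (404, "<html><h1>Not Found</h1></html>"),
}

PASSWORD_FIELD = re.compile(r"<input[^>]+type=['\"]?password", re.I)


def has_credential_form(body):
    """True when the page contains a password input field."""
    return bool(PASSWORD_FIELD.search(body))


def similarity(a, b):
    """Ratio in [0, 1] of how alike two response bodies are."""
    return SequenceMatcher(None, a, b).ratio()


def detect_ua_cloaking(responses, crawler_profile="declared_crawler",
                       threshold=0.5):
    """List the ways each browser view differs from the crawler view."""
    crawler_status, crawler_body = responses[crawler_profile]
    findings = []
    for profile, (status, body) in responses.items():
        if profile == crawler_profile:
            continue
        if status != crawler_status:
            findings.append(
                f"{profile}: status {status} vs crawler {crawler_status}")
        if has_credential_form(body) and not has_credential_form(crawler_body):
            findings.append(f"{profile}: credential form hidden from crawler")
        if similarity(body, crawler_body) < threshold:
            findings.append(f"{profile}: body diverges from crawler view")
    return findings


if __name__ == "__main__":
    for line in detect_ua_cloaking(SAMPLE_RESPONSES):
        print(line)
```

An empty result only means the compared profiles saw the same page; the blacklist the article mentions would not be surfaced by a User-Agent comparison alone.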

Each of the phishing target options is ‘sold’ separately, allowing the authors to ‘sell up’ the extra targets to existing customers. Each sale is also limited to the number of deployments allowed to each customer. This is controlled by 16Shop’s own DRM system. As soon as a kit is deployed, it reaches out to a DRM C&C server for authorization. If the full quota of purchased deployments has been reached, 16Shop will not operate unless further deployments are purchased.

Like any legitimate software-as-a-service product, the user interface and user experience are essential. 16Shop’s dashboard is clear and easy to understand, and updates in real time. It provides statistics including details on the number of clicks recorded, the number of email or bank login credentials collected, the number of credit cards gathered, and the number of bots detected. If more than one kit has been purchased, the details are merged into a single dashboard for a one-pane-of-glass overview of overall progress.

“The goal of phishing kits,” comment the researchers, “is to make this experience seamless, so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure.” 16Shop puts a lot of effort into ensuring this happens.

The phishing kit attempts to collect as much personal information as possible, including country-specific PII. The newer PayPal offering supports fewer languages than the Apple and Amazon kits — suggesting, say the researchers, that this is still a work in progress.

16Shop demonstrates the growing professionalism behind cybercrime — it is run on proven business principles. Software-as-a-service generates repeat business and a higher ROI; the customer experience is maximized while the product is protected against pirating; and the product portfolio is expanded.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
