Connect with us

Hi, what are you looking for?



Advanced “16Shop” Phishing Kit Expands Offerings

16Shop Phishing Kit

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

16Shop Phishing Kit

One of the most advanced phishing kits, known as 16Shop and probably developed by a group known as the Indonesian Cyber Army, has expanded its phish targets from Apple account holders and Amazon to now include PayPal.

The discovery was disclosed by ZeroFOX researchers today. “In early January 2020,” they say, “ZeroFOX Alpha Team obtained a phishing kit from 16Shop that now targets PayPal customers, indicating they are actively adding brands to their phishing kit portfolio.”

16Shop offers its phishing kit as a malware-as-a-service (MaaS) product. It includes several features designed to make it more resilient against defenders, and easier to use by wannabe hackers. For example, it includes three distinct anti-bot and anti-indexing features to help it hide from security vendors’ automated crawlers and web indexers. The first is just a blacklist. The second is use of the open-source anti-crawling library known as CrawlerDetect. The third, used by the latest versions, also employs an integration with

This integration will send a phishing site visitor’s User Agent to antibot to see if it is a ‘bot or not’. “Antibot also offers services for link shortening, link clickthrough and tracking, as well as Bank Identification Number (BIN) checking,” say the researchers. The longer a phish site remains undetected by security vendors and law enforcement, the greater the profit to the operator.

Each of the phishing target options is ‘sold’ separately, allowing the authors to ‘sell up’ the extra targets to existing customers. Each sale is also limited to the amount of deployments allowed to each customer. This is controlled by 16Shop’s own DRM system. As soon as a kit is deployed, it reaches to a DRM C&C server for authorization. If the full quota of purchased deployments has been reached, 16Shop will not operate unless further deployments are purchased.

Like any legitimate software-as-a-service product, the user interface and user experience are essential. 16Shop’s dashboard is clear and easy to understand, and updates in real time. It provides statistics including details on the number of clicks recorded, the number of email or bank login credentials collected, the number of credit cards gathered, and the number of bots detected. If more than one kit has been purchased, the details are merged into a single dashboard for a one-pane-of-glass overview of overall progress.

“The goal of phishing kits,” comment the researchers, “is to make this experience seamless, so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure.” 16Shop puts a lot of effort into ensuring this happens.

Advertisement. Scroll to continue reading.

The phishing kit attempts to collect as much personal information as possible, including country specific PII. The newer PayPal offering supports fewer languages than the Apple and Amazon kits — suggesting, say the researchers, that this is still a work in progress.

16Shop demonstrates the growing professionalism behind cybercrime — it is run on proven business principles. Software-as-a-service generates repeat business and a higher ROI; the customer experience is maximized while the product is protected against pirating; and the product portfolio is expanded.

Related: Meet Phoenix Keylogger, a New Malware-as-a-Service Product

Related: Raccoon Malware-as-a-Service Gains Momentum 

Related: Securing the 2020 Elections From Multifarious Threats 

Related: The Growing Threat of Deepfake Videos 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.