In early January 2020, ZeroFOX's research team, Alpha, discovered a phishing kit targeting PayPal customers whose code carried the hallmarks of 16Shop. Active since 2018, 16Shop is a phishing kit sold on a Malware-as-a-Service (MaaS) model and developed by a hacking group calling itself the Indonesian Cyber Army. After targeting Apple and Amazon customers in 2019, the group has now adapted the kit to target PayPal customers, and certain American Express customers as well.
On further analysis, the researchers found that the latest versions of the 16Shop kit contain three anti-bot and anti-indexing features that together act as an anti-detection mechanism: their purpose is to keep security scanners, search-engine crawlers and analysis tooling from ever reaching the phishing page, so that only intended victims see it. The first is a simple static blacklist file, blacklist.dat. The second uses an open-source anti-crawling library, CrawlerDetect, which recognises crawlers from their User-Agent strings. The third is an integration with antibot.pw, an external bot-detection service.
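To make the three-layer gate concrete, here is an added Python model of how such a kit decides whether to serve the phishing page to a given visitor. This is example code written for this article, not 16Shop's own code (which is PHP) and not the CrawlerDetect library. The format of blacklist.dat is not described in the research, so the entry format below (one CIDR or User-Agent fragment per line) is an assumption, the crawler pattern is a short illustrative list rather than CrawlerDetect's full signature set, and the antibot.pw lookup is replaced by a caller-supplied callable because its real API is not on the page. All IPs are documentation ranges and all sample data is constructed.

```python
import ipaddress
import re
from typing import Callable, Optional

# Constructed stand-in for the kit's blacklist.dat (format is an assumption:
# one network/IP or one User-Agent fragment per entry).
BLACKLIST_ENTRIES = [
    "203.0.113.0/24",   # pretend security-vendor scanner range (TEST-NET-3)
    "198.51.100.7",     # a single flagged address
    "phishtank",        # fragment matched case-insensitively against the User-Agent
    "virustotal",
]

# Illustrative CrawlerDetect-style pattern: one alternation of crawler and
# tooling signatures matched against the User-Agent. The real library ships
# many hundreds of entries; this list is only for the example.
CRAWLER_RE = re.compile(
    r"bot|crawl|spider|slurp|fetch|curl|wget|python-requests|headless|phantom",
    re.IGNORECASE,
)


def _load_blacklist(entries):
    """Split entries into IP networks and lower-cased User-Agent fragments."""
    networks, fragments = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:          # not an address or CIDR, so treat as UA fragment
            fragments.append(entry.lower())
    return networks, fragments


BLACKLIST_NETWORKS, BLACKLIST_UA = _load_blacklist(BLACKLIST_ENTRIES)


def blacklisted(ip: str, ua: str) -> bool:
    """Layer 1: static blacklist of source networks and User-Agent fragments."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLACKLIST_NETWORKS):
        return True
    ua_lower = ua.lower()
    return any(fragment in ua_lower for fragment in BLACKLIST_UA)


def looks_like_crawler(ua: str) -> bool:
    """Layer 2: CrawlerDetect-style User-Agent signature match."""
    return bool(CRAWLER_RE.search(ua))


def gate(ip: str, ua: str, reputation: Optional[Callable[[str], bool]] = None) -> str:
    """Return "serve" if the kit would show the phishing page, "deny" if it
    would hide it (decoy page or 404). `reputation` stands in for layer 3, an
    external bot/IP-reputation lookup like the antibot.pw integration; it is a
    hypothetical callable returning True when the service reports a bot."""
    if blacklisted(ip, ua):
        return "deny"
    if looks_like_crawler(ua):
        return "deny"
    if reputation is not None and reputation(ip):
        return "deny"
    return "serve"


# Constructed stand-in for the external reputation service's answers.
KNOWN_BOT_IPS = {"192.0.2.50"}


def fake_reputation(ip: str) -> bool:
    """Hypothetical reputation lookup: True means 'this address is a bot'."""
    return ip in KNOWN_BOT_IPS


if __name__ == "__main__":
    browser_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/79.0 Safari/537.36")
    print(gate("203.0.113.9", browser_ua, fake_reputation))   # blacklisted network
    print(gate("192.0.2.10", "curl/7.68.0", fake_reputation))  # tooling User-Agent
    print(gate("192.0.2.50", browser_ua, fake_reputation))     # flagged by reputation
    print(gate("192.0.2.10", browser_ua, fake_reputation))     # what a victim sees
```

The practical consequence for defenders is that a fetch from a datacenter address or with a scanner, curl or headless-browser User-Agent returns the decoy, not the phish, so an automated "site is clean" verdict on a reported 16Shop URL should be distrusted. When verifying a report, fetch the page from a residential or mobile connection with a real browser User-Agent, and compare against the automated result.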
16Shop is sold as separate kits, one per target brand (Apple, Amazon, PayPal, American Express), and the operator chooses which to buy; each kit is target-specific and differs from the others. Every kit also carries a per-customer deployment quota, enforced by 16Shop's Digital Rights Management (DRM) system. Once the maximum number of deployments is reached, the kit stops working and resumes only when the attacker (the operator) pays for additional deployments.
16Shop also ships a user-friendly, intuitive dashboard that updates in real time and lets the operator review the login credentials, email addresses, credit card details, and bot or click counts collected by their deployments. The research also noted that stolen information is exfiltrated over SMTP to an attacker-controlled email inbox. The kits collect as much data as possible from each victim, including country-specific PII.
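Because the kit mails stolen data out over SMTP, a compromised web host running 16Shop behaves differently from a normal web server: it opens outbound SMTP connections to a mailbox that is not the organisation's relay. The following is an added example of that detection idea as a hosting provider or SOC might implement it, written for this article rather than taken from the research. It reads constructed Zeek-style conn.log lines (tab-separated, a subset of fields, all addresses from documentation ranges) and flags web servers talking SMTP to anything other than an approved relay; the host and relay lists are assumptions a real deployment would take from inventory.

```python
import csv
import io
from collections import defaultdict

# Constructed Zeek conn.log-style sample (tab-separated, subset of fields).
# These lines are made up for the example and are not from the research.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1578900000.1\t10.0.0.12\t44321\t10.0.0.25\t25\ttcp\tsmtp
1578900001.2\t10.0.0.12\t44322\t198.51.100.20\t587\ttcp\tsmtp
1578900002.3\t10.0.0.12\t44323\t203.0.113.8\t443\ttcp\tssl
1578900003.4\t10.0.0.40\t51000\t203.0.113.9\t25\ttcp\tsmtp
1578900004.5\t10.0.0.12\t44324\t198.51.100.20\t587\ttcp\tsmtp
"""

# Assumed inventory: which hosts serve web content, and the only mail relay
# those hosts are allowed to submit to.
WEB_SERVERS = {"10.0.0.12"}
APPROVED_RELAYS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}


def find_suspicious_smtp(log_text: str, web_servers=WEB_SERVERS,
                         relays=APPROVED_RELAYS) -> dict:
    """Return {(src, dst, port): count} for SMTP-port connections initiated by
    a web server to any destination that is not an approved relay."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    counts = defaultdict(int)
    for row in reader:
        src = row["id.orig_h"]
        dst = row["id.resp_h"]
        port = int(row["id.resp_p"])
        if src in web_servers and port in SMTP_PORTS and dst not in relays:
            counts[(src, dst, port)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, port), n in find_suspicious_smtp(SAMPLE_CONN_LOG).items():
        print(f"web server {src} sent {n} SMTP connection(s) to {dst}:{port}")
```

In the sample, the web server's connections to the internal relay and its HTTPS traffic are ignored, and the non-web host on 10.0.0.40 is out of scope; only the two submissions from 10.0.0.12 to an external host on port 587 are reported, which is exactly the pattern a kit mailing captured credentials would produce. The rule is cheap but depends on an accurate relay allow-list; sites that legitimately send mail directly from the web tier will need their relay added rather than the rule loosened.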
Earlier, in July 2019, McAfee had reported a version of the 16Shop kit targeting Amazon customers, timed just before the Prime Day sale. Victims received an email carrying a PDF attachment styled as a genuine alert from Apple, Amazon or another well-known company. Once the user clicked the link inside the PDF, they were redirected to a fake site that asked for sensitive information such as bank account numbers and debit and credit card details, which were then used for financial fraud.