16Shop Phishing Gang Goes After PayPal Users

A sophisticated malware-as-a-service phishing kit includes full customer service and anti-detection technologies.

A prolific phishing gang known as 16Shop has added PayPal customers to its target set.

According to researchers at the ZeroFOX Alpha Team, the latest version of the group’s phishing kit is designed with a number of features that are aimed to steal as much personally identifiable information (PII) as possible from users of the popular money-transfer service, including login credentials, geolocation, email address, credit-card information, phone number and more.

In investigating the kit’s infrastructure, researchers uncovered that to establish contact, the kit sends a POST request to a command-and-control (C2) server, with a password, domain and path as a form of operational security. Stolen information is subsequently exfiltrated via SMTP to an attacker-controlled email inbox. It can be used to create phishing pages in English, Japanese, Spanish, German and Thai.

Threatpost Webinar Promo Mobile App Security

The researchers were able to intercept traffic between the kit and the C2 server, and gain access to the server panel that 16Shop rents to users. They found that it’s so user-friendly that users could use it to deploy phishing pages without needing to understand any of the underlying protocols or technology.

“Much like a SaaS [software-as-a-service] product, user experience and dashboard analytics are keys to success,” ZeroFOX said in a posting on the new kit, on Tuesday. “The 16Shop kit panel is professionally done, with reactive elements and data updating in real time. Whether its login credentials collected, emails collected, credit cards, bots or clicks, kit operators are able to see the success of their operation in a quick and efficient manner.”

The analysis also showed that 16Shop is using three different anti-bot and anti-indexing features. The idea is to block automated crawlers used by security vendors, as well as web indexers, to limit exposure of the kit.

“The first [detection-evasion feature is] a simple blacklist file under security, with a file named blacklist.dat,” explained the researchers. “Secondly, they use an open-source anti-crawling library called CrawlerDetect. The latest versions also employ an integration with antibot.pw.”

Antibot has an API endpoint where 16Shop operators can load an API key into the kit, and the kit will send the visitor’s User-Agent out to antibot to see if a visitor is a “bot or not.” Antibot also offers services for link shortening, link clickthrough and tracking, as well as Bank Identification Number (BIN) checking.

“The authors also make an honest attempt to block as much security scanning and indexing engines as possible, as the quicker these automated tools uncover phishing websites, the faster they get taken down,” ZeroFOX noted.

As noted, 16Shop is distributed in a malware-as-a-service model, with operators likely located in Southeast Asia.

“16Shop has been publicly attributed to a group called Indonesian Cyber Army, and specifically, one of the authors, DevilScreaM, has his moniker plastered over the kit code and distribution network,” said the researchers.

ZeroFOX said that a rental comes with detailed installation and tear down instructions, and some of the versions have customer service options, including live support channels, social media pages and email addresses. Free updates and access to upsell portals round out the package.

“For example, a kit author could purchase only an Amazon kit, and then see a new PayPal kit [in the portal] with great antibot features, so it incurs a ‘fear of missing out’ and causes the operator to purchase the new package,” the researchers said. They added, “16Shop employs digital rights management (DRM), limiting the number of deploys per kit unless you buy more.”

The kit initially targeted Apple users, but then moved on to Amazon last year, according to the writeup. ZeroFOX also saw evidence that 16Shop is working on adding American Express to its kit as well.

“These kit authors use product features and marketing tactics from SaaS products to advertise, sell, deploy, maintain and update their products,” concluded ZeroFOX.

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles