The 16Shop phishing kit distribution network has expanded its portfolio with new templates that target PayPal and American Express users.

Analyzing variants of this product in November 2018 and May 2019, malware researchers determined that it focused on Apple and Amazon brands, providing fake login pages for these two brands.

New kits on product page

16Shop is a sophisticated, commercial product that validates licenses in real-time and comes with code-level protection against making copies. It can block automated crawlers from security vendors and web indexers to prolong the life of the phishing page.

In early January, security researchers from ZeroFox obtained a PayPal phishing kit from 16Shop and learned that a template for American Express also exists.

There are no published details about the Amex scam page at the moment, but a screenshot from 16Shop’s panel shows that the release is in an earlier stage than the other options.

The researchers noticed that the PayPal kit is localized for English, Japanese, Spanish, German, and Thai users. This is much less than the more developed Apple template, which has support for 10 languages, or the kit for Amazon.

Among the data it steals are login credentials, payment card details (owner’s name, expiration date, bank name, number, security code), and billing address with personally identifiable details.

16Shop’s phishing page for PayPal also collects information about the victim’s IP address, ISP, browser, and geography.

According to ZeroFox, 16Shop’s latest versions for Amazon, Apple, and PayPal kits use three mechanisms to defend against bots and indexing activity: blacklisting, the open-source CrawlerDetect library, and integration with the antibot service.

Easy management

After intercepting the traffic between the PayPal phishing template and 16Shop’s command and control (C2) server, ZeroFox was able to access the kit’s management panel.

The dashboard is a clear sign that professionals are behind it. Featuring reactive elements, real-time data updates, statistics about clicks, the information collected as well as bot detection, the panel offers a seamless experience “so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure.”

The skills of the group developing 16Shop are also visible from the built-in protections, against bots and software pirates. However, someone figured out a way to crack 16Shop and distributed a backdoored version in late 2018.

The information contained in this website is for general information purposes only. The information is gathered from ΒLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.