Digital attackers are now abusing the 16Shop phishing kit to target Amazon users for the purpose of stealing access to their accounts. At around the same time of its analysis, the security firm noticed that those actors to whom it previously attributed the creation of this phishing kit had changed their social media profile picture to a modified Amazon logo. These two developments led researchers to conclude that those behind this phishing kit had decided to create a new version and go after Amazon users.

This new variant of the kit uses attack emails to trick users into visiting a fake Amazon website. There, users receive prompts to update their accounts by resubmitting a variety of information, including their payment card details. Threat actors have targeted Amazon users with phishing scams even before the above campaign. For instance, Threatpost reported on a spear phishing campaign that leveraged malicious macros concealed in Microsoft Word documents to infect Amazon customers with Locky ransomware.

One of the best ways to defend your organization against phishing attacks motivated by 16Shop and other tools is by using ahead-of-threat detection to spot potentially malicious domains before they become active. Information security personnel should also help their organizations conduct test phishing engagements with their entire workforce so that all employees can learn how to spot, and not fall for, a phish.


David Bisson is an infosec news junkie and security journalist.

A sophisticated malware-as-a-service phishing kit includes full customer service and anti-detection technologies. Stolen information is subsequently exfiltrated via SMTP to an attacker-controlled email inbox.

The researchers were able to intercept traffic between the kit and the C2 server, and gain access to the server panel that 16Shop rents to users. Whether it's login credentials collected, emails collected, credit cards, bots or clicks, kit operators are able to see the success of their operation in a quick and efficient manner.

The analysis also showed that 16Shop is using three different anti-bot and anti-indexing features.

Digital Attackers Now Using 16Shop Phishing Kit to Target Amazon Users

The idea is to block automated crawlers used by security vendors, as well as web indexers, to limit exposure of the kit. The latest versions also employ an integration with antibot. As noted, 16Shop is distributed in a malware-as-a-service model, with operators likely located in Southeast Asia.

ZeroFOX said that a rental comes with detailed installation and tear down instructions, and some of the versions have customer service options, including live support channels, social media pages and email addresses.

Free updates and access to upsell portals round out the package. The kit initially targeted Apple users, but then moved on to Amazon last year, according to the writeup.


As users gear up to find the best deals ahead of the Amazon Prime Day Sale, security researchers Oliver Devane and Rafael Pena of McAfee Labs have discovered a critical phishing threat, called 16Shop, that has been targeting Amazon users since May.

According to the discovery, the tool has been previously used against Apple users, wherein it created a fake login page and urged users to re-enter credit card details, thereby leading to financial theft.

The McAfee researchers have noted that while the 16Shop phishing tool may not be operated by the same person as before, it appears to be an identical copy of the one that affected many Apple users worldwide. Previously operated by an Indonesian hacker who goes under the alias of 'DevilScreaM', the 16Shop phishing tool is claimed to have been marketed to vendors through a closed Facebook group as well, which in turn may have resulted in more attackers using it to target large-scale websites such as Amazon.

While the USA and Indonesia are known to be the targeted markets so far, it is not clear if Indian websites are also being targeted now. According to the information revealed so far, the 16Shop tool uses multiple domains that replicate an Amazon login screen in order to steal the credentials of a user and, subsequently, previously added credit or debit card data. This can prove to be incredibly fatal, since the Amazon Prime Day Sale typically sees millions of users accessing the e-commerce giant's portal to avail time-bound deals and discounts, and they often end up spending a significant chunk of money during this period.

Seeing that Amazon is slated to experience a higher amount of activity than usual, it is imperative that users remain more cautious than ever. The most certain fix for users across the world is to not access any URL that offers an Amazon login interface, apart from the official URL itself.

Emails sent with offers, or prompts stating that a user's account credentials have been suddenly reset or locked (as the 16Shop attackers did with Apple), are best left untouched and deleted.

According to the McAfee Labs blog post, the following six URLs are being used to lure users into a trap, and for the sake of safety, users should add these addresses to the blacklist of whichever firewall they are using. The URLs are: (Warning: do not click on any of these addresses, or access them voluntarily.) Devane and Pena conclude their alert against this recent threat by stating, "During our monitoring, we observed over Malicious URLs serving this phishing kit which highlights its widespread use."


16Shop – Malware-as-a-service Phishing Toolkit Attack PayPal Users With Anti-Detection Techniques

Shouvik Das.


A new version of the 16Shop phishing kit has been observed in the wild, with more than URLs loading login pages aimed at collecting login information from Amazon customers. It can also adapt the phishing templates to the type of device they load on. A previous variant of the phishing kit observed since November targeted Apple users via malicious emails accompanied by a PDF file that redirected to a page asking for Apple account data, including payment card details.

In a blog post today, Oliver Devane and Rafael Pena surmise that phishing is likely the method used to lure victims into loading the fake login pages. In the case of the Apple campaign, a typical email from the threat actor urged the recipient to check the information associated with their account. The request was motivated by an alert that someone is logging in and making possibly unauthorized changes. A similar email may be used with Amazon customers.

The report details that the social media account of the group believed to be behind 16Shop changed the profile picture to something that shared elements from Amazon's official logo.


Of the URLs McAfee observed to serve the phishing kit, all of them have been marked as malicious, indicating extensive use of the threat in the wild. The Amazon version of 16Shop seems to be the original development from its creators, unlike the pirated variants that come with a backdoor. The cracked release has a local configuration file so contacting the author's server is no longer required for the API-driven validation process.

However, this free pass does not come without a price. Researchers at Akamai discovered that these copies include code that creates a second communication channel via the Telegram messaging app. The cracker implemented this functionality so they receive the same data the kit's operator gets from the victims. The code is highly obfuscated, so it becomes clear that the purpose was to double-cross anyone foolish enough to believe that they got 16Shop for free.



16Shop Phishing Gang Goes After PayPal Users

July 12. Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security.

After targeting Apple and Amazon customers, the hacking group has now modified the kit to target PayPal and certain American Express customers as well.

On further analysis, researchers found that the latest versions of 16Shop phishing kit contained three anti-bot and anti-indexing features that worked as an anti-detection mechanism. Finally, the third one employs an integration with antibot. Every phishing kit is target specific and different from the other.

Each kit comes with a deployment quota for every customer. On reaching the optimum number of deployments, 16Shop shuts shop. It operates again only when the operator pays for additional deployments.

The research also noted that stolen information is exfiltrated via SMTP to an attacker-controlled email inbox. Earlier, McAfee had discovered the first version of the 16Shop phishing kit in July, targeted at Amazon just before its Prime Day sale. The victims received an email with a PDF file attachment that looked like an original email alert from Apple, Amazon, or any other tech company.

Once the user clicked on the link in the attached PDF file, they were redirected to a fake site where the user was asked to enter sensitive information such as bank account number and debit and credit card details, which were then used for financial fraud.


Since early November, McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a PDF file attached. When the victims click on the link in the attached PDF file, they are redirected to a phishing site where they will then be tricked into updating their account information, which often includes credit card details.

The author of this phishing campaign used the conversion site Pdfcrowd. The PDF tag can be seen below:

Most phishing kits will email the credit card and account details entered on the site directly to the malicious actor. The 16Shop kit does this, too, and also stores a local copy in other text files. This is a weakness in the kit because anyone visiting the site can download the clear-text files if the attacker uses the default settings.

The kit includes a local blacklist, which blocks certain IP addresses from accessing the website. This blacklist contains lots of IPs of security companies, including McAfee. The blacklisting prevents malware researchers from accessing the phishing sites. A snippet is shown below:

While looking at the code we observed several comments that appear to be tags of the creator. More on this later.

The creator of 16Shop also developed a tool to generate and send the phishing emails. We managed to gain a copy and analyze it. The preceding configuration shows how an attacker can set the subject field as well as the origin address of the email. While looking through the source files, we noticed the file list. This file contains the list of email addresses that the phisher sends to.

The example file uses the address riswandanoor yahoo. This email, along with the name in the comments from the phishing kit, could potentially tell us some more about the creators of the kit.

The author of the kit goes by the alias DevilScreaM. We also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing. In mid they began defacing sites again and posting exploits on 0day. In November We checked the group in mid-June and it now has over members and over posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.

The analysis also explained that 16Shop is using three different anti-bot and anti-indexing features.

This indicates that the threat actors behind the phishing kit distribution network are continuously upgrading its features and attack methods. The latest version of 16Shop obtained by the ZeroFOX Alpha Team includes several features, such as the ability to block automated crawlers used by security vendors and web indexers, and an antibot function that checks whether the visitor is a bot.

This is an interesting observation as the 16Shop authors have been attributed to be Indonesian, and there is Indonesian littered throughout their code. The new PayPal kits are designed to steal as much of the user's Personally Identifiable Information as possible. The phishing kit sends the collected information to its operators' email inbox via SMTP. For now, the PayPal kit supports only a few languages.

These kit authors use product features and marketing tactics from SaaS products to advertise, sell, deploy, maintain and update their products.

Friday, April 17, GBHackers On Security.
