:: 16Shop Intelligence Thread ::

#16Shop is prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.

⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.

#THREAD
16Shop was initially detected in the wild in late 2017 by McAfee security researchers. This kit was using an Apple theme. 🖥️

Initially access to the kit was sold on Facebook 💰
The user selling 16Shop access was part of a group who are attributed as being the creators and main operators of 16Shop, known as "Indonesian Cyber Army"💀
In May 2019 16Shop added a new lure to their offering targeting Amazon.

Closely following this the threat actor group added lures for both PayPal and American Express. 💳
The kit has many notable features but I will detail some of the interesting ones in this thread. 🔐

At the end of the thread there are links to further resources if you want more detailed write-ups on the code or actors.
The admin panel is a good place to start.

It is clearly identifiable as 16Shop and can be located under /admin/.

See the image for the HTML head information for an admin page🧑‍💻
On the main phishing page an initial redirect occurs to /account/ and HTML parameters are appended to the URL.
Within the 16Shop kit there are multiple attempts to block scanners and researchers from accessing the kit. ❌
16Shop uses an Indonesian service known as anti-bot, which checks a user's User-Agent string and will block any it suspects are bots or scanners.

On top of this there are hard-coded lists of IP addresses and ranges built into the kits to prevent whole subnets from viewing the kits.
When users are blocked they are returned a 403 status message.
Some variants of the kit contain a hidden Telegram exfiltration method.

Once a threat actor uploaded the phishing page and a victim entered their details, the details would be sent to the controlling threat actor and also the unknown owner of the Telegram channel.🤖
Public attribution for the actor behind these scams: @PhishingAi

More details on each element of the code base: @dave_daves

Thanks to @teachemtechy for reviewing the content for this thread!
More threads I have created:
Phishing hunting thread -

Phishing Admin Panel Hunting Thread -

Magecart Hunting Thread -
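
A triage sketch for the behaviours described in this thread (the /admin/ panel, the redirect to /account/ with parameters appended, and the 403 returned to suspected scanners), added here as an example and not part of the original thread or the kit. The record fields, hosts and query values are constructed, and matching "16shop" in the admin page title is an assumption, since the thread's screenshot of the HTML head is not reproduced here.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed crawl observations (not real traffic): one record per request
# made by a defender's URL-analysis crawler. Field names are assumptions.
OBSERVATIONS = [
    {"host": "phish.example", "path": "/", "ua": "browser", "status": 302,
     "location": "/account/?view=login&session=abc123", "title": ""},
    {"host": "phish.example", "path": "/", "ua": "scanner", "status": 403,
     "location": "", "title": ""},
    {"host": "phish.example", "path": "/admin/", "ua": "browser", "status": 200,
     "location": "", "title": "16Shop Admin"},
    {"host": "shop.example", "path": "/", "ua": "browser", "status": 302,
     "location": "/account/", "title": ""},
    {"host": "shop.example", "path": "/", "ua": "scanner", "status": 200,
     "location": "", "title": ""},
    {"host": "shop.example", "path": "/admin/", "ua": "browser", "status": 404,
     "location": "", "title": ""},
]

def host_traits(records):
    """Return the set of thread-described behaviours seen for one host."""
    traits = set()
    root = {r["ua"]: r for r in records if r["path"] == "/"}
    for r in records:
        target = urlsplit(r["location"])
        # Landing page redirects to /account/ with parameters appended.
        if (r["path"] == "/" and 300 <= r["status"] < 400
                and target.path.rstrip("/") == "/account" and target.query):
            traits.add("account_redirect_with_params")
        # Admin panel under /admin/ naming the kit (title match is an assumption).
        if (r["path"] == "/admin/" and r["status"] == 200
                and "16shop" in r["title"].lower()):
            traits.add("admin_panel")
    # Cloaking: scanner User-Agent gets 403 while a browser does not.
    if ("scanner" in root and "browser" in root
            and root["scanner"]["status"] == 403
            and root["browser"]["status"] != 403):
        traits.add("ua_cloaking_403")
    return traits

def triage(observations, threshold=2):
    """Group observations by host and keep hosts matching >= threshold traits."""
    by_host = defaultdict(list)
    for r in observations:
        by_host[r["host"]].append(r)
    scored = {h: host_traits(rs) for h, rs in by_host.items()}
    return {h: sorted(t) for h, t in scored.items() if len(t) >= threshold}
```

Requiring at least two traits keeps an ordinary site that merely redirects to /account/ out of the results; the second constructed host shows that case.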