Since 2019, ZeroFox Alpha Team has been tracking a prolific phishing kit distribution network known as “16Shop”. Phishing kit services run much like software-as-a-service (SaaS) products: users purchase a kit and are granted a license to distribute it for a fee. They are also provided installation and teardown instructions, updates at no additional cost, and access to portals to purchase more kits. Some phishing kit distribution networks even have live support channels, social media pages and email addresses.
16Shop has been publicly attributed to a group called Indonesian Cyber Army, and specifically, one of the authors, DevilScreaM, has his moniker plastered over the kit code and distribution network. The kit first made a splash by targeting Apple customers, then moved on to Amazon, and was uncovered by McAfee right before Amazon Prime Day in 2019.
Automation Prevention and Paranoia
In early January 2020, ZeroFox Alpha Team obtained a 16Shop phishing kit that targets Paypal customers, as well as information indicating the group also has an American Express kit. This shows that the group is continuing to develop its product and add brands to its phishing kit portfolio. The kit obtained by Alpha Team has the following zip structure:
Higher-tier phishing kits such as 16Shop have a number of features, one of which is the ability to block automated crawlers run by security vendors, as well as web indexers, to limit exposure of the kit. The latest versions of 16Shop’s Amazon, Apple and now Paypal kits employ three anti-bot and anti-indexing features. The first is a simple blacklist file, blacklist.dat, under the security directory. The second is an open-source anti-crawling library called CrawlerDetect. The third is an integration with the Antibot service, described next.
Antibot exposes an API endpoint: 16Shop operators load an API key into the kit, and the kit sends each visitor’s User-Agent to Antibot to check whether the visitor is a “bot or not”. The Antibot website is available in English as well as Indonesian. This is an interesting observation, as the 16Shop authors have been attributed as Indonesian, and Indonesian is littered throughout their code. Antibot integrations exist in other phishing kits, such as Hijalyh, which is also an Indonesian-based kit. Antibot also offers link shortening, link click-through tracking, and Bank Identification Number (BIN) checking.
Much like any SaaS product, many features of 16Shop are “a la carte”, and additional features help the authors land and expand when selling their kits. For example, an operator could purchase only an Amazon kit, then see a new Paypal kit with better antibot features; this creates a “fear of missing out” and drives the operator to purchase the new package. The authors also make an honest attempt to block as many security scanning and indexing engines as possible, because the quicker these automated tools uncover phishing websites, the faster the sites get taken down. Lastly, 16Shop employs Digital Rights Management (DRM), limiting the number of deployments per kit unless the operator buys more.
Paypal Kit Features
The Paypal kit, much like the Apple and Amazon kits, is designed with a number of features aimed at stealing as much Personally Identifiable Information (PII) as possible. It has the same DRM features as the Amazon and Apple pages: once a kit is deployed, it reaches out to a DRM Command and Control (C2) server for authorization:
By intercepting traffic between 16Shop kits and the C2 server, you can see the server panel for kit operators.
Much like a SaaS product, user experience and dashboard analytics are keys to success. The 16Shop kit panel is professionally done, with reactive elements and data updating in real time. Whether it’s login credentials collected, emails collected, credit cards, bots or clicks, kit operators are able to see the success of their operation in a quick and efficient manner. The goal of phishing kits is to make this experience seamless, so not-so-technical kit operators can deploy phishing pages without needing to understand the underlying protocols behind managing this infrastructure. This kit also merges dashboard functionality regardless of the scam page an operator buys, so the operator gets an integrated experience whether they purchase one or multiple kits.
Stolen information is exfiltrated via SMTP to an attacker-controlled email inbox.
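The anti-bot features above (the blacklist.dat file under security, the CrawlerDetect library, the Antibot API key) and the SMTP exfiltration just described are all static artifacts an analyst can look for when triaging a kit archive pulled from a compromised host. The following script is an added example written for this post, not code from ZeroFox or from the kit itself: it walks an extracted kit directory and reports which of those features are present. The regular expressions are this example's own assumptions about what such code typically looks like, not signatures taken from 16Shop source, and the sample kit layout it builds is constructed purely for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators for the kit features discussed in the post. The patterns are
# assumptions made for this example, not strings lifted from the real kit.
INDICATORS = {
    # blacklist.dat under a security/ directory (matched on the relative path)
    "blacklist_file": re.compile(r"(^|/)security/blacklist\.dat$"),
    # any reference to the open-source CrawlerDetect library
    "crawlerdetect": re.compile(r"CrawlerDetect", re.I),
    # a config variable holding an Antibot API key
    "antibot_key": re.compile(r"antibot[_\-]?(?:api[_\-]?)?key", re.I),
    # outbound mail: PHP mail(), PHPMailer, or explicit SMTP settings
    "smtp_exfil": re.compile(r"(?:\bmail\s*\(|PHPMailer|smtp)", re.I),
}

# Indicators matched against file contents rather than the path.
CONTENT_INDICATORS = ("crawlerdetect", "antibot_key", "smtp_exfil")


def triage_kit(root: str) -> dict:
    """Walk an extracted kit directory; return {indicator: [relative paths]}."""
    root_path = Path(root)
    findings = {name: [] for name in INDICATORS}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if INDICATORS["blacklist_file"].search(rel):
            findings["blacklist_file"].append(rel)
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole triage
        for name in CONTENT_INDICATORS:
            if INDICATORS[name].search(text):
                findings[name].append(rel)
    return findings


def summarize(findings: dict) -> list:
    """Return the sorted list of kit features that had at least one hit."""
    return sorted(name for name, hits in findings.items() if hits)


def build_sample_kit() -> str:
    """Create a constructed, minimal kit layout for the demo (not real kit code)."""
    root = tempfile.mkdtemp(prefix="kit_triage_")
    files = {
        "security/blacklist.dat": "googlebot\nbingbot\n",
        "vendor/autoload.php": "<?php require 'CrawlerDetect/CrawlerDetect.php';\n",
        "config.php": "<?php $config['antibot_api_key'] = 'PLACEHOLDER_KEY';\n",
        "send.php": "<?php mail($to, 'login', $body);\n",
        "index.html": "<html><body>Sign in</body></html>\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    kit_root = build_sample_kit()
    results = triage_kit(kit_root)
    for feature, hits in results.items():
        print(f"{feature:15s} {hits}")
    print("features present:", summarize(results))
```

Point `triage_kit` at a real extracted archive to get a per-feature file list; the path-based blacklist check is deliberately separate from the content checks so a renamed or relocated blacklist still shows up once you adjust the single path pattern.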
The kit attempts to collect as much information as possible, including country-specific PII, as seen in the photo. The Paypal kit supports fewer languages than the Amazon or Apple kits, indicating the authors are still adding localizations.
Phishing kits are becoming more popular, as they allow an ecosystem where more technical cybercriminals sell services and reduce the barrier to entry for less technical operators. These kit authors use product features and marketing tactics from SaaS products to advertise, sell, deploy, maintain and update their products. 16Shop is especially adept at deploying antibot features as well as DRM to maintain their licensing and to try to upsell to current customers.
ZeroFox Alpha Team has coordinated with the phishing research community on combating these kits and the cybercriminal economy behind them. We’d like to thank everyone on Twitter who has contributed research to combating phishing kits, especially dave (@dave_daves), and other defenders.
We are presenting our research on phishing kits at Shmoocon on February 1st, where we will have more detail on the C2 infrastructure behind 16Shop and other kits. Come check us out!