
16Shop Targets Cash App with Latest Phishing Kit

16Shop is a prolific phishing kit provider group that has been active for almost 3 years. The group is known for targeting high-profile brands. Last year, ZeroFOX discovered 16Shop’s additions of PayPal and American Express to their portfolio of kits. This week, the group released a Cash App version of their phishing kit for $70. It has been nearly a year since they added a new brand to their arsenal, and ZeroFOX detected operators deploying this new kit within hours of its release.

Phone payment apps give customers convenient, quick options to send or receive money. The disruption of the financial market by popular payment apps led to rapid consumer adoption of these apps.

This rise in popularity of apps like Cash App also draws fraudsters to the same platforms. Because a payment application is linked to a bank account, cybercriminals can abuse a number of trusted relationships between the bank and the application, as well as directly target the application to steal financial information and loot accounts. The responsibility for fraud investigations then shifts to the platforms, which may not have as many years of experience dealing with these crimes.

16Shop developer DevilScreaM has been documented in the fraud scene for years. The pivot to a phone-based payments application is a new venture for 16Shop operators. DevilScreaM shows commitment to the suite of products and services by regularly updating the arsenal and toolsets, which can be seen by tracking the version numbers of kits as operators deploy them and leave them accessible during attacks. Given this commitment, and the operational security errors shown later in this post, ZeroFOX assesses that the Cash App kit will continue to receive updates to improve its functionality and effectiveness.

Distribution

ZeroFOX obtained the phishing kit sold through 16Shop’s storefront on 25 February 2021, a day after the kit’s final compile time.

16Shop storefront advertising targeted brands

Since adding detections for this variant of 16Shop, ZeroFOX has discovered multiple deployments of this kit within a day of its initial launch, indicating that the 16Shop customer base is active and eager to deploy it.

Deployment of the Cash App Phishing Kit

16Shop is a sophisticated phishing kit that uses an API to validate deployments and to supply kits with their configuration. When actors purchase a kit, they populate configuration data within the 16Shop storefront, such as the parameters required in the phishing URL, protections against security scanning technologies, and the exfiltration (“dropper”) email addresses.

Configuration options presented through 16Shop storefront

Managing kits this way gives the operators of 16Shop some major benefits:

  1. Deployments have to be validated, so unauthorized users, or those who have not paid, cannot fully deploy the phishing kit
  2. Lower-skilled actors get a ready-to-go, no-fuss approach to phishing kit deployment
  3. 16Shop charges for licenses, including recurring monthly payments, the same business model as legitimate SaaS applications

If an operator steals and deploys the kit without registering with 16Shop, the kit’s phishing pages are rendered useless.

16Shop documentation instructing operators on how to deploy the kit

Victim Workflow

While the main code base of the kit has not changed from other variants, the victim workflow has been adapted to mirror Cash App’s own site and login workflow as closely as possible.

Lures sent to victims are generally in the form of emails and SMS messages, informing potential victims that their account has been “locked” for security reasons. 16Shop provides localization for multiple languages so operators can scam victims around the world. 

Once the victim clicks the embedded link, multiple checks take place before the phishing page is shown. The visitor’s IP address, User-Agent string and ISP information are correlated and processed in an attempt to deny access to security technologies and web crawlers.

PHP code calling the antibot[.]pw API, a popular provider of bot and web-crawler blocking controls for phishing kits
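The gating described above is easiest to understand, and to defend against, as code. The following Python is an added example, not code from the 16Shop kit or from antibot[.]pw: it models a visitor gate that keys on client IP range, User-Agent and ISP name (the three signals the post names) and then shows the differential fetch a URL scanner can use to detect such cloaking by requesting the same page under several visitor profiles. The block lists, visitor profiles and HTML bodies are constructed for the example; the real service maintains far larger, regularly updated lists.

```python
import ipaddress
import re

# Added example (not 16Shop code): a minimal model of a kit-style visitor gate
# and the differential fetch a defender uses to spot it. Every list, profile
# and HTML body below is constructed for the example.

# User-Agent substrings typical of crawlers, URL scanners and scripted clients.
AUTOMATED_UA_RE = re.compile(
    r"bot|crawl|spider|curl|wget|python-requests|go-http-client|headless",
    re.I,
)
# ISP / ASN organisation names a kit would not expect a consumer victim to use.
HOSTING_ISP_RE = re.compile(r"cloud|hosting|datacenter|security|scanner", re.I)
# Constructed blocklist of client networks (RFC 5737 documentation ranges only).
BLOCKED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

DECOY_HTML = "<html><body>404 Not Found</body></html>"
PHISH_HTML = (
    "<html><body><form action='login.php'>"
    "Cash App email <input name='email'></form></body></html>"
)


def is_allowed_visitor(ip: str, user_agent: str, isp: str) -> bool:
    """Kit-style gate: admit only visitors that look like real consumers.

    Any single failing signal (blocked network, automated User-Agent,
    hosting or security ISP) is enough to serve the decoy instead.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETS):
        return False
    if AUTOMATED_UA_RE.search(user_agent):
        return False
    if HOSTING_ISP_RE.search(isp):
        return False
    return True


def serve(ip: str, user_agent: str, isp: str) -> str:
    """Simulated kit front door standing in for a live HTTP fetch."""
    return PHISH_HTML if is_allowed_visitor(ip, user_agent, isp) else DECOY_HTML


# Visitor profiles a scanner can rotate through: (ip, user_agent, isp).
# "victim" is what a residential phone user looks like from the kit's side;
# the other two are what most automated URL scanners look like.
PROFILES = {
    "scanner_from_cloud": (
        "192.0.2.10", "python-requests/2.25.1", "Example Cloud Hosting"),
    "crawler_ua_residential_ip": (
        "203.0.113.5",
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Example Telecom"),
    "victim": (
        "203.0.113.5",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1",
        "Example Telecom"),
}


def detect_cloaking(fetch, profiles=PROFILES) -> dict:
    """Differential fetch: request the same URL as several visitors and compare.

    Reports which profiles received the body the victim profile received and
    whether any profile was served something different. A cloaked result means
    a scanner fetching only with a default client would have classified the
    site from the decoy rather than from the phishing page.
    """
    bodies = {name: fetch(*visitor) for name, visitor in profiles.items()}
    victim_body = bodies["victim"]
    got_phish = {name for name, body in bodies.items() if body == victim_body}
    return {
        "cloaked": len(set(bodies.values())) > 1,
        "served_phish": sorted(got_phish),
        "served_decoy": sorted(set(bodies) - got_phish),
    }


if __name__ == "__main__":
    print(detect_cloaking(serve))
```

The practical takeaway is that a scanner fetching only from cloud egress with a default HTTP client library sees the decoy and scores the site clean. To surface kits like this one, fetch from residential-looking egress with a current mobile browser User-Agent as well, and treat a difference between the responses as a signal in itself.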

If these checks pass, the victim is taken to the 16Shop phishing page and prompted for their Cash App email address. Once the form has been submitted, a modal warns them of their account status.

Warning modal presented to victims during the phishing workflow

The following pages in the workflow ask the victim for increasingly sensitive information: first their Cash App PIN, then their personal email address and password, billing address, Social Security number, credit card information and identifying documents such as driver’s licenses or passports.

Screenshots of victim workflow prompting for email credentials, billing address and debit card information.
Victim prompted to upload identification which is sent directly to the operator.

The kit also contains believable phishing pages targeting consumer ISPs and email providers, presented dynamically to the victim based on the email address they enter at the start of the workflow, which reveals their mailbox provider.

PHP code responsible for redirecting victims to phishing pages targeting their mailbox provider

All information entered into the phishing pages is exfiltrated via email to the dropper address the operator configured on their 16Shop profile page.

Template for one of the several emails sent to the configured dropper email address

Fingerprinting the Author

The 16Shop author DevilScreaM has already been publicly identified as Riswanda Noor Saputra, based in Indonesia. The individual has previously been involved with website defacement, releasing hacking tools and authoring other phishing kits under multiple aliases. Phishing kit developers generally leave signatures and links in their code as a way to market their storefronts. Within this new kit, DevilScreaM appears to have unintentionally left their own email address in some of the source code as a placeholder.

During the stage of the victim workflow where the user is shown the warning modal, the author’s email address is rendered on the page but hidden behind the dialog. Removing the modal element reveals the address.

The author uses social media to advertise the wealth gained from operating 16Shop, and publishes posts about upcoming updates and new kits.

Screenshot taken from Riswanda’s social media, showing development on the 16Shop American Express kit.

Conclusion & Takeaways

16Shop has developed a sophisticated sales and deployment model that licenses phishing kits to other threat actors for criminal activity. The anti-analysis controls integrated into 16Shop make it difficult for automated tools to detect deployments of the kit. The convenience of these kits, paired with the SaaS-style business model DevilScreaM employs, makes this an attractive option for fraudsters and cybercriminals.

The shop offers a support network via an invite-only Telegram group, where operators can exchange tips and tricks, troubleshoot issues with the system, buy and sell infrastructure for spam, and of course, buy and sell the “loot” from these kits. 

ZeroFOX assesses that 16Shop will continue to operate as a top-tier service in the phishing community. The model DevilScreaM built lowers the barrier to entry and lets spam operators focus on other parts of their operations, such as infrastructure and selling stolen product, while the constant updates and the support structure around 16Shop promote loyalty.

Although 16Shop has targeted only a select few brands throughout its history, the size and scale of those targets have allowed it to reach hundreds of thousands of potential victims and their banking details across the financial services industry. The efficacy of these kits relies on recognition of the target brands, and because they collect different types of credit and debit card numbers, that data is funneled into card shops and used by other actors for card fraud and identity theft. The notion that phishing only results in account takeover is a misconception that understates the severity of these attacks and how much they can damage a person’s livelihood.

Indicators

All IOCs were collected prior to 1 March 2021, 05:00 EST.

16Shop-Cash-V1.zip
32b394e166bcc003d13d6a478396fb15
d5b216af7fe3aad68818021e02fca615f467592e
16ec2fe044179a4a92419b0cb379955aec46c14d7facbfb0634e71bee5c9dd5c
uningkuu[.]hstn[.]me
cash-supportservice19318anjink[.]duckdns[.]org
sign-cashapp[.]com
babingesot[.]com
cash-login-445[.]xyz
cashapp-verify[.]servehalflife[.]com
formacionortodoncia[.]com
solosoez[.]com
cashapp-supports[.]jukecvmao[.]com
secure3[.]containersappcash[.]com
cashapp-support[.]servehalflife[.]com
cashapp-supports[.]vrenahudar[.]com
appverify-us[.]serveirc[.]com
cash[.]app-account-support[.]live
cash[.]app-accounts-support[.]live
cash[.]app-accountz-support[.]live
cash-app-manage[.]fs5[.]klockars[.]com
manage-app-cash[.]fs4[.]htclink[.]com
service-manage-app-cash[.]fe3[.]ryanb[.]com
urjabatteries[.]com
apessss[.]milsaceekoooo[.]com
suportpayment[.]namksdued3rioooo[.]com
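To turn the defanged list above into something a control can consume, the following Python is an added example and not part of the original post: it refangs the `[.]` notation, classifies each token as a hash (by hex digest length), hostname or filename, drops exact duplicates, and emits BIND response-policy-zone records that sink each domain and its subdomains. The indicator text is copied from the list above; the parsing rule assumes, as the post does, that every hostname is written defanged and the only plain-dotted token is the kit archive name.

```python
import re

# Indicators copied from the list in this post, including the one repeated
# domain, so the deduplication step has something to remove.
RAW_IOCS = """
16Shop-Cash-V1.zip
32b394e166bcc003d13d6a478396fb15
D5b216af7fe3aad68818021e02fca615f467592e
16ec2fe044179a4a92419b0cb379955aec46c14d7facbfb0634e71bee5c9dd5c
uningkuu[.]hstn[.]me
cash-supportservice19318anjink[.]duckdns[.]org
sign-cashapp[.]com
babingesot[.]com
cash-login-445[.]xyz
cashapp-verify[.]servehalflife[.]com
formacionortodoncia[.]com
solosoez[.]com
cashapp-supports[.]jukecvmao[.]com
secure3[.]containersappcash[.]com
cashapp-support[.]servehalflife[.]com
cashapp-supports[.]vrenahudar[.]com
appverify-us[.]serveirc[.]com
cash[.]app-account-support[.]live
cash[.]app-accounts-support[.]live
cash[.]app-accountz-support[.]live
cash-app-manage[.]fs5[.]klockars[.]com
manage-app-cash[.]fs4[.]htclink[.]com
service-manage-app-cash[.]fe3[.]ryanb[.]com
urjabatteries[.]com
apessss[.]milsaceekoooo[.]com
suportpayment[.]namksdued3rioooo[.]com
cashapp-support[.]servehalflife[.]com
"""

# Hash type by hex-digest length.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# A defanged hostname: DNS labels joined by the "[.]" marker the post uses.
# Only the defanged form counts as a domain (assumption taken from the post's
# own convention), so the plain-dotted archive name is not mistaken for a host
# under the .zip TLD.
DEFANGED_HOST_RE = re.compile(r"^[a-z0-9-]+(\[\.\][a-z0-9-]+)+$", re.I)


def refang(token: str) -> str:
    """Restore a defanged hostname to its real form."""
    return token.replace("[.]", ".")


def classify(token: str) -> tuple:
    """Return (indicator_type, normalized_value) for one line of the list."""
    t = token.strip()
    if HEX_RE.match(t) and len(t) in HASH_TYPES:
        return HASH_TYPES[len(t)], t.lower()
    if DEFANGED_HOST_RE.match(t):
        return "domain", refang(t).lower()
    return "filename", t


def parse_iocs(text: str) -> dict:
    """Group indicators by type, dropping exact duplicates but keeping order."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            kind, value = classify(line)
            groups.setdefault(kind, {})[value] = None  # dict keeps insertion order
    return {kind: list(values) for kind, values in groups.items()}


def to_rpz(domains) -> str:
    """Emit BIND RPZ records that NXDOMAIN each domain and all of its subdomains."""
    return "\n".join(f"{d} CNAME .\n*.{d} CNAME ." for d in domains)


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    print(f"{len(iocs['domain'])} unique domains")
    print(to_rpz(iocs["domain"]))
```

Hash values are lowercased so they match case-insensitive feeds, and the RPZ output uses the `CNAME .` action, which returns NXDOMAIN for the listed name and its wildcard children; a SIEM match on the hashes or a resolver loaded with the zone covers both the kit archive and the live deployments in this list.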
