16Shop is a prolific phishing kit provider group that has been active for almost three years. The group is known for targeting high-profile brands. Last year, ZeroFox discovered 16Shop’s additions of PayPal and American Express to their portfolio of kits. This week, the group released a Cash App version of their phishing kit for $70. It has been nearly a year since they added a new brand to their arsenal, and ZeroFox detected operators deploying this new kit within hours of its release.
Phone Payment Apps Popular Amongst Friends and Foes
Phone payment apps provide customers with convenient and quick options to send or receive money. The disruption of the financial market by popular payment apps led to rapid adoption of these phone apps by consumers.
This rise in popularity of apps like Cash App also invites fraudsters to these same platforms. By linking a bank account to a payment application, cybercriminals can abuse a number of trusted relationships between the bank and the application, as well as directly target the application to steal financial information and loot accounts. The responsibility of fraud investigations then shifts to the platforms, who may not have as many years of experience dealing with these crimes.
16Shop developer DevilScreaM has been documented to be in the fraud scene for years. The pivot to a phone-based financial payments application is a new venture for 16Shop operators. DevilScreaM demonstrates commitment to the suite of products and services by performing regular updates of their arsenal and toolsets. This can be seen by tracking the version numbers of the kits as they are deployed and left accessible by operators who are performing the attacks. Given this commitment, as well as some of the operational security errors as shown later in this post, ZeroFox assesses that the Cash App kit will continue to receive updates to improve functionality and effectiveness.
The phishing kit being sold through 16Shop’s storefront was obtained by ZeroFox on 25 February 2021, a day after the kit’s final compile time.
Since adding detections for this variant of 16Shop, ZeroFox has discovered multiple deployments of the kit within a day of its initial launch, indicating that the 16Shop customer base is active and eager to deploy it.
Deployment of the Cash App Phishing Kit
16Shop is a sophisticated phishing kit which uses an API to validate deployments as well as supplying kits with their configuration. When an actor purchases a kit, they can populate configuration data within the 16Shop storefront, such as required parameters for the phishing URL, protections against security scanning technologies and exfiltration, or “dropper” email addresses.
Managing kits via this method presents some major benefits to the operators of 16Shop:
- Deployments have to be validated, and unauthorized users, or those that have not paid, will be unable to fully deploy the phishing kit
- Lower skilled actors have a ready-to-go, no-fuss approach to phishing kit deployment at their fingertips
- 16Shop charges for licenses, which can involve regular monthly payments, mirroring the business model of legitimate SaaS applications
If an operator steals and deploys the kit without registering to 16Shop, the kit’s phishing pages are rendered useless.
Whilst the main code base of the kit has not changed from other variants, the victim workflow has been adapted specifically to mirror Cash App’s own site and login workflow as closely as possible.
Lures sent to victims are generally in the form of emails and SMS messages, informing potential victims that their account has been “locked” for security reasons. 16Shop provides localization for multiple languages so operators can scam victims around the world.
Once the victim clicks the embedded link, multiple checks take place before the visitor is presented with the phishing page. The visitor’s IP address, User-Agent string and ISP information are correlated and processed in an attempt to deny access to security technologies and web crawlers.
If these checks pass, the visitor is taken to the 16Shop phishing page and prompted for their Cash App email address. Once the fields have been populated, a modal warns them of their account status.
The following pages in the phishing workflow ask the victim for increasingly sensitive information, starting with their Cash App PIN before stealing their personal email address and password, billing address, social security number, credit card information and identifying documents, like licenses or passports.
The kit also contains believable phishing pages targeting consumer ISP and email address providers which are dynamically presented to the victim depending on the email address they enter at the start of the victim workflow.
All information entered to the phishing pages is exfiltrated via e-mail to the dropper address configured by the operator within their 16Shop profile page.
Fingerprinting the Author
The 16Shop author DevilScreaM has previously been identified publicly as Riswanda Noor Saputra, based in Indonesia. The individual has previously been involved with website defacement, releasing hacking tools and authoring other phishing kits under multiple aliases. Phishing kit developers generally leave signatures and links in their code as a way to market their storefronts. Within this new kit, it seems DevilScreaM unintentionally left their own email address in some of the source code as a placeholder.
During the stage of the victim workflow where the user is presented with a warning modal, the email address of the author is returned to the screen, but hidden behind the dialog. Removing this element reveals the email address.
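As an added triage example (not ZeroFox’s code and not part of the kit), the script below pulls e-mail addresses out of a captured phishing page’s HTML and flags whether each one sits inside a hidden element, which is how a placeholder left behind a modal or an address parked in a hidden form field surfaces during analysis. The HTML sample and the addresses in it are constructed; the helper assumes the page source has already been saved locally.

```python
"""Triage helper: extract e-mail addresses from captured phishing page HTML
and flag those hidden from the victim's view. Added example, not kit code."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Inline styles that keep an element out of the rendered layout.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"input", "img", "br", "hr", "meta", "link"}   # never get an end tag


class HiddenTextScanner(HTMLParser):
    """Walk the DOM while tracking how many enclosing elements are hidden."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside a hidden subtree
        self.stack = []         # per open (non-void) tag: was it hidden?
        self.found = []         # (email, is_hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = ("hidden" in a or a.get("type") == "hidden"
                  or bool(HIDDEN_STYLE_RE.search(a.get("style") or "")))
        for _, val in attrs:                 # addresses parked in attributes
            self._collect(val or "", hidden)
        if tag not in VOID:
            self.stack.append(hidden)
            self.hidden_depth += int(hidden)

    def handle_startendtag(self, tag, attrs):  # <tag ... /> never nests
        self.handle_starttag(tag if tag in VOID else tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.stack:
            self.hidden_depth -= int(self.stack.pop())

    def handle_data(self, data):
        self._collect(data)

    def _collect(self, text, extra_hidden=False):
        for addr in EMAIL_RE.findall(text):
            self.found.append((addr.lower(), self.hidden_depth > 0 or extra_hidden))


def find_emails(html: str):
    """Return de-duplicated [(email, is_hidden), ...], hidden addresses first."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(set(scanner.found), key=lambda e: (not e[1], e[0]))


# Constructed sample page: a warning modal, a hidden placeholder and a hidden field.
SAMPLE = """<html><body>
<div class="modal" style="position:fixed">Your account has been locked.</div>
<p style="display:none">placeholder: author@example.invalid</p>
<input type="hidden" name="drop" value="dropper@example.invalid">
<p>Contact support at support@example.invalid</p>
</body></html>"""
```

Running `find_emails(SAMPLE)` lists the two hidden addresses ahead of the visible support contact, which is the ordering an analyst wants when hunting for author or dropper artefacts.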
The author uses social media to advertise his wealth due to the success of operating 16Shop, and publishes posts regarding upcoming updates and new kits.
Conclusion & Takeaways
16Shop developed a sophisticated sales and deployment model for other threat actors to license phishing kits to conduct criminal activity. The security tools integrated into 16Shop make it difficult for automated tools to detect deployments of their kit. The convenience of these kits paired with the SaaS-based business model that DevilScreaM employs make this an attractive option for fraudsters and cybercriminals.
The shop offers a support network via an invite-only Telegram group, where operators can exchange tips and tricks, troubleshoot issues with the system, buy and sell infrastructure for spam, and of course, buy and sell the “loot” from these kits.
ZeroFox assesses that 16Shop will continue to operate as a top-tier service in the phishing community. The model that DevilScreaM built for his business lowers the barrier to entry for spam operators to focus on other parts of their operations, such as infrastructure and selling stolen product, while also promoting loyalty due to the constant updates and support structure with the community around 16Shop.
Although 16Shop has targeted only a select few brands throughout their history, the size and scale of these targets has allowed them to reach hundreds of thousands of potential victims and their banking details across the financial services industry. The efficacy of these kits relies on the recognition of the target brands, and as they collect different types of credit and debit card numbers, they funnel them into card shops which then are used by other actors to perform card fraud and identity theft. The notion that phishing only results in account takeover is a misconception, and takes away from the severity of these attacks and how much they can damage a person’s livelihood.
All IOCs were collected prior to 3/1/2021 5am EST.