Since early November 2018 McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a pdf file attached.
An example of the message within the email is shown below, with an accompanying translation:
When the victims click on the link in the attached pdf file, they are redirected to a phishing site where they will then be tricked in to updating their account information, which often includes credit card details.
The following is one of the many pdf files that we have seen attached to the phishing emails:
The phishing page is shown below:
The following image shows the information that is being phished:
The following map shows the locations where we have observed this phishing campaign:
The author of this phishing campaign used the conversion site Pdfcrowd.com to create the malicious pdf file, which was attached in the phishing emails. (The pdf tag can be seen below):
16Shop phishing kit
The phishing kit originates in Indonesia and the code handles multiple languages:
Most phishing kits will email the credit card and account details entered on the site directly to the malicious actor. The 16Shop kit does this, too, and also stores a local copy in other text files. This is a weakness in the kit because anyone visiting the site can download the clear-text files (if the attacker uses the default settings).
The kit includes a local blacklist, which blocks certain IP addresses from accessing the website. This blacklist contains lots of IPs of security companies, including McAfee. The blacklisting prevents malware researchers from accessing the phishing sites. A snippet is shown below:
While looking at the code we observed several comments that appear to be tags of the creator. (More on this later.)
The creator of 16Shop also developed a tool to generate and send the phishing emails. We managed to gain a copy and analyze it.
The preceding configuration shows how an attacker can set the subject field as well as the origin address of the email. While looking through the source files, we noticed the file list.txt. This file contains the list of email addresses that the phisher sends to. The example file uses the address firstname.lastname@example.org:
This email, along with the name in the comments from the phishing kit, could potentially tell us some more about the creators of the kit.
The author of 16Shop
The author of the kit goes by the alias DevilScreaM. We gathered lots of information on this actor and found that this individual was involved in the Indonesian hacking group “Indonesian Cyber Army.” Several websites were defaced by this group and tagged by DevilScreaM in 2012.
We found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. We also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.
The timeline of DevilScreaM’s activity shows a notable change in late 2012 and the middle of 2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last. In mid-2013 they began defacing sites again and posting exploits on 0day.today mostly around WordPress vulnerabilities.
DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites as well as commits on the z1miner Monero (XMR) miner tool. in late 2017 DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licenses and support. In November 2018. this private group had over 200 members. We checked the group in mid-June 2019 and it now has over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.
McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.
Recent News and Switch to Amazon
In May 2019, several blogs were published highlighting that a version of 16shop was cracked which included a backdoor that would send all data via telegram to the author of the kit. We can confirm that this was not present in the version we analysed in November. These leads us to believe that this backdoor was added by a second malicious actor and not the original author of 16Shop.
[Telegram Bot API command from Cracked 16shop kit to send stolen data]
In May 2019, we found a new phishing kit which was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16shop kit targeting Apple users back in November 2018.
[Fake Login page]
[PHP code of Phishing Kit and Admin page]
Around the same time that we discovered the Amazon Phishing Kit, the social media profile picture of the actors we believe are behind 16shop changed to a modified Amazon logo. This reinforces our findings that the same group is responsible for the development of the new malicious kit.
[Obfuscated Profile Pic]
We believe that victims of this kit will be led to the malicious websites via links in phishing emails.
We recommend that if users want to check any account changes on Amazon, which they received via email or other sources, that they go to Amazon.com directly and navigate from there rather than following suspicious links.
During our monitoring, we observed over 200 Malicious URLs serving this phishing kit which highlights its widespread use (all URLs seen have been classified as malicious by McAfee).
The group responsible for 16shop kit continues to develop and evolve the kit to target a larger audience. To protect themselves, users need to be extremely vigilant when receiving unsolicited email and messages.
This demonstrates how malicious actors use legitimate companies to leverage their attacks and gain victims’ trust and it is expected that these kinds of groups will use other companies as bait in the future.
Indicators of compromise
Domains (all blocked by McAfee WebAdvisor)
- PDF/16shop! V2 DAT =9086 , V3 DAT = 3537
For more information on phishing attacks: