CampaignSMS

Karma Catches Up to Global Phishing Service 16Shop – Krebs on … – Krebs on Security

You’ve probably never heard of “16Shop,” but there’s a good chance someone using it has tried to phish you.
A 16Shop phishing page spoofing Apple and targeting Japanese users. Image: Akamai.com.
The international police organization INTERPOL said last week it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan.
The INTERPOL statement says the platform sold hacking tools to compromise more than 70,000 users in 43 countries. Given how long 16Shop has been around and how many paying customers it enjoyed over the years, that number is almost certainly highly conservative.
Also, the sale of “hacking tools” doesn’t quite capture what 16Shop was all about: It was a fully automated phishing platform that gave its thousands of customers a series of brand-specific phishing kits to use, and provided the domain names needed to host the phishing pages and receive any stolen credentials.
Security experts investigating 16Shop found the service used an application programming interface (API) to manage its users, an innovation that allowed its proprietors to shut off access to customers who failed to pay a monthly fee, or for those attempting to copy or pirate the phishing kit.
16Shop also localized phishing pages in multiple languages, and the service would display relevant phishing content depending on the victim’s geolocation.
Various 16Shop lures for Apple users in different languages. Image: Akamai.
For example, in 2019 McAfee found that for targets in Japan, the 16Shop kit would also collect Web ID and Card Password, while US victims will be asked for their Social Security Number.
“Depending on location, 16Shop will also collect ID numbers (including Civil ID, National ID, and Citizen ID), passport numbers, social insurance numbers, sort codes, and credit limits,” McAfee wrote.
In addition, 16Shop employed various tricks to help its users’ phishing pages stay off the radar of security firms, including a local “blacklist” of Internet addresses tied to security companies, and a feature that allowed users to block entire Internet address ranges from accessing phishing pages.
The INTERPOL announcement does not name any of the suspects arrested in connection with the 16Shop investigation. However, a number of security firms — including Akamai, McAfee and ZeroFox, previously connected the service to a young Indonesian man named Riswanda Noor Saputra, who sold 16Shop under the hacker handle “Devilscream.”
According to the Indonesian security blog Cyberthreat.id, Saputra admitted being the administrator of 16Shop, but told the publication he handed the project off to others by early 2020.
16Shop documentation instructing operators on how to deploy the kit. Image: ZeroFox.
Nevertheless, Cyberthreat reported that Devilscream was arrested by Indonesian police in late 2021 as part of a collaboration between INTERPOL and the U.S. Federal Bureau of Investigation (FBI). Still, researchers who tracked 16Shop since its inception say Devilscream was not the original proprietor of the phishing platform, and he may not be the last.
It is not uncommon for cybercriminals to accidentally infect their own machines with password-stealing malware, and that is exactly what seems to have happened with one of the more recent administrators of 16Shop.
Constella Intelligence, a data breach and threat actor research platform, now allows users to cross-reference popular cybercrime websites and denizens of these forums with inadvertent malware infections by information-stealing trojans. A search in Constella on 16Shop’s domain name shows that in mid-2022, a key administrator of the phishing service infected their Microsoft Windows desktop computer with the Redline information stealer trojan — apparently by downloading a cracked (and secretly backdoored) copy of Adobe Photoshop.
Redline infections steal gobs of data from the victim machine, including a list of recent downloads, stored passwords and authentication cookies, as well as browser bookmarks and auto-fill data. Those records indicate the 16Shop admin used the nicknames “Rudi” and “Rizki/Rizky,” and maintained several Facebook profiles under these monikers.
It appears this user’s full name (or at least part of it) is Rizky Mauluna Sidik, and they are from Bandung in West Java, Indonesia. One of this user’s Facebook pages says Rizky is the chief executive officer and founder of an entity called BandungXploiter, whose Facebook page indicates it is a group focused mainly on hacking and defacing websites.
A LinkedIn profile for Rizky says he is a backend Web developer in Bandung who earned a bachelor’s degree in information technology in 2020. Mr. Rizky did not respond to requests for comment.

This entry was posted on Thursday 17th of August 2023 03:58 PM
I tend to worry mostly about phishing attacks by text messages these days. The article didn’t say whether 16Shop kits were limited to e-mail and web pages. With the difficulty of vetting scams using text messages, wouldn’t that be a likely profitable approach for 16Shop as well?
It seems that many of the Two Factor Authentication methods involve sending a text message to your cell phone containing a PIN. But then an attacker tells a victim that they just sent them a PIN to their cell phone and the victim must read it back to confirm the victim’s identity. He reads it back and there goes his bank account.
Or attackers can swap SIM cards in some cases and take over the victim’s calls and text messages so that they can respond to incoming PIN numbers and verify themselves as the victim.
One thing I’m curious about is whether something like Google Voice might be better to use as a two factor authentication number. No SIM card, so no SIM card swap. If you use a Google Voice number for text messages, how easy would it be for an attacker to get Google to hand over the number to them? Is it more difficult than swapping SIM cards?
And whether or not you have two factor authentication via text messages on a cell phone or an on-line phone, the idea that the text messages are becoming so commonly used to control access to secure sites is scary.
One thing in my favor is that I don’t pay much attention to telephones. My primary use for it is for emergencies. On the other hand, I depend heavily on e-mail, but at least we can dig through the headers on an e-mail to get some idea about whether the e-mail seems legitimate.
And the use of +aliases to help in filtering the e-mails. For some of my more sensitive e-mail traffic such as for banks and credit card companies, I have set the sieve filter so that they look at both the sender address and the exact destination aliased address, to tag them appropriately. If only one of the sender or the destination address matches, then it still adds the tag, but it also adds a WARNING tag to let me know that it is more likely a scam.
I have seen posts on Reddit where people use Google voice to get around simjacking. I have no first hand knowledge of this.
I use a secure ID air gapped token generator where money is involved.
NIST has a funny way of saying SMS is not allowed. They call it restricted. Google SP800-63.
I do wonder with the expanding facility of AI-generated voice matching how easy it would be to spoof a voice.
Dear Brian, Thank you for keeping up the good fight. The information you provide is so useful. It looks like you will never run out of topics, since the internet will never run out of crimes.
You wrote: “It is not uncommon for cybercriminals to accidentally infect their own machines with password-stealing malware […]” Hilarious! Poetic justice…
Brian, your “continue reading” link is not at the bottom of this story on the main page. I knew to come here, but others won’t.
I do wonder with the expanding facility of AI-generated voice matching how easy it would be to spoof a voice.
i’m not a very highly evolved primate, so i don’t use a mobile phone [capital letters], i.e., all codes are received through google voicemail. but many companies won’t deal with users who only have gmail addresses, so we unhighly evolved ones get left out in the cold with the monkeys.
It appears that American Express may have decided that SMS messages are not a secure idea. I received an e-mail from American Express tonight that said they will discontinue sending most notifications by SMS toward the end of September. The notification messages will be delivered by e-mail or by their own app.
I have heard that scammers frequently send out SMS messages that purport to be from major credit cards in order to get their target to fall for their scams. So this sounds like a really good move.
And the e-mail from American Express was sent to a secret e-mail address of mine that only they have (first thing I checked). So it is most likely actually from American Express.
Since e-mail is so easily taken over (unless using MFA for it too), I prefer an App from the Financial Institution or using an authenticator App over e-mail or SMS.
Your email address will not be published. Required fields are marked *







Mailing List
Search KrebsOnSecurity
Recent Posts
Spam Nation
A New York Times Bestseller!
Thinking of a Cybersecurity Career?
Read this.
All About Skimmers
Click image for my skimmer series.
Story Categories
The Value of a Hacked PC
Badguy uses for your PC
Badguy Uses for Your Email
Your email account may be worth far more than you imagine.
Most Popular Posts
Why So Many Top Hackers Hail from Russia
Category: Web Fraud 2.0
Innovations from the Underground
ID Protection Services Examined
Is Antivirus Dead?
The reasons for its decline
The Growing Tax Fraud Menace
File ’em Before the Bad Guys Can
Inside a Carding Shop
A crash course in carding.
Beware Social Security Fraud
Sign up, or Be Signed Up!
How Was Your Card Stolen?
Finding out is not so easy.
Krebs’s 3 Rules…
…For Online Safety.

source

Leave a Reply

Your email address will not be published. Required fields are marked *