What is the 16Shop Phishing Kit?

The 16Shop Phishing kit is being used by cybercriminals to target online account holders. Typically, the victims receive an email with a pdf file attached. The author or creator of the kit goes by the alias DevilScreaM. McAfee, a security software company, gathered lots of information on the author and found that this individual was involved in the Indonesian hacking group “Indonesian Cyber Army.” Several websites were defaced by this group and tagged by DevilScreaM in 2012.

What is the 16Shop Phishing Kit?

McAfee found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. McAfee also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.

The timeline of DevilScreaM’s activity shows a notable change in late 2012 and the middle of 2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last. In mid-2013 they began defacing sites again and posting exploits on 0day.today mostly around WordPress vulnerabilities.

DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites as well as commits on the z1miner Monero (XMR) miner tool. in late 2017 DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licenses and support. In November 2018. this private group had over 200 members. McAfee checked the group in mid-June 2019 and it now has over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.

McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.

In May 2019, several blogs were published highlighting that a version of 16shop was cracked which included a backdoor that would send all data via telegram to the author of the kit. McAfee can confirm that this was not present in the version we analysed in November. These leads us to believe that this backdoor was added by a second malicious actor and not the original author of 16Shop.

In May 2019, we found a new phishing kit which was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16shop kit targeting Apple users back in November 2018.

Check the comment section below for additional information, share what you know, or ask a question about this article by leaving a comment below. And, to quickly find answers to your questions, use our search Search engine.

Note: Some of the information in samples on this website may have been impersonated or spoofed.
Was this article helpful?  +
Share this with others:

Comments, Questions, Answers, or Reviews

There are no comments as yet, please leave one below or revisit.

To protect your privacy, please do not post or remove sensitive information in or from your comments, questions, or reviews. NB: We will use your IP address to display your approximate location to other users when you make a post. That location is not enough to find you.

Your comment, answer, or review will be set as anonymous because you are not signed in. An anonymous comment, answer, or review cannot be edited or deleted, therefore, review it carefully before posting. Sign-in.

Write Your Comment, Question, Answer, or Review

What is the 16Shop Phishing Kit?