What is the 16Shop Phishing Kit?
Would you share this Article with others? +
McAfee found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. McAfee also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.
The timeline of DevilScreaM’s activity shows a notable change in late 2012 and the middle of 2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last. In mid-2013 they began defacing sites again and posting exploits on 0day.today mostly around WordPress vulnerabilities.
DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites as well as commits on the z1miner Monero (XMR) miner tool. in late 2017 DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licenses and support. In November 2018. this private group had over 200 members. McAfee checked the group in mid-June 2019 and it now has over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.
McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.
In May 2019, several blogs were published highlighting that a version of 16shop was cracked which included a backdoor that would send all data via telegram to the author of the kit. McAfee can confirm that this was not present in the version we analysed in November. These leads us to believe that this backdoor was added by a second malicious actor and not the original author of 16Shop.
In May 2019, we found a new phishing kit which was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16shop kit targeting Apple users back in November 2018.
Note: Some of the names, addresses, email addresses, telephone numbers or other information in samples on this website may have been impersonated or spoofed.
Check the comment section below for additional information and share what you know or ask a question about this article by leaving a comment below.
Remember to forward suspicious, malicious, or phishing email messages to us at the following email address: email@example.com. And, report missing persons, scams, untrustworthy, or fraudulent websites to us. Tell us why you consider the websites untrustworthy or fraudulent. Also, to quickly find answers to your questions, use our search
You can help maintain Online Threat Alerts (OTA) by paying a service fee. Click here to make payment.
Comments, Questions, Answers, or Reviews
To help protect your privacy, please do not post or remove, your full name, telephone number, email address, username, password, account number, credit card information, home address or other sensitive information in or from your comments, questions, or reviews. Also, remember to keep comments, reviews, answers respectful.
Write Your Comment, Question, Answer, or Review
Write your comment, question, answer, or review in the box below to share what you know or to get answers. NB: We will use your IP address to display your approximate location to other users.