
What is the 16Shop Phishing Kit?


The 16Shop phishing kit is being used by cybercriminals to target online account holders. Typically, the victims receive an email with a PDF file attached. The author or creator of the kit goes by the alias DevilScreaM. McAfee, a security software company, gathered lots of information on the author and found that this individual was involved in the Indonesian hacking group “Indonesian Cyber Army.” Several websites were defaced by this group and tagged by DevilScreaM in 2012.

McAfee found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. McAfee also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.

The timeline of DevilScreaM’s activity shows a notable change in late 2012 and the middle of 2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last. In mid-2013 they began defacing sites again and posting exploits on 0day.today, mostly around WordPress vulnerabilities.

DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites as well as commits on the z1miner Monero (XMR) miner tool. In late 2017, DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licenses and support. In November 2018, this private group had over 200 members. When McAfee checked the group in mid-June 2019, it had over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.

McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.

In May 2019, several blogs were published highlighting that a version of 16Shop had been cracked and that this cracked version included a backdoor that would send all data via Telegram to the author of the kit. McAfee can confirm that this was not present in the version we analysed in November. This leads us to believe that this backdoor was added by a second malicious actor and not the original author of 16Shop.

In May 2019, we found a new phishing kit that was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16Shop kit targeting Apple users back in November 2018.
