16Shop, currently tracked by the ZeroFOX Alpha Team, is a prolific phishing kit distribution network. Phishing kits are tools created and sold by cyber criminals which are used to fake login pages used by popular services, such as Amazon. When a victim navigates to these pages and types in their credentials, the credentials are stored, typically in either a text file or email that only the cybercriminal running the scam has access to. Using 16Shop, cybercriminals can purchase phishing kits and are given a license to distribute them for a price. The shop offered Apple kits and Amazon kits, and now recently have begun offering Paypal and American Express kits. These kits can be used to phish unsuspecting victims for their personal information, such as credit card numbers.
What makes the 16Shop kits stand out from typical phishing kits sold on marketplaces, is the use of defense/scanner evasion. By implementing a blacklist along with using free tools like an anti-crawling library called CrawlerDetect and the use of antibot.pw (a bot detection service), 16Shop’s kits can avoid detection by site crawlers and other automated defense mechanisms.
Analyst Notes
It is important that companies establish a level of communication between management and employee to educate employees on ongoing scams, like the ones run by 16Shop customers. Many phishing sites impersonate Microsoft Office365 login pages to capture employees’ corporate account credentials, which gives the attacker instant access to email and documents. By educating employees, companies protect themselves as well, because sometimes stolen credentials may be used to access private corporate information. Employees should have a clear procedure for reporting suspected phishing to the company’s security department. Requiring multi-factor authentication (MFA) for all critical remote access accounts makes it much more difficult for attackers to abuse stolen passwords. Scanning incoming email messages for links to potential phishing sites is another important defense against phishing.
For more information, see: https://www.zerofox.com/blog/16shop-adds-paypal-american-express-to-their-catalog/
https://www.zerofox.com/blog/16shop-adds-paypal-american-express-to-their-catalog/
