The developer of the 16Shop phishing platform added a new component that targets users of popular Cash App mobile payment service, according to reports. 

16Shop is a phishing kit from a developer known as DevilScream, says BleepingComputer, and is available and localized in multiple languages. The new component lures potential victims, asking them to provide sensitive details that would allow fraudsters to access their accounts and payment information. 

ZeroFOX says the group is known for targeting high profile brands and has been active for nearly three years. The phishing kit being sold through 16Shop’s storefront was obtained by ZeroFOX on the 25th February, 2021 a day after the kit’s final compile time. Since adding detections for this variant of 16Shop, ZeroFOX has discovered multiple deployments of this kit within less than a day of its initial launch, indicating that the 16Shop customer base is active and eager to deploy this kit.

Justin Albrecht, Security Intelligence Engineer at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains, “16Shop is a cautionary tale that reflects growing trends we’re seeing with other types of threats such as Banking Trojans, Spyware, and even private surveillance companies. The barrier to entry for cybercriminals is getting lower, which means we see more of them every day. These actors are adopting the SaaS model broadly, the prices are usually cheap, and the profits far outweigh the costs. In this case the increased adoption of a relatively new technology, mobile payments, creates an even greater threat as users are prone to falling for phishing links and social engineering.

"The continued success of the 16Shop kit and its expanded targeting provide the perfect example of growing trends across both the threat landscape and consumer behavior. The popularity of mobile payment applications such as Cash App is booming, which presents a tempting target to threat actors as mobile users are far more likely to fall victim to phishing attacks than desktop users." 

Albrecht says DevilScream has adopted a SaaS business model for providing phishing services. "This represents the growing trend of Malware-as-a-Service making it easier for non-technical criminals to become involved in cybercrime. Threat actors ranging from low-level criminals to nation states are taking advantage of malware developers shifting to a SaaS model. It’s being widely adopted because it provides both anonymity as well as reduced overhead for creating a campaign. 

Albreacht adds, "The malicious actors behind these phishing campaigns flip anti-bot and anti-crawler tools and techniques that were originally meant to prevent criminal behavior and use them to avoid detection. Some of these tools and techniques include:

  • CrawlerDetect (used by 16shop)
  • Antibot.pw checks (used by 16shop) 
  • BlackHole (open source bot trap)
  • VPN range filtering
  • User Agent filtering

"Another example of this, though not for 16Shop, is threat actors beefing up the SEO of compromised websites before staging malware to be delivered. Malicious SEO has been around for a while, but this represents another example of the flip of mainstream business or marketing practices to have increased success in criminal campaigns.”