This prolific phishing campaign just added a new name to its list of targets

Crime-as-a-service offering extends its reach, so be careful about what you click on.
Written by Danny Palmer, Senior Writer

A prolific phishing and data-stealing hacking campaign has expanded its operation with new attacks that target PayPal accounts – in addition to existing attacks against Apple, Amazon and other accounts.

Dubbed 16Shop, the phishing campaign has been active since November 2018 and typically targets potential victims via malicious links in emails purporting to be from common online accounts. The campaign is sold 'as-a-service' to low-level hackers on underground forums.

The campaign – which is thought to operate out of Indonesia – has now expanded operations again and is targeting PayPal customers in an effort to steal usernames, passwords, credit card details and other personal information.


The newest addition to the 16Shop phishing kit has been discovered and detailed by researchers at cybersecurity company ZeroFOX. The cyber criminals behind the phishing kit-as-a-service store claim that the false domains they run have attracted over 23 million visits from users who have been duped into clicking through malicious links in spam emails.

Like many other phishing campaigns, these emails attempt to coerce the victim into clicking malicious links through a false sense of urgency.

One technique commonly used in the 16Shop messages – previously detailed by researchers at McAfee Labs – is for the attackers to claim someone has accessed the target's account. The victim is then directed to a fake version of a login page for that account and asked to enter their user name and password.

By doing this, the details are handed straight to the attacker, who can use this information for theft, fraud and other malicious purposes. 16Shop campaigns have targeted users around the world and phishing messages can be sent in multiple languages – although the US and Japan appear to be the most common targets.

Like other 'as-a-service' products, 16Shop offers different tiers of phishing kit, with the most expensive kit containing the most features and abilities.

"16Shop Developers have been one of the most skilled in our research. They are consistently updating their code, adding IP addresses, user-agents and tricks to do anti-bot and anti-scraping technology, and they do it at an impressive rate with frequent updates," Zack Allen, director of threat operations at ZeroFOX, told ZDNet.


However, despite the ease-of-use of the phishing kits and how prolific the email campaigns are, there are simple things that users and organisations can do to help protect against this kind of attack.

"Practising security hygiene is always our recommendation. Use two-factor authentication especially for your financial accounts. These companies and services will never ask you to input your personal information from an email," said Allen.

