A new version of the 16Shop phishing kit has been observed in the wild, with more than 200 URLs serving the kit's landing page to harvest login information from Amazon customers.
16Shop is a sophisticated commercial product that includes protection against unlicensed use and against attempts to analyze it. It can also adapt its phishing templates to the type of device on which they are loaded.
An earlier version of the phishing kit, observed since November 2018, targeted Apple users via malicious emails accompanied by a PDF file that redirected to a page requesting Apple account data, including credit card details.
In May 2019, McAfee researchers noticed a new component of the tool, focused on Amazon users, revealed by 16Shop's PHP code.
In a blog post published today, Oliver Devane and Rafael Pena say that phishing emails are most likely the method used to lure victims into loading the fake login pages.
In the case of the Apple campaign, a typical email from the threat actor urged the recipient to verify the information associated with their account.
The request was justified by an alert claiming that someone had logged in and possibly made unauthorized changes. A similar email could be used against Amazon customers.
The report also notes that the social media account of the group believed to be behind 16Shop has changed its profile picture to an image that shares elements of the official Amazon logo.
McAfee found that all of the 200 URLs serving the phishing kit were flagged as malicious, which indicates that the threat is being used intensively in the wild.
The Amazon version of 16Shop appears to be the original work of its creators, unlike the pirated variants, which are delivered with a backdoor.
The cracked version ships with a local configuration file, so it no longer needs to contact the author's server for the API-driven license validation.
However, this free pass is not without a price. Akamai researchers have discovered that these copies include code that creates a second communication channel via the Telegram messaging application.
The cracker added this feature to receive the same victim data that the kit operator receives. The code is heavily obfuscated, which makes it clear that the goal was to dupe anyone gullible enough to believe they had obtained 16Shop for free.