A prolific phishing gang known as 16Shop has added PayPal customers to its target set. According to researchers at the ZeroFOX Alpha Team, the latest version of the group’s phishing kit is designed with a number of features that are aimed to steal as much personally identifiable information (PII) as possible from users of the popular money-transfer service, including login credentials, geolocation, email address, credit-card information, phone number and more.
In investigating the kit’s infrastructure, researchers uncovered that to establish contact, the kit sends a POST request to a command-and-control (C2) server, with a password, domain and path as a form of operational security. Stolen information is subsequently exfiltrated via SMTP to an attacker-controlled email inbox. It can be used to create phishing pages in English, Japanese, Spanish, German and Thai.
The researchers were able to intercept traffic between the kit and the C2 server, and gain access to the server panel that 16Shop rents to users. They found that it’s so user-friendly that users could use it to deploy phishing pages without needing to understand any of the underlying protocols or technology.
“Much like a SaaS [software-as-a-service] product, user experience and dashboard analytics are keys to success,” ZeroFOX said
in a posting on the new kit, on Tuesday. “The 16Shop kit panel is professionally done, with reactive elements and data updating in real time. Whether its login credentials collected, emails collected, credit cards, bots or clicks, kit operators are able to see the success of their operation in a quick and efficient manner.
