Your data, stolen twice: Pirated phishing kit contains hidden backdoor
Phishing is an evergreen security issue, as criminals trading in personally identifiable information now have numerous avenues to monetize this information-including identity theft, improper access to banking accounts, and resale of information gathered through access of cloud-based storage systems. Phishers go to such great lengths to clone existing websites-particularly the login pages of popular services, and banking websites-that a well-developed clone can be sold to other criminals looking to embark on their own phishing campaigns.
16Shop, a phishing package that targets Apple users, is "highly sophisticated," according to findings from cloud service provider Akamai, published Tuesday. "It has layered defenses, as well as attack mechanisms, all constructed neatly within hundreds of files. It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation."
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
The package is developed and sold by an Indonesian developer known as Riswanda or "devilscream," though Akamai notes that it is unclear if the developer has created "a sophisticated false identity, or given up on the notion of protecting their real identity entirely."
16Shop focuses primarily on Apple or iCloud logins, with themes for each, though can also be used for "Yahoo and Yahoo Japan, AOL, Gmail, Hotmail, and Hotmail Japan, in addition to a generic email login, for domains that are not familiar," according to Akamai. It also targets banking details for 117 banks, including major US banks such as Bank of America, Capital One, Chase, Citi, USAA, and Wells Fargo.
Purchasers of 16Shop are given a license for use, which also acts as an anti-piracy system. Nominally, these purchasers would deploy 16Shop on their own infrastructure, for use with phishing emails or other methods to direct users to their forms. For the pirated version of 16Shop, the harvested credentials and credit card information is also transmitted using an obfuscated backchannel, sending data to the group that cracked 16Shop via Telegram-effectively offloading the heavy lifting of operating campaigns and maintaining servers hosting 16Shop to pirates, while the group that cracked 16Shop gains access to the fruits of their labor.
"At first glance, 16Shop's landing page looks exactly like Apple's legitimate one, but there are tiny differences that humans can be trained to spot," Akamai noted. "There are font differences, the URL, even the fact that in some iterations of 16Shop, the victim is prompted to enter a username and password into the same form, something Apple doesn't do."
For more on protecting your organization against phishing threats, check out " Hackers impersonate Microsoft more than any other brand in phishing attacks," and "Why you need to use DMARC and SPF on mail servers to prevent phishing and fraud."