Cash App phishing kit in the wild courtesy of 16Shop

The developer of the 16Shop phishing platform has added a new component aimed at users of the popular Cash App mobile payment service.

The deployment of the new 16Shop product began as soon as it became available, luring potential victims to provide sensitive data that would allow fraudsters to access the account and related payment information.

16Shop is a complex phishing kit from a developer known as DevilScream, who has built in safeguards against unlicensed use and against analysis by researchers.

The kit is commercially available and localized in several languages. Until recently, code and templates were provided to steal credentials and payment card details for PayPal, Amazon, Apple, and American Express.

Deployed immediately upon release

However, towards the end of February, a new option with a $70 price tag for Cash App accounts became available in the 16Shop store. The app is very popular, with more than 10 million installations on Android, and over 1.6 million reviews give it 4.7 out of 5 stars in the App Store.

Security researchers at cybersecurity company ZeroFOX obtained the new Cash App phishing kit on February 25th, just one day after its final compilation time.

It appears that scammers were rushing to obtain and deploy it, as researchers discovered multiple live deployments of the 16Shop Cash App phishing kit within a day.

This is a strong indication that the scam store has many customers who trust 16Shop enough to jump on any new opportunity to steal confidential information from widely used services.

Same recipe as before

According to ZeroFOX, the kit shares the same base code as the others, and the template mimics the legitimate Cash App site and login workflow as closely as possible.

Victims access the phishing page via emails and SMS messages indicating a security issue that led to the Cash App account being blocked.

Clicking on the fraudulent link triggers a series of checks before the phishing page is loaded. The visitor's IP address, user agent, and ISP details are collected and processed to determine whether the request comes from an automated source (security checks, web crawlers) or from a potential victim.

The countermeasures against bots and indexing activity are included in the Cash App phishing kit, as in the other 16Shop kits. The image below shows how the PHP code calls the Antibot service, which provides the blocking logic for bots and web crawlers.
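From the defender's side, the visitor checks described above leave a measurable trace: a crawler, scanner, or datacenter IP is served something different from what a victim-like mobile browser gets. The following added example (not code from the article or from the 16Shop kit) compares responses to one suspicious URL fetched under several client profiles and flags that divergence; the profile names and response bodies are constructed for the example, and a real fetcher would run in an isolated sandbox.

```python
import re

# Constructed sample responses for ONE suspicious URL, fetched under
# different client profiles. Status code plus HTML body per profile.
SAMPLE_RESPONSES = {
    "mobile_browser": (200, "<html><body><h1>Cash App</h1>"
                            "<form><input type='email' name='email'>"
                            "<input type='password' name='pass'>"
                            "<button>Sign In</button></form></body></html>"),
    "crawler_ua":     (403, "<html><body>Forbidden</body></html>"),
    "datacenter_ip":  (200, "<html><body><p>Hello world</p></body></html>"),
}

TAG_RE = re.compile(r"<[^>]+>")


def tokens(html):
    """Lower-cased set of words in the visible text, tags stripped."""
    return set(re.findall(r"[a-z0-9]+", TAG_RE.sub(" ", html).lower()))


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def detect_cloaking(responses, victim_profile="mobile_browser", threshold=0.5):
    """Compare what a victim-like client sees with what scanner-like
    clients see. A credential form shown only to the victim profile,
    while other profiles get errors or unrelated content, is the
    signature of kit-side antibot checks."""
    v_status, v_body = responses[victim_profile]
    v_tokens = tokens(v_body)
    has_cred_form = bool(re.search(r"type=['\"]?password", v_body, re.I))
    divergent = []
    for name, (status, body) in responses.items():
        if name == victim_profile:
            continue
        sim = jaccard(v_tokens, tokens(body))
        if status != v_status or sim < threshold:
            divergent.append({"profile": name, "status": status,
                              "similarity": round(sim, 2)})
    return {
        "credential_form_for_victim": has_cred_form,
        "divergent_profiles": divergent,
        "cloaking_suspected": has_cred_form and bool(divergent),
    }
```

Running `detect_cloaking(SAMPLE_RESPONSES)` on the constructed data reports both non-victim profiles as divergent and marks the URL as suspected cloaking; identical views across profiles return no finding.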

Pretext of identity confirmation

When the victim takes the bait, they are first asked only for their email address, and are then shown a security alert about unusual activity that supposedly led to the account being suspended.

In order to regain access, the victim must provide confidential information “to confirm identity”. This includes the following:

  • Cash App PIN
  • Email address
  • Password
  • Full name and address
  • Social Security number
  • Payment card details
  • An ID (state ID, driver's license)

The 16Shop phishing platform targets low-skilled cybercriminals looking for an easy and quick way to collect account credentials that they can sell on underground forums. The kit can be configured right from the store, with parameters for the phishing URL, the safeguards against security checks, and where the collected data will be delivered.

Opsec fails

Details of the developer’s identity have been released in the past based on their online trails. They all point to an Indonesian named Riswanda Noor Saputra who has a history of defacing websites, developing other phishing kits, and releasing hacking tools.

A mistake by the Cash App phishing kit's author appears to confirm the same name, ZeroFOX researchers noted. After studying the code, they discovered that the developer's email address is present in it, hidden behind the dialog box shown when the alert about unusual account activity is displayed.

Lookout researchers followed up on Opsec mistakes made by the 16Shop developer and found that he won a website design competition in 2017. They concluded that Riswanda is either very good at inventing and maintaining a fake identity, or that he is poor at protecting his real one.

One look at Riswanda's social media activity shows that he likes to show his wealth to the world, posting details on upcoming updates and new kits. In the picture below he shows the development of the 16Shop American Express kit.
