CyberSecurity SEE

Karma Catches Up with Global Phishing Service 16Shop, says Krebs on Security

INTERPOL announced last week that they had successfully taken down 16Shop, a well-known phishing-as-a-service platform. The platform, which was launched in 2017, allowed even inexperienced individuals to conduct sophisticated and convincing phishing scams. The police organization revealed that the 21-year-old owner of 16Shop, along with one of his alleged accomplices, was arrested in Indonesia. Furthermore, a third suspect was apprehended in Japan.

According to INTERPOL, 16Shop had facilitated the hacking of over 70,000 users in 43 different countries. However, given the platform’s longevity and the significant number of paying customers it had garnered over the years, experts believe that this figure significantly underestimates the true impact of 16Shop.

Describing 16Shop as merely a platform selling “hacking tools” fails to capture its true nature. 16Shop operated as a fully automated phishing platform: it provided its thousands of customers with brand-specific phishing kits and the necessary domain names to host the phishing pages and collect stolen credentials.

Security analysts who investigated 16Shop discovered that the service utilized an application programming interface (API) to manage its users. This innovation allowed the administrators to restrict access to customers who failed to pay their monthly fees or attempted to copy or pirate the phishing kit.

Furthermore, 16Shop employed various techniques to evade detection by security firms. It had a localized approach, tailoring phishing pages to specific geolocations and displaying relevant content to victims based on their location. For instance, 16Shop’s phishing kit for Japanese targets collected Web ID and Card Password, while U.S. victims were prompted to provide their Social Security Number.

To further avoid detection, 16Shop implemented a local “blacklist” of Internet addresses associated with security companies. Additionally, users could block entire ranges of Internet addresses from accessing the phishing pages. These strategies allowed 16Shop to fly under the radar and continue operating for a significant period of time.
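A defender-side check for the cloaking described above, as an added example that is not from the original article or from any 16Shop analysis: it compares captures of one suspect URL taken from several vantage points and flags both selective blocking and location-specific form fields. The vantage labels, field names and sample captures are constructed assumptions.

```python
from html.parser import HTMLParser

class _Inputs(HTMLParser):
    """Collects the name attribute of every <input> element."""
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        name = dict(attrs).get("name")
        if tag == "input" and name:
            self.names.add(name.lower())

def form_fields(html):
    parser = _Inputs()
    parser.feed(html)
    return frozenset(parser.names)

def assess(observations):
    """Compare what each vantage point was served for the same URL."""
    seen = [dict(o, fields=form_fields(o["body"]) if o["status"] == 200
                 else frozenset()) for o in observations]
    served = [o for o in seen if o["fields"]]
    # Vantages that got no form while others did: consistent with a blocklist.
    blocked = sorted(o["vantage"] for o in seen if not o["fields"]) if served else []
    # Fields requested per country: differing sets indicate geo-tailored pages.
    variants = {}
    for o in served:
        variants.setdefault(o["country"], set()).update(o["fields"])
    tailored = len({frozenset(v) for v in variants.values()}) > 1
    return {"selective_blocking": blocked, "geo_variants": variants,
            "geo_tailored": tailored}

# Constructed sample captures (hypothetical vantages and field names).
SAMPLE = [
    {"vantage": "vendor-scanner", "country": "US", "status": 404, "body": ""},
    {"vantage": "home-us", "country": "US", "status": 200,
     "body": '<form><input name="email"><input name="ssn"></form>'},
    {"vantage": "home-jp", "country": "JP", "status": 200,
     "body": '<form><input name="email"><input name="web_id">'
             '<input name="card_password"></form>'},
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A URL that looks dead from a scanning network but serves a credential form elsewhere should be re-checked from other networks before it is closed as benign.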

While the INTERPOL announcement did not reveal the identities of the suspects arrested in connection with the takedown, several security firms had previously linked 16Shop to a young Indonesian individual named Riswanda Noor Saputra, who operated under the hacker alias “Devilscream.” Cyberthreat.id, an Indonesian security blog, reported that Saputra admitted to being the administrator of 16Shop but claimed to have handed off the project to others in early 2020.

However, researchers who have followed 16Shop since its inception argue that Devilscream was not the original proprietor of the platform and may not be the last. While Devilscream was arrested by Indonesian law enforcement in late 2021 as part of a joint operation with the U.S. Federal Bureau of Investigation (FBI), the true mastermind behind 16Shop remains unknown.

Interestingly, it appears that one of the recent administrators of 16Shop inadvertently infected their own machine with a password-stealing Trojan called Redline. Constella Intelligence, a platform specializing in data breaches and threat actor research, discovered this infection. The Redline Trojan stole a significant amount of data from the victim’s computer, including stored passwords, browser cookies, and authentication credentials.

When examining the data collected from the Redline infection, it became evident that the 16Shop admin used the nicknames “Rudi” and “Rizki/Rizky.” Further investigation revealed that this individual’s full name is likely Rizky Mauluna Sidik, and they are from Bandung in West Java, Indonesia. Rizky’s Facebook profiles and LinkedIn profile indicate that he is involved in hacking and web development.

Rizky did not respond to attempts to reach him for comment. While it remains uncertain whether Rizky was the original proprietor of 16Shop or simply one of its administrators, the takedown of the platform marks a significant blow to the phishing-as-a-service community.

In conclusion, INTERPOL’s successful takedown of 16Shop and the subsequent arrests of individuals associated with the platform highlight the ongoing battle against cybercrime. The illicit use of phishing-as-a-service platforms like 16Shop underscores the need for increased cybersecurity measures and global collaboration in combatting these threats.
