Group-IB, a global cybersecurity leader headquartered in Singapore, has participated in an international operation involving INTERPOL and national law enforcement agencies in Indonesia, Japan and the United States targeting the notorious ‘phishing-as-a-service’ (PaaS) platform 16shop, on which phishing kits were sold. The phishing kits were designed to steal credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, Cash App, and others. As a result of the special operation coordinated by INTERPOL, 16shop was shut down and its 21-year-old operator and two suspected facilitators were arrested, one in Indonesia and one in Japan. Group-IB’s Cyber Investigation team in the Asia-Pacific region helped to track down the suspect and identify the victims.
The arrest marked the culmination of intensive intelligence sharing between the INTERPOL cybercrime directorate, national law enforcement in Indonesia, Japan, and the United States, and private sector partners including Group-IB.
Data collected by Group-IB indicate that more than 150,000 phishing domains were created using the phishing kits in question. The phishing kits sold on 16shop were utilized to target users in Germany, Japan, France, the USA, the UK, Thailand and other countries. Phishing kits represent archive files with a set of scripts that ensure the work of a phishing website. This toolset enables cybercriminals with modest programming skills to deploy phishing pages quickly and in large numbers, often using them as substitutes for each other.
According to Group-IB, the phishing kits in question had been traded on the cybercriminal underground since at least November 2017. The phishing kits were being sold at a relatively modest price of US $60-150 depending on the targeted brand. As such, fake pages mimicking Amazon were offered for $60, and phishing pages targeting the users of American Express – for $150. The developers of the phishing kits ensured the localization of phishing pages in more than 8 languages. A victim would see relevant phishing content depending on their geolocation. This feature allowed the buyers of these phishing kits to target victims almost anywhere in the world. Group-IB’s Cyber Investigation unit supported the operation by analyzing the infrastructure used by the suspect and collecting their digital traces to ultimately establish their identity. Group-IB’s experts also helped to identify some victims in Indonesia.
The INTERPOL team compiled and dispatched a criminal intelligence report to the Indonesian National Police’s Directorate of Cyber Crimes, which allowed national law enforcement to apprehend a suspected 21-year-old administrator in 2022, seizing electronic items and several luxury vehicles in the process. Following the successful apprehension of the administrator, further information was shared between the National Police Agency of Japan and the Indonesian National Police resulting in the identification and arrest of two suspected facilitators.
“Cyberattacks such as phishing may be borderless and virtual in nature, but their impact on victims is real and devastating. In recent years, we have seen an unprecedented increase in both the number of cyber threats and their sophistication, with attacks becoming more tailored as criminals aim for maximum impact, and maximum profit.”
INTERPOL’s Assistant Director of Cybercrime Operations
“The campaign targeting 16shop is yet another operation that aligns closely with Group-IB’s mission of fighting cybercrime worldwide. This is a great example of cross-border collaboration and swift threat intelligence sharing – the only way forward to reduce the global impact of cybercrime. Group-IB’s Threat Intelligence platform allows us to spot phishing resources as they appear and continuously track phishing kits traded in the underground. And we will continue to leverage our technologies and a global threat-hunting network to make cyberspace safer.”
CEO at Group-IB
Group-IB has been an active partner in global anti-cybercrime actions led by INTERPOL since 2017 when it signed a data-sharing agreement with INTERPOL. It marks the second INTERPOL operation involving Group-IB experts this summer. In July, Group-IB’s Cyber Investigation and Threat Intelligence units participated in Operation Nervone. Under the auspices of Operation Nervone, authorities in Côte d’Ivoire were able to arrest a key suspect linked to attacks against financial institutions across Africa carried out by a cybercriminal syndicate dubbed OPERA1ER by Group-IB.
