Background
Group-IB made a significant contribution to an international crime fighting operation involving INTERPOL and national law enforcement agencies from Indonesia, Japan and the United States that targeted the notorious ‘phishing-as-a-service’ (PaaS) platform 16shop.
This complicated scam operation piqued our interest due to its global scale, reaching the United States, Japan, Germany, and Indonesia, among others. The phishing kits sold on 16shop were designed to steal credentials and payment details from users of popular online services such as Apple, PayPal, American Express, Amazon, Cash App, etc.
In this case, Group-IB alerted law enforcement in the region to the rising problem of phishing attacks and our expertise played a role in concluding the investigation, which led to the arrest of three suspects believed to be the site’s original administrator and two facilitators.
Behind the scenes
In an interview conducted with the Indonesian press in 2021, the original 16shop administrator, who claimed that he no longer held this role, revealed that he had another partner who is a developer and was also from Indonesia. The developer was an acquaintance and had been with the administrator since the start of 16shop’s activities.
A threat actor that lacks full DevSecOps nous is prone to leaving obvious digital footprints online. This was exactly the case when it came to the 16shop developer. After analyzing the domain registration of the 16shop infrastructure that was live at the time of Group-IB’s investigation in 2021, we found an interesting match with regard to naming conventions.
By pursuing this lead, we discovered the full name of the developer through his Facebook account. Social media account analysis also revealed many other accounts owned by the developer such as YouTube, on which he had posted some videos, and X (formerly known as Twitter).
The developer revealed personal information about himself in his own YouTube videos, including the school he studied at, his age and his appearance at that point in time. Group-IB passed all of this information to its law enforcement partners to assist their inquiries.
Impact
Following the culmination of the INTERPOL-coordinated operation, 16shop was shut down and three arrests were made: one of the suspected administrators of the platform in 2022, followed by two suspected facilitators: one in Indonesia, and the other in Japan.
Storyline
How do you go about stopping a multinational phishing kit provider whose scam resources were used to potentially target millions of internet users? Coordinated action involving cybersecurity experts and law enforcement, of course!
Phishing as a service (PaaS) is a scam framework that allows less technically proficient cybercriminals to purchase access to phishing kits, giving them the opportunity to target millions of users across the globe.
16shop was a major PaaS player with a global reach. Kits from this provider were traded, Group-IB’s High-Tech Crime Investigations unit found, from at least November 2017 onwards.
Looking through the shop window
According to data collected by Group-IB experts, more than 150,000 phishing domains, leveraged as part of phishing attacks against users in Germany, Japan, France, the US, and the UK, among others, were created using kits procured from 16shop.

Figure 1. Dashboard of 16shop, revealing scale of operation.
Notably, Group-IB investigators found that 16shop’s developers were able to localize their phishing pages into as many as eight languages, and victims would see phishing content relevant to them depending on their geolocation.
The kits were sold for between $60 and $150, a modest sum, depending on the targeted brand. For example, fake pages mimicking Amazon were offered for sale for $60, while those that targeted users of American Express were more expensive, coming in at $150.

Figure 2. Screenshot from 16shop’s store highlighting different phishing pages and their cost to potential buyers.
Stopping the shopkeeper
16shop’s activities were flagged by an INTERPOL analyst during an ongoing project into cyber threats in the ASEAN region. The international law enforcement organization then engaged regional agencies alongside private sector cybersecurity partners, including Group-IB.
The most effective way to stop users from buying phishing kits is to stop the storekeeper by halting the operations of the shop. In this case, the best course of action is to take down the entire 16shop platform. The 16shop platform allows threat actors to generate phishing pages and manage their victims with little to no programming capability. Taking down the platform would incapacitate the entire business of the admin and buyers of 16shop.
Like any operation, it has to be quick and come without any forewarning. The threat actors would then be caught off guard, with little to no time to make any backups of the compromised victims’ information. Of course, there is no guarantee that they hadn’t already got their hands on victims’ data, but it reduces the likelihood for unprepared threat actors.
Group-IB’s High-Tech Crime Investigations unit embarked on this takedown journey by first conducting an analysis of all the infrastructure in 16shop’s operations before collecting and parsing through all their digital traces.
Key findings at this stage included all the domains that once hosted the 16shop platform, which were used to extract domain registrar information such as the email of the registrar and SSL certificates. This led to the discovery of a URL containing the same hostname ‘16shop’ on a different domain in 2021.
This contained a nickname that was likely to belong to the developer of the platform, which was later confirmed in the administrator’s aforementioned interview with the Indonesian press. Passive reconnaissance was conducted to gather information about the social media profiles, email addresses, education, country and online activities linked to the nickname. The individual’s lack of DevSecOps nous and oversharing in the public domain made it a simple task for Group-IB investigators to discover the true persona of the developer.
Group-IB experts supplemented this with active reconnaissance, which included registering an account on 16shop to understand the dynamics of the platform and gain a greater understanding of the business operations and the brands impersonated in phishing kits, and also to collate data about victims.
And justice for all
This information was then passed on to INTERPOL, which took the lead in the ensuing law enforcement operation. A criminal intelligence report was dispatched to the Indonesian National Police’s Directorate of Cyber Crimes, and subsequently led to the arrest in 2022 of a 21-year-old suspected administrator. At the same time, multiple electronic items and luxury vehicles were seized.
Further information sharing efforts eventually led to the arrests of two suspected facilitators of 16shop’s activities. One of these individuals was detained by the Indonesian National Police; the second by the National Police Agency of Japan.
Conclusion
Ever since 2017, when Group-IB first signed a data-sharing agreement with INTERPOL, the company has played a significant role in multiple high-profile operations that have brought down criminal operations and led to the arrests of suspects.
The closure of 16shop was yet another example of how cooperation and data-sharing between private sector cybersecurity companies and international and national law enforcement agencies can truly put a stop to cybercrime. The scale of 16shop’s operations resulted in significant numbers of individuals falling victim to phishing attacks, and ensuring that these activities are stopped is at the heart of Group-IB’s core mission.
As a result, Operation Store Shutdown proudly takes its place among the 20 most notable cases solved by Group-IB’s High-Tech Crime Investigations Unit.


