INTERPOL shutters '16shop' phishing-as-a-service outfit

Alleged administrator cuffed in Indonesia, associate arrested in Japan, accused of selling fake Amazons for $60

INTERPOL has revealed a successful investigation into a phishing-as-a-service operation named "16shop" with arrests of alleged operators made in Indonesia and Japan and the platform shut down.

The international police co-operation org revealed on Tuesday that a research project investigating cyber threats in the ten-nation Association of Southeast Asian Nations (ASEAN) bloc detected the existence of 16shop, which it characterized as a vendor of "phishing kits" sold to cyber crims.

INTERPOL assessed the kits as having been used to compromise 70,000 users in 43 countries.

The operation against 16Shop involved intelligence-sharing between the INTERPOL General Secretariat's cyber crime directorate, plus authorities in Indonesia, Japan and the United States. Private infosec outfits including Japan's Cyber Defense Institute, Singapore's Group-IB, Palo Alto Networks Unit 42 and Trend Micro also weighed in, with support from cyber crime investigation platform Cybertoolbelt.

Those efforts saw Indonesian National Police's Directorate of Cyber Crimes last month arrest a 21-year-old man suspected as being the admin of 16Shop. Electronic items and "several luxury vehicles" were also seized.

Japanese authorities arrested another man allegedly connected to 16shop.

Singaporean infosec outfit Group-IB's analysis of 16Shop led it to assert that over 150,000 phishing domains were created using the outfit's phishing kits.

The infosec firm believes the kits in question had been traded on the cyber criminal underground since at least November 2017, at prices ranging from $60 to $150.

"Fake pages mimicking Amazon were offered for $60, and phishing pages targeting the users of American Express for $150," the group told The Register by email.

The kits used eight languages and geolocation, so that putative victims saw localized content.

International collaboration was required because the phishing-as-a-service vendor hosted some of its operations on servers tended by a US-based company. The FBI therefore helped to secure information shared with Indonesian investigators.

Meanwhile, in Vietnam …

In a busy week for Asian infosec, Cisco Talos has spotted a Vietnam-based ransomware gang.

The unnamed group uses a variant of ransomware called "Yashma," which is a rebranded version of the "Chaos" ransomware. The gang disguises its ransomware as the notorious WannaCry, in what Talos thinks is an attempt to obfuscate the threat actor's identity and confuse incident responders.

But the group betrays its origins in a GitHub repo titled "nguyenvietphat" – a moniker that references a legitimate Vietnamese business. Cisco's researchers also found artefacts suggesting the gang prefers to be contacted during Vietnamese business hours.

While the group appears to be based in Vietnam, it has written ransom notes in English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese. That polyglot collection suggests it intends to seek targets in many nations.

The group is nasty: Cisco Talos's assessment of its ransomware is that it wipes the contents of the original unencrypted files, making life harder for those who clean up after ransomware attacks. ®

More about


Send us news

Other stories you might like