
16Shop Victim Analysis

The most popular commercial phishing kit being detected by PhishingReel at the moment is 16Shop, making up nearly 40% of all detections. I thought it may be interesting to do some analysis on the victim log data I have collected over the past week.

If you are not familiar with 16Shop or what it is, I recommend you have a read through this thread by @JCyberSec_ which gives a great overview of what it is and its history.

I've made this analysis from a sample of the total data set, consisting of victim information from just over 100 unique deployments from the past week. The scraped data consists of IP/geo/device information for those who visited the phishing site, entered credentials, or even supplied bank and credit card information.

I have parsed this data and will be focusing on analysing the cases where the victim entered credentials into the phishing page. Bear in mind that not all of these may be genuine; some visitors may instead have decided to leave a "message" for the owner of the phishing page. However, there is no way to determine this from the logs, so the numbers are presented as is. 👨‍💻

After cleansing the data and removing duplicates, I produced some basic statistics.

| Metric | Value |
|---|---|
| Unique domains | 105 |
| Countries | 135 |
| IP addresses | 13 |
| ISP's | 147 |
| IP's | 13735 |
| Total victims logged | 13936 |

Victim geolocation

From an initial eyeball of the victim data it was apparent that the US was the most targeted country across these deployments, making up almost 60% of all victims. I took the victim data and produced the graph below of the top 10 countries by victim count.

Click details for full results.

[Figure: 16shop-victim-analysis-bins_by_country (top 10 countries by victim count)]

| Country | Count |
|---|---|
| United States | 8499 |
| Australia | 1502 |
| Japan | 656 |
| United Kingdom | 378 |
| Canada | 342 |
| Spain | 259 |
| Germany | 243 |
| Mexico | 187 |
| Brazil | 155 |
| Italy | 146 |
| Belgium | 127 |
| Netherlands | 110 |
| Sweden | 89 |
| France | 72 |
| Portugal | 69 |
| Colombia | 66 |
| Ireland | 61 |
| Puerto Rico | 57 |
| Indonesia | 48 |
| Norway | 40 |
| Switzerland | 37 |
| Argentina | 36 |
| Philippines | 33 |
| Peru | 30 |
| India | 29 |
| Greece | 28 |
| Venezuela | 27 |
| Saudi Arabia | 26 |
| Thailand | 25 |
| Denmark | 23 |
| Singapore | 22 |
| Chile | 21 |
| Austria | 21 |
| Dominican Republic | 21 |
| Ecuador | 20 |
| New Zealand | 19 |
| Turkey | 18 |
| Finland | 17 |
| Cyprus | 14 |
| Malaysia | 14 |
| Costa Rica | 13 |
| Romania | 13 |
| United Arab Emirates | 13 |
| Malta | 11 |
| El Salvador | 11 |
| Uruguay | 10 |
| Egypt | 9 |
| Hong Kong | 9 |
| Israel | 9 |
| Bahamas | 9 |
| Nigeria | 9 |
| South Africa | 8 |
| South Korea | 8 |
| Luxembourg | 8 |
| Guatemala | 8 |
| Trinidad and Tobago | 7 |
| Qatar | 7 |
| Kuwait | 6 |
| Taiwan | 6 |
| Estonia | 6 |
| Bosnia and Herzegovina | 6 |
| Serbia | 5 |
| Albania | 5 |
| U.S. Virgin Islands | 5 |
| Morocco | 5 |
| Panama | 5 |
| Vietnam | 5 |
| Bolivia | 5 |
| Croatia | 5 |
| Curaçao | 4 |
| Hungary | 4 |
| China | 4 |
| Angola | 4 |
| North Macedonia | 4 |
| Paraguay | 3 |
| Belize | 3 |
| Slovenia | 3 |
| Slovakia | 3 |
| Saint Vincent and the Grenadines | 3 |
| Honduras | 3 |
| Russia | 3 |
| Sri Lanka | 3 |
| Guam | 3 |
| French Guiana | 2 |
| Algeria | 2 |
| Suriname | 2 |
| Bahrain | 2 |
| Ukraine | 2 |
| Jamaica | 2 |
| Senegal | 2 |
| Pakistan | 2 |
| Oman | 2 |
| Kenya | 2 |
| Lebanon | 2 |
| Cameroon | 2 |
| Cayman Islands | 2 |
| Georgia | 2 |
| Czechia | 2 |
| Iraq | 2 |
| Tanzania | 1 |
| Turks and Caicos Islands | 1 |
| Syria | 1 |
| Seychelles | 1 |
| Jersey | 1 |
| Poland | 1 |
| Andorra | 1 |
| Anguilla | 1 |
| Antigua and Barbuda | 1 |
| Aruba | 1 |
| Azerbaijan | 1 |
| Bangladesh | 1 |
| Barbados | 1 |
| Bonaire, Sint Eustatius, and Saba | 1 |
| Brunei | 1 |
| Ghana | 1 |
| Gibraltar | 1 |
| Guernsey | 1 |
| Guyana | 1 |
| Hashemite Kingdom of Jordan | 1 |
| Iceland | 1 |
| Iran | 1 |
| Isle of Man | 1 |
| Latvia | 1 |
| Liberia | 1 |
| Martinique | 1 |
| Mauritius | 1 |
| Montenegro | 1 |
| Nepal | 1 |
| New Caledonia | 1 |
| Nicaragua | 1 |
| Northern Mariana Islands | 1 |
| Palau | 1 |
| Saint Lucia | 1 |
| Zimbabwe | 1 |

US victim analysis

Among the US victims it was also clear that the vast majority were accessing these phishing pages via mobile devices. 📲 This is not entirely surprising, as use of mobile devices to browse the web continues to increase. It is also generally harder for mobile users to discern between legitimate and malicious websites within a mobile browser, especially when these kits are responsive/"mobile friendly".

[Figure: 16shop-victim-analysis-device_pie_chart (US victims by device type)]

A top 10 of the ISP information shows these are primarily from consumer home and mobile internet providers.

| ISP | Count |
|---|---|
| Comcast Cable Communications, LLC | 1412 |
| Charter Communications | 1379 |
| Verizon Wireless | 817 |
| AT&T Corp. | 762 |
| T-Mobile USA, Inc. | 600 |
| AT&T Mobility LLC | 583 |
| Verizon Business | 435 |
| Sprint Communications, Inc. | 315 |
| Cox Communications Inc. | 290 |
| CenturyLink Communications, LLC | 252 |

From looking at the less common ISP and IP information, it's also possible to identify some potential victims from particular locations or businesses. Some of these included individuals located at:

  • Decatur Manor Healthcare, a care facility for the chronically or mentally ill.
  • University of Texas Medical Branch
  • University of Arkansas for Medical Sciences
  • Acucraft Fireplaces, a luxury fireplace maker based in Minnesota
  • Bickerstaff Parham LLC, a real estate firm
  • Cornell University

The victim logs also contained data on those who had supplied bank details; however, these records could not be correlated with login activity. From the data collected it was evident that bank details had been provided 3389 times, with (unsurprisingly) the majority of these originating from the US.

Click details for full results.

[Figure: 16shop-victim-analysis-bins_by_country (bank details supplied, by country)]

| Country | Count |
|---|---|
| United States | 2277 |
| Japan | 176 |
| United Kingdom | 121 |
| Australia | 112 |
| Spain | 80 |
| Mexico | 57 |
| Italy | 56 |
| Canada | 48 |
| Brazil | 37 |
| Germany | 32 |
| Sweden | 30 |
| Colombia | 19 |
| Norway | 19 |
| Portugal | 17 |
| Puerto Rico | 15 |
| Belgium | 15 |
| Philippines | 14 |
| France | 14 |
| Ireland | 13 |
| Argentina | 11 |
| Indonesia | 10 |
| Denmark | 9 |
| Saudi Arabia | 8 |
| Netherlands | 7 |
| Switzerland | 7 |
| Greece | 7 |
| El Salvador | 7 |
| Venezuela | 7 |
| Chile | 7 |
| Finland | 6 |
| Singapore | 6 |
| Ecuador | 5 |
| Dominican Republic | 5 |
| Trinidad and Tobago | 5 |
| Israel | 5 |
| Cyprus | 5 |
| Serbia | 5 |
| Romania | 5 |
| Uruguay | 4 |
| Bahamas | 4 |
| New Zealand | 4 |
| Nigeria | 4 |
| Saint Vincent and the Grenadines | 3 |
| Peru | 3 |
| Malta | 3 |
| South Korea | 3 |
| United Arab Emirates | 3 |
| Egypt | 3 |
| Kuwait | 3 |
|  | 3 |
| Costa Rica | 3 |
| Croatia | 3 |
| Estonia | 3 |
| Curaçao | 3 |
| India | 3 |
| Guatemala | 2 |
| Senegal | 2 |
| Czechia | 2 |
| Sri Lanka | 2 |
| Hong Kong | 2 |
| Angola | 2 |
| Taiwan | 2 |
| Bolivia | 2 |
| Thailand | 2 |
| Guam | 2 |
| Paraguay | 2 |
| Turkey | 2 |
| U.S. Virgin Islands | 2 |
| North Macedonia | 2 |
| Malaysia | 2 |
| Luxembourg | 2 |
| Antigua and Barbuda | 1 |
| Algeria | 1 |
| Austria | 1 |
| Albania | 1 |
| South Africa | 1 |
| Georgia | 1 |
| Honduras | 1 |
| Seychelles | 1 |
| Guernsey | 1 |
| Kenya | 1 |
| Saint Lucia | 1 |
| Russia | 1 |
| Qatar | 1 |
| Bahrain | 1 |
| Bonaire, Sint Eustatius, and Saba | 1 |
| Hungary | 1 |
| Cameroon | 1 |
| Iceland | 1 |
| Cayman Islands | 1 |
| Nepal | 1 |
| Jamaica | 1 |
| Slovenia | 1 |
| Northern Mariana Islands | 1 |

[Figure: 16shop-victim-analysis-bins_by_bank (top 10 banks by victim count)]

It was also possible to produce a top 10 of banks whose customers had fallen victim to these phishing sites.

During analysis it became clear there were certain similarities between the victim logs.

My focus had been on analysing victim data where the user had entered sensitive information. However, all clicks/visits to the sites are also logged, regardless of whether the user entered information at any point. A common thread across a large portion of these deployments was the first few visits.

Looking at the first visitor to each deployment, almost 40% came from Indonesian IP addresses before the deployment then logged US victims or victims based in other geolocations. This would indicate that a portion of the threat actors "test" their deployment once it is live, before sending out phishing/smishing to their intended victims. It also indicates that a large part of the 16Shop customer base is located in Indonesia.

Some of these "visitors" can be tracked across several domains, indicating the same threat actor was behind their creation.


In total there were 38246 visits recorded with 29551 of those being unique. With the total victim count, this shows these 16Shop kits have had an average 47% success rate. 😰
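The steps the analysis above walks through (dedupe the scraped records, rank victims by country, check where each deployment's first visitor came from, and divide unique victims by unique visits) as an added example that is not part of the original post or of 16Shop itself. The record layout and the sample rows are constructed for this example; the real kit's log format is not reproduced here.

```python
from collections import Counter

# Constructed sample records: (deployment domain, visitor ip, country, entered_credentials).
# Addresses are documentation ranges, not indicators from the analysis.
SAMPLE_RECORDS = [
    ("kit-a.example", "203.0.113.5",   "ID", False),  # first visit: looks like an operator test
    ("kit-a.example", "198.51.100.7",  "US", True),
    ("kit-a.example", "198.51.100.7",  "US", True),   # duplicate submission, dropped by dedupe()
    ("kit-a.example", "198.51.100.9",  "US", False),
    ("kit-b.example", "198.51.100.20", "AU", True),
    ("kit-b.example", "198.51.100.21", "US", False),
    ("kit-b.example", "198.51.100.22", "US", True),
    ("kit-c.example", "203.0.113.30",  "ID", False),
    ("kit-c.example", "198.51.100.40", "JP", True),
]


def dedupe(records):
    """Drop repeat rows for the same (deployment, ip, submitted-credentials) triple,
    keeping the first occurrence so log order is preserved."""
    seen, out = set(), []
    for rec in records:
        key = (rec[0], rec[1], rec[3])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def victims_by_country(records):
    """Credential submissions per country, most common first."""
    return Counter(r[2] for r in records if r[3]).most_common()


def first_visitor_share(records, country):
    """Fraction of deployments whose earliest logged visit came from `country`."""
    first = {}
    for rec in records:            # records are in log order, so first seen wins
        first.setdefault(rec[0], rec[2])
    return sum(1 for c in first.values() if c == country) / len(first)


def click_to_phish_ratio(records):
    """Unique victims (deployment, ip) divided by unique visits (deployment, ip)."""
    uniq = dedupe(records)
    visits = {(r[0], r[1]) for r in uniq}
    victims = {(r[0], r[1]) for r in uniq if r[3]}
    return len(victims) / len(visits)
```

With the constructed rows, the dedupe removes one repeat submission, two of the three deployments were first visited from Indonesia, and half of the unique visitors went on to submit credentials.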


Summary of findings

  • 60% of all victims are US based
  • The vast majority of victims were using mobile devices
  • 40% of deployments appear to originate from Indonesia
  • Deployments have an average 47% click to phish ratio

These results go to show that commercial kits like 16Shop are highly targeted, effective and simple to use, which lowers the bar for potential fraudsters wanting to make a quick buck.