Phishers the world over have been patronizing and utilizing the 16shop phishing kit since at least 2018. The kit’s users have been known to steal data and money from the customers of some of today’s biggest brands, including Amazon, American Express, and PayPal.

Last month, INTERPOL reported that Indonesian and Japanese law enforcers finally nabbed two of 16shop’s operators. Trend Micro published a detailed study of 16shop’s operations, along with a list of indicators of compromise (IoCs) comprising 29 domains and eight IP addresses.

The Threat Intelligence Platform (TIP) research team expanded the current list of IoCs to check for signs, if any, of 16shop’s continued online presence and operation. Our DNS deep dive led to the discovery of:

• Five unreported IP addresses to which four of the domains identified as IoCs resolved, two of which are currently detected by various engines as malware hosts
• 30 domains hosted on connected IP addresses, one of which is classified as malicious based on a bulk malware check
• 18,688 domains containing the brand names being abused in the campaigns Trend Micro analyzed, 337 of which are already considered malicious based on a bulk malware check

A sample of the additional artifacts obtained from our analysis is available for download from our website.

16shop Infrastructure According to the IoCs

The 16shop phishing kit operators reportedly utilized at least 37 web properties for distribution. According to the results of our TIP lookups:

• Only six of the 29 domains identified as IoCs remained active to this day.
• Each active domain fell under the purview of a different registrar.
• The oldest (5g-att[.]co) was created on 12 August 2021 while the newest (16shop[.]online) was created on 14 August 2023.
• One of the domains (16shop[.]us) had a publicly avilable registrant name on record.
• The six domains were spread across three registrant countries. Four were registered in the U.S. and one each in Canada and Iceland.
• Seven of the IP addresses identified as IoCs originated from Singapore with DigitalOcean LLC as their Internet service provider (ISP) while one pointed to the Czech Republic with Josef Skoda.

None of the domains’ registrant countries coincided with the IP addresses’ geolocations.

Unreported 16shop Phishing Kit Artifacts

We extended the reach of our TIP lookups to search for other 16shop connections that may not have been identified to date. We found out that four of the domains identified as IoCs continued to resolve to five IP addresses that aren’t part of the current list. Two of them—15[.]197[.]130[.]221 and 199[.]59[.]243[.]224—are already being detected as malicious based on malware checks.

The geolocation countries of the five newly discovered IP address resolutions were more consistent with the domain IoCs’ registrant countries. Four of them pointed to the U.S. as their origin while one originated from Canada. None of them, however, shared the IP IoCs’ ISPs, as four of them were instead managed by Amazon and one by Web-hosting.com.

We also discovered that three of the IP addresses (one already identified as an IoC and two newly found resolutions) were seemingly dedicated. Altogether, they hosted 30 domains, one of which—myfqrrf[.]cn—is already classified as malicious.

Further scrutiny of the WHOIS records of the domains identified as IoCs earlier revealed that 16shop[.]us had a publicly viewable registrant name. A historical WHOIS search for other domains that may have the same registrant name on record led to the discovery of nine such properties. Only one of them, apart from the 16shop IoC, had a current WHOIS record. The domain shins-splints[.]co[.]uk, created on 20 June 2023, was administered by Namecheap, Inc.

A closer look at the domain IoCs also allowed us to identify seven widely patronized brands, namely:

• Verizon (verizon)
• T-Mobile (tmobile)
• Outlook (outlook)
• Sprint (sprint)
• Netsuite (netsuite)
• Apple (apple.)
• AT&T (-att.)

We used variants of their brand names akin to those used in the 16shop IoCs—the text strings in parentheses—to search for unnamed web properties that could have been or be weaponized to victimize other users in malicious campaigns. We limited our lookups to only include those created just this year. We also made sure to include other characters that appeared in the domains identified as IoCs to reduce false positives.

Our domain search uncovered 18,688 domains, 337 of which are already being detected as malicious. We chose not to analyze the netsuite-containing domains since netsuite[.]com’s WHOIS record details have been redacted. Note, too, that the strings tmobile and sprint both appeared in some of the brand-containing domains since their merger. Based on WHOIS record comparisons, only 39 of the 18,328 domains containing the strings verizon, tmobile and/or sprint, outlook, apple., and -att. could be publicly attributed to the four companies.

Our 16shop phishing kit IoC expansion analysis revealed that despite the recent capture of two of the tool operators, some of their web properties and possibly connected artifacts remain active to date. The investigation also unveiled thousands of domains that could be weaponized to launch impersonation attacks targeting Verizon, T-Mobile (including Sprint), Microsoft Outlook, Netsuite, Apple, and AT&T and their customers.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.