Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Phishing Campaign Tied to Amazon Prime Day

Fraudsters Use Phishing Kit Called 16Shop, McAfee Reports
Phishing Campaign Tied to Amazon Prime Day

In the run-up to Amazon Prime Day, some of the company's customers were being targeted by a phishing kit called 16Shop, according to researchers at McAfee.

These phishing attacks, which use a kit called 16Shop, had targeted Apple users in late 2018. This time, Amazon users were targeted in the days leading up to Amazon Prime Day, a sales event taking place Monday and Tuesday, according to McAfee.

See Also: OnDemand | API Protection – The Strategy of Protecting Your APIs

Some Amazon customers across the U.S. and Japan were being targeted by the phishing kit, which starts out by sending a link request to customers asking them to update their Amazon account information, McAfee says.

Phishing for Dollars

An email with an attached PDF file was received by some Amazon users. It attempted to redirect them to a phishing site that tricks users into updating their personal information, including payment and contact details, according to McAfee.

Fake Amazon login page and PHP coding of the phishing kit (Image: McAfee)

In a July 12 blog, McAfee researchers Oliver Devane and Rafael Pena wrote that the attackers were targeting customers ahead of Amazon Prime Day, a 36-hour-long equivalent of Cyber Monday, when the e-commerce giant offers discounts and deals on its numerous products.

In the U.S. alone, the company is believed to have as many as 101 million Amazon Prime customers, according to an analysis by Consumer Intelligence Research Partners.

Like most phishing kits,16Shop emails credit card and account details entered into a spoofed site directly to its authors and stores a local copy in other text files. It also includes a local blacklist, which can block certain IP addresses from accessing the website, according to McAfee.

"This blacklist contains lots of IPs of security companies, including McAfee. The blacklisting prevents malware researchers from accessing the phishing sites," the researchers wrote in their blog.

The activities of 16Shop first came to the McAfee researchers notice in May, when several security blogs published analyses of the kit to show how a new version includes a backdoor that sends user data to its authors.

On closer inspection, security researchers were able to link the source code to the 2018 attack using the kit that targeted Apple users in November. Only this time, the backdoor was added by a second malicious actor and not the original author of the first 16Shop, according to the McAfee analysis.

"In May 2019, we found a new phishing kit that was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16Shop kit targeting Apple users back in November 2018," Devane and Pena write in their blog.

The researchers discovered close to 200 URLs associated the phishing kit, according to McAfee.

Elusive Past

The McAfee researchers have traced the author of the 16Shop kit to persona named DevilScreaM, who is believed to have created the phishing kit in late 2017.

An active member of the Indonesian Cyber Army, DevilScreaM was also involved in the 2012 defacing of websites led by the group, according to McAfee.

DevilScreaM, whose identity remains unknown, has also been instrumental in creating, an Indonesian site dedicated for hacking tools and are frequented by the members of the Indonesian Cyber Army, according to McAfee.

Apart from creating 16Shop, DevilScreaM is also known to have authored two e-books on website hacking and penetration testing, according to the analysis. The McAfee researchers wrote that this hacker continues to have an unabated social media presence, with regular postings in GitHub and Facebook group that he has created to sell licenses and support.

"We checked the group in mid-June 2019 and it now has over 300 members and over 200 posts," the McAfee researchers say.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.