New research has revealed the creator of the commercially
available 16Shop phishing kit is double dipping and is surreptitiously capturing
the information stolen by his customers.

Akamai researcher Amiram Cohen said the alleged developer, an Indonesian
the company believes goes by the handle Riswanda, has no qualms about taking
advantage of the criminals who license his phishing kit and has installed a
backdoor that makes a copy of the data being stolen and then stores it on
Telegram.

The backdoor was discovered while researchers sifted through
the malware’s code and came across the snippet extract(valid($valid($image($data,5126)))); which was hidden in
an American Express image using steganography. This level of obfuscation leads
Cohen to believe that those using this kit are themselves being ripped off.

“The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim’s data is siphoned off and sent to the Telegram bot via API calls,” Cohen reported.

The phishing kit itself is described by Cohen as “highly
sophisticated,” capable of altering its layout and presentation for mobile and
desktop victims, and it supports 10 languages. And while Riswanda has no problems
stealing from his customers, he makes sure they cannot copy his malware by
installing code protections that stop it from operating if the license is
invalidated.