Interpol Busts Phishing-as-a-Service Platform ’16Shop,’ Leading to 3 Arrests

Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan.

16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App, among others.

“Victims typically receive an email with a pdf file or link that redirects to a site requesting the victims’ credit card or other personally identifiable information,” Interpol said. “This information is then stolen and used to extract money from the victims.”

No less than 70,000 users across 43 countries are estimated to have been compromised via services offered on 16Shop.

The law enforcement operation has also led to the arrest of the site’s administrator, a 21-year-old Indonesian national, along with seizing electronic items and several luxury vehicles in the process. Two other suspected facilitators, one each in Indonesia and Japan, have been apprehended based on additional intelligence.

Singapore-based cybersecurity firm Group-IB, which partook in the efforts, said over 150,000 phishing domains were created using the phishing kits to target users in Germany, Japan, France, the U.S., the U.K., and Thailand, among others.

The phishing kits were peddled on underground forums for anywhere between $60 and $150 based on the brand impersonated since at least November 2017, with the bogus pages supporting more than eight languages to serve content based on the victim’s geolocation.

“Phishing kits represent archive files with a set of scripts that ensure the work of a phishing website,” the company said. “This toolset enables cybercriminals with modest programming skills to deploy phishing pages quickly and in large numbers, often using them as substitutes for each other.”

The disclosure comes as the international police organization said it has seized more than €2 million in connection with a crackdown on West African organized crime dubbed Operation Jackal.

To that end, the cross-border exercise has resulted in the blockade of 208 bank accounts linked to the illicit proceeds of online financial crime, 103 arrests, and the identification of 1,110 suspects.

“Black Axe, and an increasing number of other West African organized crime syndicates, is a violent mafia-style gang renowned for cyber-enabled financial fraud, in particular business email compromise schemes, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering,” the agency noted.

The development also follows the shutdown of a bulletproof hosting service called Lolek Hosted undertaken by the U.S. government as part of a coordinated law enforcement action in partnership with Poland.