Interpol takes down phishing-as-a-service platform used by 70,000 people

The phishing-as-a-service platform 16shop was taken down Tuesday as part of a global investigation led by Interpol.

Law enforcement arrested a 21-year-old Indonesian man accused of administering the platform, along with two other individuals involved in its operation — one in Indonesia and one in Japan. The police also confiscated electronic devices and a number of luxury items belonging to the suspects.

According to a report from cybersecurity firm Group-IB, which was involved in the takedown, 16shop hacking tools had been traded on cybercriminal underground forums since at least November 2017 and were sold to more than 70,000 users in 43 countries. These tools helped hackers deceive internet users through email scams and exploit their personal or banking information to extract money.

Phishing kits were designed to steal credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App. They were sold at a relatively modest cost, ranging from $60 to $150, depending on the targeted brand. The Amazon kit, for example, was nearly $90 cheaper than the American Express kit.

More than 150,000 phishing domains have been created using 16shop phishing kits, according to an analysis by Group-IB, which is based in Singapore. The platform’s customers targeted users in Germany, Japan, France, the U.S., the U.K., Thailand, and other countries. Although the suspects lived in Asia, 16shop’s servers were hosted by a company based in the U.S.

Phishing-as-a-service tools are particularly dangerous because they automate cyberattacks, allowing “any person to leverage this type of service to launch a phishing attack with a few clicks,” Interpol said in a statement.

Even cyber criminals with modest programming skills can deploy phishing pages quickly and in large numbers with the help of phishing-as-a-service kits, Group-IB said.