According to BleepingComputer, the developer of the 16Shop phishing platform has added a new component that targets users of the popular Cash App mobile payment service. Deployment of the new 16Shop product started as soon as it became available, luring potential victims into providing sensitive details that would give fraudsters access to the account and the associated payment information. 16Shop is a complex phishing kit from a developer known as DevilScream, who set up a protection mechanism against unlicensed use and research activity.

The kit is commercially available and localized in multiple languages. Until recently, it provided code and templates to steal login credentials and payment card details for PayPal, Amazon, Apple, and American Express. Towards the end of February, though, a new option targeting Cash App accounts became available in the 16Shop store with a $70 price tag. The app is immensely popular, with more than 10 million installations on Android and over 1.6 million ratings giving it 4.7 out of 5 stars in the App Store. Security researchers from cybersecurity company ZeroFOX obtained the new Cash App phishing kit on February 25, which was just a day after the final compile time.

It appears that fraudsters rushed to get and deploy it, as researchers spotted multiple deployments within a day of 16Shop offering the Cash App phishing kit. This is a strong indication that the fraud store has plenty of customers who trust 16Shop enough to jump at every opportunity it provides to steal sensitive information from widespread services. ZeroFOX says that the kit has the same base code as the others, and the template mimics the legitimate Cash App site and login workflow as closely as possible.

Getting victims to the phishing page is done through emails and SMS messages that alert on a security issue that led to locking the Cash App account. A click on the fraudulent link triggers a series of checks before loading the phishing page. The visitor’s IP address, their user agent, and ISP details are collected and processed to determine an association with an automated action (security checks, web crawlers) or a potential victim.
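A mail or SMS filter can triage this lure by combining the three signals described above: the brand name, account-lock wording, and a link whose host is not the real service. The following is an added example, not code from the article or from ZeroFOX; the trusted-host list, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as legitimate for Cash App links (not from the article).
TRUSTED_HOSTS = {"cash.app"}
BRAND = re.compile(r"cash\s*app", re.I)
# Wording typical of the lure: a security issue that locked the account.
LOCK_TERMS = re.compile(
    r"\b(locked|suspended|unusual activity|security (issue|alert)|verify)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)


def is_trusted(host: str) -> bool:
    """True only for a trusted host or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(message: str) -> dict:
    """Flag messages that name the brand, use lock wording and link off-domain."""
    # urlsplit().hostname ignores userinfo, so "cash.app@other.example" resolves
    # to other.example, and "cash.app.other.example" fails the suffix check.
    hosts = [urlsplit(u).hostname or "" for u in URL.findall(message)]
    untrusted = [h for h in hosts if not is_trusted(h)]
    brand = bool(BRAND.search(message))
    lock = bool(LOCK_TERMS.search(message))
    return {"untrusted_hosts": untrusted,
            "suspicious": brand and lock and bool(untrusted)}


# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Cash App: your account is locked due to a security issue. "
    "Restore: https://cash.app.login-check.example/verify",
    "CashApp alert: unusual activity detected, verify now "
    "http://cash-app-support.example/unlock",
    "Cash App: you received $20. View it at https://cash.app/activity",
    "Your parcel is delayed, track it at https://tracking.example/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg)["suspicious"], "|", msg)
```

The first two samples are flagged and the last two are not; a hit is a reason to quarantine or review the message, not proof of phishing.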

The defenses against bots and indexing activity are present in the Cash App phishing kit as in the other 16Shop kits. The image below shows how the PHP code calls the antibot service, which provides blocking controls for bots and web crawlers. If the victim takes the bait and provides their email address, they see a security notification about unusual activity that led to locking the account.

To regain access, the victim has to provide sensitive details “to confirm identity.” This includes the following:

  • Cash App PIN
  • email address
  • password
  • full name and address
  • Social Security Number
  • payment card details
  • an identification document (state ID, driver’s license)


SpearTip’s experts recommend that users be wary of what they click on the internet. Social engineering is the main way threat actors can take advantage of users. By posing as popular applications or sites, they look to fool users who are not familiar with the platforms.

Cash App is an online payment service where important financial credentials are stored so that users can use the app. Understand where your important information is held and ensure you’re logging in to legitimate platforms with multi-factor authentication. The information requested by the threat actors above will almost never be required to log in to an application or program.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.