Under Attack? Breach Response Hotline: Call 833.997.7327 (US/CAN)

Phishing Kit

SpearTip | March 3rd, 2021

 

According to BleepingComputer, the developer of the 16Shop phishing platform has added a new phishing kit that targets users of the popular Cash App mobile payment service. Deployment of the new 16Shop product started as soon as it became available, luring potential victims into providing sensitive details that would give fraudsters access to the account and the associated payment information. 16Shop is a complex phishing kit from a developer known as DevilScream, who set up a protection mechanism against unlicensed use and research activity.

Details of the Phishing Kit

The phishing kit is commercially available and localized in multiple languages. Until recently, it provided code and templates to steal login credentials and payment card details for PayPal, Amazon, Apple, and American Express. Towards the end of February, though, a new option targeting Cash App accounts became available in the 16Shop store with a $70 price tag. The app is immensely popular, with more than 10 million installations on Android and over 1.6 million ratings giving it 4.7 out of 5 stars in the App Store. Security researchers from cybersecurity company ZeroFOX obtained the new Cash App phishing kit on February 25, which was just a day after the final compile time.

It appears that fraudsters rushed to get and deploy it: researchers spotted multiple deployments within a day of 16Shop offering the Cash App phishing kit. This is a strong indication that the fraud store has plenty of customers who trust 16Shop enough to jump at every opportunity it provides to steal sensitive information from widespread services. ZeroFOX says that the kit has the same base code as the others, and the template mimics the legitimate Cash App site and login workflow as closely as possible.

Victims are lured to the phishing page through emails and SMS messages that warn of a security issue that led to the Cash App account being locked. A click on the fraudulent link triggers a series of checks before the phishing page loads. The visitor’s IP address, user agent, and ISP details are collected and processed to determine whether the visit comes from an automated action (security checks, web crawlers) or a potential victim.

The defenses against bots and indexing activity are present in the Cash App phishing kit as in the other 16Shop kits. The image below shows how the PHP code calls the antibot service, which provides blocking controls for bots and web crawlers. If the victim takes the bait and provides their email address, they see a security notification about unusual activity that led to locking the account.

To regain access, the victim has to provide sensitive details “to confirm identity.” This includes the following:

  • Cash App PIN
  • email address
  • password
  • full name and address
  • Social Security Number
  • payment card details
  • an identification document (state ID, driver’s license)
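
The field list above can be turned into a triage heuristic for suspect pages. The following is an added example, not code from the kit, ZeroFOX, or SpearTip: it parses a page's form controls and flags a page that sits off the legitimate host yet asks for two or more of the high-risk items. The keyword patterns, the `cash.app` allow-list entry, the threshold, and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Categories mirror the list above; the keyword patterns are assumptions.
PATTERNS = {
    "pin": r"(?<![a-z])pin(?![a-z])",
    "email": r"e-?mail",
    "password": r"passw|pwd",
    "name_address": r"full.?name|(?<!mail)(?<!mail.)address",
    "ssn": r"ssn|social.?sec",
    "card": r"card.?(num|no)|cvv|cvc|expir",
    "id_document": r"licen[sc]e|state.?id|id.?(doc|front|back|photo)",
}
HIGH_RISK = {"pin", "ssn", "card", "id_document"}

class FieldCollector(HTMLParser):
    """Builds a lowercase descriptor for each visible form control."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag not in ("input", "select", "textarea") or a.get("type") == "hidden":
            return
        desc = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        # A file upload in a login flow is treated as an ID-document request.
        self.fields.append(desc + (" id_doc" if a.get("type") == "file" else ""))

def requested_categories(html):
    collector = FieldCollector()
    collector.feed(html)
    return {cat for cat, rx in PATTERNS.items()
            if any(re.search(rx, f) for f in collector.fields)}

def is_suspicious(html, host, legit_hosts=("cash.app",)):
    """True when a page off the legitimate host asks for >= 2 high-risk items."""
    on_legit = any(host == h or host.endswith("." + h) for h in legit_hosts)
    return not on_legit and len(requested_categories(html) & HIGH_RISK) >= 2

# Constructed sample pages (not taken from the kit).
PHISH_PAGE = """<form method="post">
<input name="pin" type="password" placeholder="Cash App PIN">
<input name="ssn" placeholder="Social Security Number">
<input name="card_number"><input name="full_name">
<input type="file" name="id_front"></form>"""
LOGIN_PAGE = """<form method="post">
<input type="email" name="email_address">
<input type="password" name="password"></form>"""

if __name__ == "__main__":
    print(sorted(requested_categories(PHISH_PAGE)))
    print(is_suspicious(PHISH_PAGE, "cash-app-verify.example"))
```

A heuristic like this suits URL triage or mail-gateway sandboxing, where the rendered page is already available; because the kit cloaks itself from crawlers, a page that returns no form at all is not evidence that the link is benign.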

SpearTip’s experts recommend users be wary of what they’re clicking on the internet. Social engineering is the main way threat actors can take advantage of users. By posing as popular applications or sites, they look to fool users who are not familiar with the platforms.

Cash App is an online payment service where important financial credentials are stored so that users can use the app. Understand where your important information is held and ensure you’re logging in to legitimate platforms with multi-factor authentication. Legitimate applications and programs will almost never request the information listed above in order to log in.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.
