What goes around comes around: Researchers find backdoor in pirated Apple phishing kit

Researchers at cybersecurity company Akamai Technologies have found a backdoor in a bootlegged version of 16Shop.

Criminals accustomed to planting backdoors in software may be getting a taste of their own medicine.

Researchers at cybersecurity company Akamai Technologies have found a backdoor in a bootlegged version of 16Shop, a popular phishing kit marketed to criminals targeting Apple users. The data leaks to a channel on the encrypted messaging service Telegram, meaning a victim’s data could be stolen by anyone using the pirated kit, but also by anyone accessing the channel.

“Someone spent a lot of time and effort to build a really good toolkit and to get more money out of that” by planting the backdoor, said Or Katz, principal lead security researcher at Akamai, which published research on 16Shop on Tuesday. The phishing kit consists of hundreds of files, including login pages that spoof targeted platforms.

Industry analysts have been tracking 16Shop since at least last year, and have traced the kit’s development to an Indonesian person known as Riswanda or ‘devilscream.’ While Riswanda may have questionable operational security, the kit’s success has come from giving its users the ability to avoid detection. For example, 16Shop can block a list of IP addresses communicating with it in an attempt to avoid the prying eyes of security researchers.


16Shop has an estimated market price of $50, according to Steve Ragan, a security researcher at Akamai. While it is unclear how many victims the phishing gear has claimed, it is being actively maintained, sold, and reused by criminals, according to Akamai.

“It’s a true multi-level kit, running different stages for different brands, depending on the information the victim provides,” Katz and his colleague Amiram Cohen wrote in a blog post. “It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation.”

The data that 16Shop can funnel from a user is manifold; a victim’s Apple credentials are the first in a series of potential targets. By activating other features, an attacker could try to phish users of Gmail, Hotmail, and Yahoo, according to Akamai. A third stage of the attack spoofs the “Verified by Visa” login page to try to swipe users’ credit card data.  The attacker can also ask a U.S. target victim for a Social Security number. The perpetrator can transmit or store the stolen data at each stage, or save it all for one data dump.

For Katz, 16Shop is an example of the “industrialism of phishing” – a way for criminals to scale malicious lures that goes beyond the aimless spraying used in less sophisticated approaches. And for that reason, he said, phishing kits like 16Shop cannot be ignored.

“In a way, phishing is the first step in a chain of a much more sophisticated attack that can happen,” Katz told CyberScoop. “The most important thing we can do as a security community is to create much more awareness around those types of attacks.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts