# Happy 16shop hunting

## What is 16shop?

16shop is an infamous phishing kit that targets Apple users.

- ref.
  - [Analysis of Phishing mail. Drone bought from Apple.](http://netsecops.info/bought-a-drone-from-apple-really/)
  - [Indonesian Spam Communities](http://www.deependresearch.org/2018/09/indonesian-spam-communities.html)

It is known that you can look up information about the owner who runs a 16shop phishing website by sending an HTTP request to `16shop[.]online`.

```shell=
$ http -f POST http://16shop.online/api/setting/get_setting.php domain=DOMAIN
```

Can I automate 16shop hunting tasks? (gathering 16shop domains, fetching owner's information, etc.)

Let's try it!

## Gathering phishy domains

Let's grab phishy domains which contain `apple`.

```shell=
$ curl -s "https://urlscan.io/api/v1/search/?q=PhishTank%20OR%20OpenPhish%20OR%20CertStream-Suspicious" | jq -r '.results[] | select(.page.domain | match("apple")) | .page.domain'
idapple-maps[.]com
www.idapple-maps[.]com
appleid.apple.payment-account218[.]com
www.appleid.apple.com.app-stores[.]me
appleid.apple.com.app-stores[.]me
manage-account-locked-services.apple-accountconfirmation[.]com
apple-accountconfirmation[.]com
appleid.apple.servicemyaccount-resulotioncentrebilling[.]com
```

OK, let's save the domains as `domains.txt`. Some of them might be 16shop domains.

```shell=
$ curl -s "https://urlscan.io/api/v1/search/?q=PhishTank%20OR%20OpenPhish%20OR%20CertStream-Suspicious" | jq -r '.results[] | select(.page.domain | match("apple")) | .page.domain' > domains.txt
```

## Fetching owner's information

Let's write a Ruby script for checking & fetching 16shop information.

```ruby
require "json"
require "httpx"

url = "http://16shop.online/api/setting/get_setting.php"
domains = File.readlines("domains.txt").map(&:chomp)
domains.each do |domain|
  res = HTTPX.post(url, form: { domain: domain })
  json = JSON.parse(res.body.to_s)
  p json
end
```

```shell
$ ruby test.rb
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>nil, "lock_platform"=>nil, "sender_mail"=>nil, "site_parameter"=>nil, "site_password"=>nil, "site_param_on"=>nil, "site_pass_on"=>nil, "send_login"=>nil, "mix_result"=>nil, "get_photo"=>nil, "get_vbv"=>nil,"get_email"=>nil, "get_bank"=>nil, "double_cc"=>nil, "onetime"=>nil, "encrypt_html"=>nil, "block_host"=>nil, "block_ua"=>nil, "block_iprange"=>nil, "block_isp"=>nil, "block_vpn"=>nil, "theme"=>nil, "letter"=>nil}
{"email_result"=>"juriah170777@gmail.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"19plus", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
...
```

It works, but the output is noisy: many domains come back with every field set to `nil`. Let's keep only the responses whose `email_result` is not `nil`. (Note that the script has no error handling: `JSON.parse` raises on a body that is not JSON, so a single bad response ends the run.)

```ruby
require "json"
require "httpx"

url = "http://16shop.online/api/setting/get_setting.php"
domains = File.readlines("domains.txt").map(&:chomp)
domains.map do |domain|
  res = HTTPX.post(url, form: { domain: domain })
  JSON.parse(res.body.to_s)
end.reject do |json|
  json["email_result"].nil?
end.each do |json|
  p json
end
```

```shell
$ ruby test.rb
{"email_result"=>"juriah170777@gmail.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"19plus", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
{"email_result"=>"result.seleketeb@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"redirection_page", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"", "get_photo"=>"", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
{"email_result"=>"santana.sigh@yandex.com", "lock_platform"=>"", "sender_mail"=>"skychordvip@vipsky.com", "site_parameter"=>"16shop", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on","mix_result"=>"", "get_photo"=>"", "get_vbv"=>"on", "get_email"=>"on", "get_bank"=>"", "double_cc"=>"", "onetime"=>"", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"locked"}
{"email_result"=>"ayahsate@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"reset", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"", "mix_result"=>"on", "get_photo"=>"", "get_vbv"=>"", "get_email"=>"on", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"classic", "letter"=>"invoice"}
{"email_result"=>"kardusbekas02@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"verify", "site_password"=>"update", "site_param_on"=>"on", "site_pass_on"=>"on", "send_login"=>"on", "mix_result"=>"", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"on", "block_host"=>"on", "block_ua"=>"", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"", "theme"=>"classic", "letter"=>"locked"}
{"email_result"=>"rogresult@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"t4ng4us", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"on", "get_photo"=>"on", "get_vbv"=>"on", "get_email"=>"", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"", "theme"=>"apple", "letter"=>"locked"}
{"email_result"=>"rezultaustralia@yandex.com", "lock_platform"=>"", "sender_mail"=>"admin@16digit.shop", "site_parameter"=>"Verify", "site_password"=>"16shop", "site_param_on"=>"on", "site_pass_on"=>"", "send_login"=>"on", "mix_result"=>"on", "get_photo"=>"", "get_vbv"=>"", "get_email"=>"on", "get_bank"=>"on", "double_cc"=>"", "onetime"=>"on", "encrypt_html"=>"", "block_host"=>"on", "block_ua"=>"on", "block_iprange"=>"on", "block_isp"=>"on", "block_vpn"=>"on", "theme"=>"apple", "letter"=>"invoice"}
...
```

Got it! Let's enjoy happy hunting. :D

---

written by [@ninoseki](https://twitter.com/ninoseki)