Trend Micro Helps INTERPOL Dismantle Phishing-as-a-Service Operation

Trend Micro has announced that its close cooperation with law enforcement has led to another major win after the dismantling of a prolific phishing-as-a-service (PaaS) operation.

Jon Clay, VP of threat intelligence at Trend: “Trend has been a committed partner of INTERPOL for many years, so when the call came for help, we didn’t waste a second. As this takedown proves once again, public-private partnerships backed by powerful threat intelligence can be a force multiplier for international cybercrime investigations.”

Trend Micro was first approached by INTERPOL in 2020 when the policing alliance requested threat intelligence regarding PaaS site 16shop. The platform sold phishing kits designed to lower the barrier to entry to budding cybercriminals, enabling them to scale scam campaigns with ease.

Through its research, Trend found and reported to INTERPOL that:

  • Attacks supported by 16shop were particularly prevalent in Japan, as well as the U.S. and Germany.
  • Customers of 16shop were able to craft phishing pages to harvest Amazon, American Express, PayPal, Apple, and CashApp credentials as well as U.S. banking logins.
  • The platform’s phishing kits automatically localized the language of phishing sites depending on the victims’ location.
  • It featured capabilities designed to thwart analysis, such as anti-sandboxing and geolocated access restrictions.
  • 16shop’s web infrastructure was hosted across numerous legitimate cloud providers to further avoid detection.
  • The site was active from 2018 until at least 2021, with copycat sites most likely springing up after this date.

According to INTERPOL, Trend’s threat intelligence report helped lead to the arrest of the suspected administrator of 16shop and two other suspects in Indonesia and Japan. In total, 16shop is estimated to have enabled phishing attacks on over 70,000 victims in 43 countries.

Trend’s close support of INTERPOL in this operation follows numerous previous engagements, including 2022’s Operation African Surge, and the dozens of training sessions the cybersecurity provider has delivered to law enforcement agencies since 2014, including a five-day course recently held in Manila.