A new version of the 16Shop phishing kit has been observed in the wild. More than 200 URLs loading login pages aimed at collecting login information from Amazon customers. McAfee noticed in May 2019 a new strain of the tool that focused on Amazon users, as revealed by the PHP code for 16Shop. The code is highly obfuscated, so it becomes clear that the purpose was to double-cross anyone foolish enough to believe that they got 16Shop for free. The cracker implemented this functionality so they receive the same data the kit’s operator gets from the victims.
Source: https://www.bleepingcomputer.com/news/security/amazon-accounts-targeted-by-16shop-phishing-kit/