Law enforcement authorities with Interpol have apprehended a threat actor presumably responsible for multiple attacks on telecom companies, major banks, and multinational corporations in France with the goal of stealing customers’ bank information.
The two-year investigation, dubbed Operation Lyrebird by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a report shared with The Hacker News.
Dr HeX is said to have been “active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims,” the cybersecurity firm said.
The cyberattacks involved deploying a phishing kit consisting of web pages spoofing French companies, followed by sending mass emails impersonating the targeted companies, prompting email recipients to enter login information on the spoofed site. The credentials entered by unsuspecting victims on the fake web page were then redirected to the perpetrator’s email. At least three phishing kits presumably developed by the threat actor have been extracted.
The scripts included in the phishing kit contained the name Dr HeX and the individual’s contact email address, which was then used to identify and deanonymize the cybercriminal, in the process uncovering a YouTube channel as well as another name used by the attacker to register at least two fraudulent domains that were used in the attacks.
Additionally, Group-IB said it was also able to map the email address to the malicious infrastructure employed by the accused in various phishing campaigns, which included as many as five email addresses, six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.
In all, Dr HeX’s digital footprint left a tell-tale trail of malicious activity over a period stretching from 2009 to 2018, during which the threat actor defaced no fewer than 130 web pages. Investigators also found posts created by the attacker on different underground forums devoted to malware trading, along with evidence suggesting his involvement in attacks on French corporations to steal financial information.
“The suspect, in particular, promoted so-called Zombi Bot, which allegedly contained 814 exploits, including 72 private ones, a brute-forcer, webshell and backdoor scanners, as well as functionality to carry out DDoS attacks,” Group-IB CTO Dmitry Volkov told The Hacker News.