Interpol and law enforcement authorities have apprehended a wicked cybercriminal responsible for targeting thousands of victims over several years and rendering malware attacks on telecom companies, major banks, multinational corporations in France as part of a global phishing and credit card fraud scheme.
Cybersecurity firm Group-IB disclosed on Tuesday in a report that a two-year investigation dubbed 'Operation Lyrebird' by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr. HeX.
The cybersecurity firm said that Dr. HeX has been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims.”
HeX's operations involved deploying a phishing kit consisting of web pages that spoofed banking entities in the country, followed by sending mass emails mimicking the targeted companies, prompting email recipients to enter login information on the rogue website.
The credentials entered by unsuspecting victims on the fake web page were then redirected to the perpetrator's email. At least three different phishing kits presumably developed by the threat actor have been extracted.
Interpol said in a statement that the phishing kits were also "sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims,"
"These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services."
The scripts included in the phishing kit contained the name Dr. HeX and the individual's contact email address with which the cybercriminal was eventually identified and deanonymised. In the process, there was the uncovering of a YouTube channel as well as another name used by the adversary to register at least two fraudulent domains that were used in the attacks.
Additionally, Group-IB said that it was also able to map the email address to the malicious infrastructure employed by the accused in various phishing campaigns which included as many as five email addresses, six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.
Generally, Dr. HeX's digital footprint left a tell-tale trail of malicious activities over a period stretching between 2009 and 2018, during when the threat actor defaced no fewer than 134 web pages, along with finding posts created by the attacker on different underground forums devoted to malware trading and evidence suggesting his involvement in attacks on French corporations to steal financial information.
Group-IB CTO Dmitry Volkov disclosed that "The suspect, in particular, promoted so-called Zombi Bot, which allegedly contained 814 exploits, including 72 private ones, a brute-forcer, webshell, and backdoor scanners, as well as functionality to carry out DDoS attacks.”