An Algerian web developer who claims to have “a demonstrated history of working in the internet industry” has launched coronavirus-themed email scams and helped build other hacking tools, according to a police intelligence report.
Samir Djelal, who allegedly used the internet alias Cazanova Haxor, developed malicious software that was used in a phishing attack aimed at California city accounts in March 2020, states an internal report from the California Cyber Security Integration Center, a state organization meant to facilitate information sharing about digital threats.
The threat profile, dated April 6, 2020, was made public as part of BlueLeaks, the 269 GB database containing data on police bulletins, training materials and other law resources taken from law enforcement fusion centers. Distributed Denial of Secrets, a WikiLeaks-style transparency group, appears to have obtained the trove of information after hackers breached Netsential, a Texas internet company that handles websites for police agencies throughout the United States. The Department of Homeland Security is investigating the disclosure.
In this case, police say, an Algerian named Samir Djelal aimed to steal data from victims early during the COVID-19 pandemic by using an email address that appeared to belong to an unnamed California city government employee, with the subject line “Awareness_Reg WHO,” meant to resemble information from the World Health Organization. The message actually directed users to a link that researchers tied to the “Morphine” phishing kit, which collects victims’ usernames, passwords and other data by masquerading as a legitimate Microsoft Office 365 page.
The same hacker also developed software meant to steal data from PayPal, Netflix, American Express and Apple, among other organizations, the police advisory states.
In a series of emails to CyberScoop, Djelal denied that he carried out any of the attacks, as alleged by California authorities and security researchers. While Djelal used the alias “Cazanova163,” he said, someone used his likeness and logos to design malicious software. Djelal denied any involvement in cybercrime.
“Somebody used a fake profile and used my logos that I was making as a web designer and developer in scripts and malware,” he wrote. “All the information [is] fake, and somebody [who] knows me [has] used my logo designs in one of this projects[.]”
California investigators, who worked with the FBI, tied the attacks to Djelal by following security researchers’ Twitter conversations and conducting some open-source analysis. One user, a malware specialist known as @rootprivilege, found that the “Cazanova Haxor” alias belonged to Djelal by examining web servers where some of the malicious tools were hosted, the report said.
[1/4] Ladies and gentlemen – we got him!
Aliases: CaZaNoVa163, Cazanova Haxor, cazanova, xcazanova
— r00t (@rootprivilege) December 9, 2019
Further examination revealed more specific connections. Researchers plugged a picture from the hacker’s site into a reverse Instagram image search to find a web design profile called “codewithcolors” that mentioned “Cazanova” and “Samir Djelal” on the same site. Djelal’s personal Instagram and Twitter profiles also included mention of codewithcolors.
“Djelal’s social media behavior and public statements following the public disclosure of his identity suggest that he may be preparing to go into hiding and/or intends to curtail his illegal activities,” the California notice reported.
Soon after California Cyber Security Integration Center investigators independently verified some of the researchers’ findings, Djelal started sanitizing his social media behavior and shuttering suspicious activities. They also examined the registration details for the hacking site, xcazanova[.]com, and found that Samir Djelal acquired the site on Feb. 27, 2018, and included a legitimate email address, phone number, details about five other web domains and a physical address in Algiers, Algeria.
“As noted by cybersecurity researchers who ascertained Cazanova’s real identity, Djelal’s poor [operational security] practices and his desire to market himself (presumably to increase his reputation and financial success) were further validated by two additional leaks Cal-CSIC uncovered,” the law enforcement bulletin said.
In a message to CyberScoop, Djelal said the changes to the Cazanova social media activity are evidence that the real hacker made them in order to make Djelal look guilty.
“I saw the reports say that the Twitter owner updated the domain and used my phone number just before they published the post on Twitter, and that leads me to ask why did he put my number now?!” Djelal wrote.
Cal-CSIC went on to uncover a YouTube video, dated to 2016, in which “Cazanova Haxor” demonstrated ways to fleece PayPal users by using Adobe Photoshop. A message near the bottom right corner of the screen reads “Created by Djelal Samir.” Meanwhile, a project on the SourceForge software repository, where Cazanova seems to have been compiling hacking tools, includes another image stating “IHacked By CazaNoVa163 (Djelal Samir).”
Cal-CSIC did not immediately respond to a request for comment from CyberScoop.
This article has been updated to include a response from Djelal.