Police investigators blame Algerian for coronavirus-themed phishing attacks

An Algerian web developer who claims to have “a demonstrated history of working in the internet industry” has launched coronavirus-themed email scams and helped build other hacking tools, according to a police intelligence report.

The man, who allegedly used the internet alias Cazanova Haxor, developed malicious software that was used in a phishing attack aimed at California city accounts in March 2020, states an internal report from the California Cyber Security Integration Center, a state organization meant to facilitate information sharing about digital threats.

The threat profile, dated April 6, 2020, was made public as part of BlueLeaks, the 269 GB database containing data on police bulletins, training materials and other law resources taken from law enforcement fusion centers. Distributed Denial of Secrets, a WikiLeaks-style transparency group, appears to have obtained the trove of information after hackers breached Netsential, a Texas internet company that handles websites for police agencies throughout the United States. The Department of Homeland Security is investigating the disclosure.

In this case, police say, an Algerian with the initials S.D. aimed to steal data from victims early during the COVID-19 pandemic by using an email address that appeared to belong to an unnamed California city government employee, with the subject line “Awareness_Reg WHO,” meant to resemble information from the World Health Organization. The message actually directed users to a link that researchers tied to the “Morphine” phishing kit, which collects victims’ usernames, passwords and other data by masquerading as a legitimate Microsoft Office 365 page.

The same hacker also developed software meant to steal data from PayPal, Netflix, American Express and Apple, among other organizations, the police advisory states.

In a series of emails to CyberScoop, the suspect denied that he carried out any of the attacks, as alleged by California authorities and security researchers. While the man used the alias “Cazanova163,” he said, someone used his likeness and logos to design malicious software. The suspect denied any involvement in cybercrime.

“Somebody used a fake profile and used my logos that I was making as a web designer and developer in scripts and malware,” he wrote. “All the information [is] fake, and somebody [who] knows me [has] used my logo designs in one of this projects[.]”

California investigators, who worked with the FBI, tied the attacks to S.D. by following security researchers’ Twitter conversations and conducting some open-source analysis. One user, a malware specialist known as @rootprivilege, found that the “Cazanova Haxor” alias belonged to S.D. by examining web servers where some of the malicious tools were hosted, the report said.

(The tweet in question has since been deleted.)

Further examination revealed more specific connections. Researchers plugged a picture from the hacker’s site into a reverse Instagram image search to find a web design profile called “codewithcolors” that mentioned “Cazanova” and on the same site. S.D.’s personal Instagram and Twitter profiles also included mention of codewithcolors.

The suspect’s “social media behavior and public statements following the public disclosure of his identity suggests that he may be preparing to go into hiding and/or intends to curtail his illegal activities,” the California notice reported.

Soon after California Cyber Security Integration Center investigators independently verified some of the researchers’ findings, the suspect appeared to start sanitizing his social media behavior and shuttering suspicious activities, the bulletin noted. They also examined registration detailed for the hacking site, xcazanova[.]com, to find that S.D. acquired the site on Feb. 27, 2018, and included a legitimate email address, phone number, details about five other web domains and a physical address in Algiers, Algeria.

“As noted by cybersecurity researchers who ascertained Cazanova’s real identity, [the man’s] poor [operational security] practices and his desire to market himself (presumably to increase his reputation and financial success) was further validated by two additional leaks Cal-CSIC uncovered,” the law enforcement bulletin said.

In a message to CyberScoop, S.D. said the changes to the Cazanova social media activity are evidence that the true hacker did that to make the suspect look guilty.

“I saw the reports say that the Twitter owner updated the domain and used my phone number just before they published the post on Twitter, and that leads me to ask why did he put my number now?!,” he wrote.

Cal-CSIC went on to uncover a YouTube video, dated to 2016, in which “Cazanova Haxor” demonstrated ways to fleece PayPal users by using Adobe Photoshop. Meanwhile, a project on the SourceForge software repository, where Cazanova seems to have been compiling hacking tools, includes another image stating “IHacked By CazaNoVa163.”

Cal-CSIC did not immediately respond to a request for comment from CyberScoop.

Update, July 22, 2021: This article has been updated to refer to the hacking suspect by the initials “S.D.” A reference to a tweet from a researcher also has been updated to clarify that the tweet is no longer available.