Global police operation disrupts ‘LabHost’ phishing service, over 30 arrested worldwide


As many as 37 people have been arrested as part of an international crackdown on a cybercrime service called LabHost which has been used by criminal actors to steal personal credentials from victims around the world.

Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the United States, and the United Kingdom.

As part of the operation, codenamed PhishOFF and Nebulae (a reference to the Australian arm of the investigation), two LabHost users from Melbourne and Adelaide were arrested on April 17, while three others were arrested and charged with drug-related offenses.

“The Australian offenders are allegedly among 10,000 cyber criminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via SMS and email,” the Australian Federal Police (AFP) said in a statement.

The coordinated effort led by Europol also saw the arrest of a further 32 people between 14 and 17 April, including four in the UK allegedly responsible for developing and running the service. In total, 70 addresses were searched worldwide.


In conjunction with the shutdowns, LabHost (“lab-host[.]ru”) and all clusters of phishing sites associated with it were seized and replaced with a message announcing their seizure.

LabHost was documented earlier this year by Fortra, which detailed its PhaaS offering targeting globally popular brands for between $179 and $300 per month. It first emerged in Q4 2021, coinciding with the availability of another PhaaS service called Frappo.

“LabHost divides available phishing kits into two separate subscription packages: a North American subscription covering US and Canadian brands, and an international subscription consisting of various global brands (and excluding NA brands),” the company said.

According to Trend Micro, the phishing bazaar’s catalog of templates has also expanded to Spotify, postal services such as DHL and An Post, car toll services and insurance companies, as well as allowing customers to request the creation of tailor-made phishing pages for target brands.

“Since the platform takes care of most of the tedious tasks in developing and managing the infrastructure of phishing pages, all the attacker needs is a virtual private server (VPS) to host the files and from which the platform can deploy automatically,” Trend Micro said.


The phishing pages, links to which are distributed via phishing and smishing campaigns, are designed to imitate banks, government agencies and other major organizations and to trick users into entering their credentials and two-factor authentication (2FA) codes.

Customers of the phishing kit, which includes the infrastructure to host the fraudulent websites as well as email and SMS content generation services, could then use the stolen information to take control of online accounts and make unauthorized fund transfers from the victims’ bank accounts.

The information captured included names and addresses, emails, dates of birth, answers to standard security questions, card numbers, passwords and PINs.

“Labhost offered a menu of more than 170 fake websites providing convincing phishing pages for its users to choose from,” Europol said, adding that law enforcement agencies from 19 countries participated in the disruption.

“What made LabHost particularly destructive was its integrated campaign management tool called LabRat. This functionality allowed cybercriminals to monitor and control such attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing criminals to bypass enhanced security measures.”


LabHost’s phishing infrastructure is said to include more than 40,000 domains. More than 94,000 victims in Australia were identified and around 70,000 victims in the UK were found to have entered their details into one of the fake sites.

The UK’s Metropolitan Police said LabHost has received around £1 million ($1,173,000) in payments from criminal users since its launch. The service is estimated to have obtained 480,000 card numbers, 64,000 PIN numbers and no fewer than one million passwords used for websites and other online services.

PhaaS platforms like LabHost lower the barrier to entry into the world of cybercrime, allowing aspiring and inexperienced threat actors to launch large-scale phishing attacks. In other words, a PhaaS makes it possible to outsource the need to develop and host phishing pages.

“LabHost is yet another example of the borderless nature of cybercrime and the removal reinforces the important achievements that can be achieved through a united, global law enforcement front,” said Chris Goldsmid, Acting Deputy Commissioner of AFP Cyber Command.

The development comes as Europol revealed that organized criminal networks are increasingly agile, borderless, controlling and destructive (ABCD), underlining the need for a “concerted, sustained, multilateral and jointly cooperative response”.
