As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world.
Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K.
As part of the operation, codenamed Nebulae, two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses.
“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails,” the Australian Federal Police (AFP) said in a statement.
The Europol-led coordinated effort also witnessed 32 other individuals being apprehended between April 14 and 17, including four in the U.K. who are allegedly responsible for developing and running the service. In total, 70 addresses were searched across the world.
Coinciding with the arrests, LabHost (“lab-host[.]ru”) and all its associated cluster of phishing sites have been confiscated and replaced with a message announcing their seizure.
LabHost was documented earlier this year by Fortra, detailing its PhaaS targeting popular brands globally for anywhere between $179 to $300 per month. It first emerged in the fourth quarter of 2021, coinciding with the availability of another PhaaS service called Frappo.
“LabHost divides their available phishing kits between two separate subscription packages: a North American membership covering U.S. and Canadian brands, and an international membership consisting of various global brands (and excluding the NA brands),” the company said.
According to Trend Micro, LabHost also provided phishing pages for Spotify, postal services such as DHL and An Post, car toll services, and insurance providers, besides allowing customers to request the creation of bespoke phishing pages for target brands.
“Since the platform takes care of most of the tedious tasks in developing and managing phishing page infrastructure, all the malicious actor needs is a virtual private server (VPS) to host the files and from which the platform can automatically deploy,” Trend Micro said.
The phishing pages – links to which are distributed via phishing and smishing campaigns – are designed to mimic banks, government entities, and other major organizations, deceiving users into entering their credentials and two-factor authentication (2FA) codes.
Customers of the phishing kit, which comprises the infrastructure to host the fraudulent websites as well as email and SMS content generation services, could then use the stolen information to take control of the online accounts and make unauthorized fund transfers from victims’ bank accounts.
The captured information encompassed names and addresses, emails, dates of birth, standard security question answers, card numbers, passwords, and PINs.
“Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from,” Europol said, adding law enforcement agencies from 19 countries participated in the disruption.
“What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.”
LabHost’s phishing infrastructure is estimated to include more than 40,000 domains. More than 94,000 victims have been identified in Australia and approximately 70,000 U.K. victims have been found to have entered their details in one of the bogus sites.
The U.K. Metropolitan Police said LabHost has received about £1 million ($1,173,000) in payments from criminal users since its launch. The service is estimated to have obtained 480,000 card numbers, 64,000 PIN numbers, as well as no less than one million passwords used for websites and other online services.
PhaaS platforms like LabHost lower the barrier for entry into the world of cybercrime, permitting aspiring and unskilled threat actors to mount phishing attacks at scale. In other words, a PhaaS makes it possible to outsource the need to develop and host phishing pages.
“LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front,” said AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid.
The development comes as Europol revealed that organized criminal networks are increasingly agile, borderless, controlling, and destructive (ABCD), underscoring the need for a “concerted, sustained, multilateral response and joint cooperation.”
