LabHost phishing platform shut down by law enforcement

The LabHost platform, which operated on the phishing-as-a-service (PhaaS) model, was taken down during a year-long law enforcement operation. Police hacked the platform's infrastructure and detained 37 suspects, including the LabHost developer.

The phishing platform was launched in 2021 and allowed attackers who paid a monthly subscription fee to launch attacks using a variety of phishing kits against banks and services in North America.

Additionally, LabHost provided the infrastructure to host phishing pages and automatically generate and send phishing emails, making it easy for even low-skilled criminals to carry out their attacks.

In February 2024, the information security company Fortra warned that LabHost was gradually turning into a popular PhaaS platform, moving ahead of other players in this market.

Coordinated by Europol, the international law enforcement operation, dubbed PhishOFF and Nebulae, began about a year ago and involved police from 19 countries, as well as private sector companies including Microsoft, Trend Micro, Chainalysis, Intel 471 and The Shadowserver Foundation.

Europol officials say that during the investigation, at least 40,000 phishing domains associated with LabHost were discovered, and the service was used by more than 10,000 people worldwide. According to authorities, service operators earned about $1,173,000 from the sale of PhaaS subscriptions.

Investigators also found that LabHost operators stole about 480,000 bank cards, 64,000 PIN codes and about a million passwords from various online accounts. More than 94,000 victims were identified in Australia, and about 70,000 in the UK.

“With an average monthly fee of $249, LabHost offered a range of illegal services that could be configured and deployed with just a few clicks,” investigators said.

Europol specialists single out a powerful tool called LabRat, which set the service apart from its competitors. LabRat was a real-time management tool for phishing campaigns that allowed attackers to intercept two-factor authentication (2FA) tokens and bypass account security.

Between April 14 and April 17, 2024, law enforcement agencies around the world simultaneously searched 70 addresses and arrested 37 people suspected of links to the LabHost service.

In addition, the Australian Joint Cybercrime Coordination Center (JPC3) reported the destruction of 207 servers that hosted phishing sites created using LabHost. UK police announced the arrest of four people involved in managing the service’s website, as well as the “original developer of the platform.”

Shortly after law enforcement took control of LabHost's infrastructure, messages were sent to 800 users warning that they would soon become targets of new investigations.
