'LabHost' Phishing Service

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world.

Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K.

As part of the operation, codenamed PhishOFF and Nebulae (referring to the Australian arm of the probe), two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses.

"Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via texts and emails," the Australian Federal Police (AFP) said in a statement.

The Europol-led coordinated effort also witnessed 32 other individuals being apprehended between April 14 and 17, including four in the U.K. who are allegedly responsible for developing and running the service. In total, 70 addresses were searched across the world.


Coinciding with the arrests, LabHost ("lab-host[.]ru") and all its associated cluster of phishing sites have been confiscated and replaced with a message announcing their seizure.

LabHost was documented earlier this year by Fortra, which detailed the PhaaS platform's targeting of popular brands globally for anywhere from $179 to $300 per month. It first emerged in the fourth quarter of 2021, coinciding with the availability of another PhaaS service called Frappo.

"LabHost divides their available phishing kits between two separate subscription packages: a North American membership covering U.S. and Canadian brands, and an international membership consisting of various global brands (and excluding the NA brands)," the company said.

According to Trend Micro, the phishing bazaar's catalog of templates also extended to Spotify, postal services such as DHL and An Post, car toll services, and insurance providers, besides allowing customers to request the creation of bespoke phishing pages for target brands.

"Since the platform takes care of most of the tedious tasks in developing and managing phishing page infrastructure, all the malicious actor needs is a virtual private server (VPS) to host the files and from which the platform can automatically deploy," Trend Micro said.


The phishing pages – links to which are distributed via phishing and smishing campaigns – are designed to mimic banks, government entities, and other major organizations, deceiving users into entering their credentials and two-factor authentication (2FA) codes.

Customers of the phishing kit, which comprises the infrastructure to host the fraudulent websites as well as email and SMS content generation services, could then use the stolen information to take control of the online accounts and make unauthorized fund transfers from victims' bank accounts.

The captured information encompassed names and addresses, emails, dates of birth, standard security question answers, card numbers, passwords, and PINs.

"Labhost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from," Europol said, adding law enforcement agencies from 19 countries participated in the disruption.

"What made LabHost particularly destructive was its integrated campaign management tool named LabRat. This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real-time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures."
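The real-time capture described above works because a one-time code typed into a phishing page stays valid for the rest of its time window, so a relay that forwards it a few seconds later is indistinguishable from the victim; origin-bound credentials close that gap because the authenticator signs the origin the browser actually shows. The following simulation is an added example, not code from LabHost or from any of the firms quoted here; the secrets, origins and the HMAC stand-in for a public-key signature are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not taken from the article).
TOTP_SECRET = b"demo-shared-secret"
DEVICE_KEY = b"demo-device-private-key"   # stands in for an authenticator's private key
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"  # constructed lookalike origin

def totp(secret: bytes, now: int, step: int = 30) -> int:
    """RFC 6238 style six-digit code for the 30-second window containing `now`."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return code % 1_000_000

def server_accepts_totp(code: int, now: int) -> bool:
    # The server only knows the shared secret and the clock; it cannot see who typed the code.
    return code == totp(TOTP_SECRET, now)

def relay_attack_on_totp(now: int) -> bool:
    """Failure mode: the code the victim enters is forwarded 5 s later and still verifies."""
    victim_code = totp(TOTP_SECRET, now)
    return server_accepts_totp(victim_code, now + 5)

def sign_challenge(challenge: bytes, origin: str) -> str:
    # WebAuthn-style: the signed data covers the server challenge AND the page origin.
    # HMAC is a simplification standing in for a private-key signature.
    return hmac.new(DEVICE_KEY, challenge + origin.encode(), hashlib.sha256).hexdigest()

def server_accepts_assertion(challenge: bytes, signature: str) -> bool:
    # The relying party verifies only against its own origin, never a claimed one.
    expected = sign_challenge(challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relay_attack_on_origin_bound() -> bool:
    """The proxy forwards the bank's challenge, but the browser signs the phishing origin."""
    challenge = b"nonce-from-bank"
    relayed_signature = sign_challenge(challenge, PHISH_ORIGIN)
    return server_accepts_assertion(challenge, relayed_signature)
```

Running `relay_attack_on_totp(1_700_000_000)` returns True while `relay_attack_on_origin_bound()` returns False, which is the difference between a code that can be relayed and a credential that cannot.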

Group-IB, which found references to LabHost in Telegram dating back to August 17, 2021, said that LabRat was one of the many services advertised by the group, the others being LabCVV (credit card shop), LabSend (SMS/MMS spam delivery system), and LabRefund (Telegram channels and private groups where criminals teach their customers how to utilize stolen data).

LabHost's phishing infrastructure is said to include more than 40,000 domains. More than 94,000 victims have been identified in Australia and approximately 70,000 U.K. victims have been found to have entered their details in one of the bogus sites.

The U.K. Metropolitan Police said LabHost has received about £1 million ($1,173,000) in payments from criminal users since its launch. The service is estimated to have obtained 480,000 card numbers, 64,000 PINs, as well as no fewer than one million passwords used for websites and other online services.


An analysis of LabHost's identified crypto wallets by Chainalysis has revealed the receipt of over $1.1 million worth of virtual currency spanning thousands of transfers, most of it accounting for the monthly fee paid by its customers.

"LabHost then sent most of those funds to a few mainstream exchanges, presumably to be cashed out, as well as to a popular mixer, likely to launder the funds and obfuscate their origins," the blockchain analytics firm said. "Like many cybercriminal organizations, LabHost utilized a range of third-party services and infrastructure providers."

Furthermore, many of the cybercriminals who used LabHost also appear to have been customers of iSpoof, an illegal online phone number spoofing service that was dismantled by law enforcement in November 2022. No fewer than 20 wallets have been observed transacting with both iSpoof and LabHost, collectively sending and receiving over $5.3 million worth of Bitcoin.

PhaaS platforms like LabHost lower the barrier for entry into the world of cybercrime, permitting aspiring and unskilled threat actors to mount phishing attacks at scale. In other words, a PhaaS makes it possible to outsource the need to develop and host phishing pages.

"LabHost is yet another example of the borderless nature of cybercrime and the takedown reinforces the powerful outcomes that can be achieved through a united, global law enforcement front," said AFP Acting Assistant Commissioner Cyber Command Chris Goldsmid.

The development comes as Europol revealed that organized criminal networks are increasingly agile, borderless, controlling, and destructive (ABCD), underscoring the need for a "concerted, sustained, multilateral response and joint cooperation."
