Authorities Investigate LabHost Users After Phishing Service Shutdown

Security pros praised an international operation that shut down LabHost, a phishing-as-a-service platform, but experts warn law enforcement have their hands full as the technology behind phishing attacks becomes increasingly commoditized.

Authorities from 19 countries raided 70 addresses around the world last week, making 34 arrests and shutting down the LabHost platform, which was previously available on the open web.

The service offered subscribers a choice of over 170 websites that were “convincing” imitations of authentic portals, along with a sophisticated set of tools to help manage the process of stealing personal information from phishing victims.

“LabHost had become a significant tool for cybercriminals around the world,” Europol said in a statement.

“For a monthly subscription (from $179-$300), the platform provided phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services.”

Authorities said they found over a million user credentials and almost 500,000 compromised credit cards on LabHost’s infrastructure. Among those arrested last week were four people in the United Kingdom allegedly involved in running the service, including LabHost’s original developer.

‘We know who you are,’ police tell malware users

The operation was led by London Metropolitan Police, with the support of Europol’s European Cybercrime Centre and Joint Cybercrime Action Taskforce. Other agencies involved included the U.S. Secret Service, the FBI and the Royal Canadian Mounted Police.

After shuttering the operation, police messaged 800 LabHost customers to warn them law enforcement knew they had been using the service.

“We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received,” a statement from the London Metropolitan Police said.

“Many of these individuals will remain the focus of investigation over the coming weeks and months.”

U.S. authorities seized four domains used by the platform’s administrators and its more than 2,000 customers.

“Seizing LabHost and arresting those involved will have a systemic impact on transnational cybercrime,” Timothy Burke, Secret Service special agent in charge of the Pittsburgh field office, said in a statement.

Why the LabHost takedown is significant

Martin Kraemer, security awareness advocate at KnowBe4, said the law enforcement operation resulted in the first major disruption to phishing activities since the LockBit ransomware gang was taken down by an international sting in February.

“Phishing, as the most used attack vector, and ransomware, as the most common monetization scheme, are two important areas to tackle. Law enforcement is clearly stepping up the game and rightly so.”

Kraemer said it was important authorities worked to reduce the accessibility and attractiveness of online fraud schemes.

“We must put a stop to the increasing trend of cybercrime turning into an opportunity business for aspiring cyber criminals.”

Toby Lewis, global head of threat analysis at Darktrace, said the turnkey service LabHost was offering to its large customer base was a prime example of the commoditization and evolution of cybercrime.

“The success of this operation highlights a troubling trend — attackers are increasingly shifting away from one-off, custom attacks in favor of outsourced models. This allows them to maximize their impact while minimizing their own time, effort and risk,” he said.

“However, the takedown of LabHost demonstrates that law enforcement can fight back. Each time these criminal enterprises are disrupted, it raises the cost for the attackers — not only in having to rebuild their infrastructure, but also in needing to evolve their tactics to avoid detection in the future.”

LabHost was established in 2021 and the London Metropolitan Police said detectives began work in June 2022 on the case that resulted in last week’s takedown.

Malachi Walker, security advisor at DomainTools, said the large number of arrests made by international law enforcement was likely linked to the long duration of the investigation.

“The longer history a threat actor has, the more likely their operational security has failed or will fail at some point,” he said.

“Those footholds can shut entire cybercrime organizations down — and they’re often based on seemingly innocuous domain registration and hosting decisions. Both of which are incredibly common among those launching phishing campaigns.”