Phishing-as-a-service platform LabHost shut down in global operation

One of the world’s largest phishing-as-a-service platforms has been “severely disrupted” by a global year-long operation, Europol announced on Thursday.

Law enforcement from 19 countries searched 70 addresses worldwide this week and arrested 37 suspects related to the operation of LabHost. 

The LabHost platform, previously available on the open web, has been shut down and its infrastructure compromised, according to Europol. The investigators also uncovered at least 40,000 phishing domains linked to the platform, which had some 10,000 users worldwide.

The Australian police announced on Thursday that they took down 207 servers hosting phishing websites created through the LabHost service, targeting more than 94,000 people in the country. Five individuals have been arrested in Australia in relation to the service’s operation. 

The U.K. arrested four people linked to the running of the site, including the alleged original developer. Police established that just under 70,000 victims in the U.K. have entered their details into one of LabHost’s fraudulent sites. Globally, the service has obtained an estimated 480,000 card numbers, 64,000 PIN numbers, as well as more than one million passwords used for websites and other online services.

As of Thursday, U.K. detectives had contacted up to 25,000 victims in the country to tell them their data has been compromised.

In a phishing-as-a-service model, cybercriminals offer tools that enable less skilled individuals to conduct phishing attacks.

LabHost has become a significant tool for cybercriminals worldwide. For a monthly subscription fee averaging $249, the platform provided phishing kits, infrastructure for hosting pages, interactive functionality for engaging directly with victims, and campaign overview services.

Depending on the subscription, criminals also received a list of targets that included financial institutions, postal delivery services and telecommunication services providers. LabHost also offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from.

What made LabHost particularly destructive was its integrated campaign management tool named LabRat, Europol said. This feature allowed cybercriminals to monitor and control attacks in real-time. LabRat was designed to capture two-factor authentication codes and credentials, allowing criminals to bypass security measures.

“Platforms such as LabHost make cybercrime more easily accessible for unskilled hackers, significantly expanding the pool of threat actors,” Europol said.

“Yet, however user-friendly the service portrays itself to be, its malicious use constitutes an illegal activity — and the penalties can be severe.”

Last August, international police shut down a phishing-as-a-service platform, known as 16shop, which was used by 70,000 people. The service’s phishing kits were designed to steal credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App. They were sold at a relatively modest cost, ranging from $60 to $150, depending on the targeted brand.