The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider

Figure 3 shows an example of a fairly typical attack flow for an SMS-based phishing attack from LabHost, based on the target’s perspective.

The user’s target phone receives an SMS related to a service offered in their country — in this case, it mimicked a customs charge on a posted item to Ireland. Since Ireland is an island nation, it’s not unusual for Irish people who are expecting a parcel from outside of the EU (such as the UK or the US) to receive these kinds of legitimate requests. Other common targeting techniques used against Irish users include local bank or local road toll services, or their equivalents from other countries.

1. In this case, the smish would have been sent via the LabSend module of the LabHost platform, likely leveraging a farm of dedicated mobile devices created for this purpose. Note that the fee is set to a small amount to avoid raising suspicion.
2. Once the target selects this link, they are directed to a highly convincing page that copies the look and feel of An Post, the Irish postal service and the legitimate entity that normally processes these kinds of customs payments. The user is then prompted to input their phone number; however, in testing, this does not need to match the targeted phone, so it does not function as a safety check.
3. Rather than present the user with all the details the attackers wants to gather on one screen (which might trigger suspicion) the attackers break these details up over several screens.
4. The fake page initially asks for the user’s name and address (Eircode is a postcode system used in Ireland), then requests classic credit card details, including the security code. Once completed, all these details will be sent via the phishing page (hosted on a user of LabHost’s infrastructure) to the main LabHost panel, with an alert being sent to the cybercriminal user. The user can then simply log in to LabHost and retrieve these details, or export all of the gathered credentials for a given time period.

While this is an example of an attack against an Irish target, a similar attack flow exists using different brands for other regions on both mobile and desktop devices. Mobile devices have an advantage for attackers since they frequently lack installed security software, making users more susceptible to carrying out small transactions on them without practicing due diligence. Such attacks not only negatively affect the target victim but also indirectly affect the impersonated brands themselves, potentially undermining trust and leading them to receive support calls for which they can do little to assist the victim.

What action did law enforcement take?

On Thursday, April 18, 2024, LabHost and all linked fraudulent sites were disrupted by the Metropolitan Police Service and replaced with messages announcing their seizure. This operation was carried out in partnership with the UK’s National Crime Agency, the City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the UK, and other international police forces in close collaboration with trusted private industry organizations.

In addition, from April 15 to April 17, international law enforcement made several arrests related to criminal users of this service, including the suspected founder of LabHost (who was located in the UK). International law enforcement also contacted hundreds more, mentioning that it knew the details of their activities and leaving a warning that they remain under active investigation.

The press release articulates the scale of the service, including the large amount of money earned from it for an approximate period of two and a half years, the number of fraudulent domains created, and the volume of stolen credentials. The removal of this service and several of its key users will yield a significant impact on these types of phishing fraud attacks as a result.

Trend has been assisting in the investigation of LabHost along with the UK’s Metropolitan Police Service since June 2023. During that time we have helped in the following:

• Investigating the infrastructure hosting the criminal service
• Investigating phishing pages associated with users of the service
• Assisting with the triage and clustering of LabHost users
• Launching individual investigations on several key users

This is in keeping with Trend’s guiding mission to make the world safe for the exchange of digital information, for both our customers and non-customers alike. We have been collaborating with law enforcement globally for decades and have formal partnerships with UK law enforcement going back almost 10 years, with several successful operations and arrests. Such partnerships help us not only to proactively protect our customer base with highly timely threat intelligence but also expand that impact to the wider internet userbase.

In taking this action, the Metropolitan Police Service and its partners have helped remove a major player in the phishing ecosystem, weakening the toolkits of malicious actors while also spreading uncertainty among their userbase. This will have an immediate effect on the targets of phishing attacks carried out using the platform, thereby helping to safeguard victims (who would unfortunately receive messages that impersonate legitimate brands) and the affected brands themselves.

We would like to take this opportunity to congratulate the Metropolitan Police Service on its lead role in this operation, its international and local law enforcement partners, and our fellow trusted private industry colleagues on all the hard work that went into this case. We look forward to many continued successful endeavors in the future.

Key indicators

The following are the main landing pages for the now disabled service. Each of these e is proactively blocked by Trend so that our customers are aware if anyone on their network is visiting these sites.

• labhost[.]cc (historical)
• labhost[.]co (historical)
• labhost[.]xyz (historical)
• labhost[.]ru (historical)
• lab-host[.]ru

In addition, the platform was used to generate over 40,000 fraudulent sites with many new phishing URLs added daily for its customer base. Trend protects customers from these URLs using a combination of sourcing and behavioral detection methods, primarily tagging them with the category “PHISHKIT” in our logs.

As mentioned previously, other PhaaS-type services still exist, and we continue to actively monitor and provide protection for ongoing campaigns. For advice on protecting yourself from phishing attacks, please visit our phishing definition page.

Read More HERE