After three years of operating with impunity, the massive phishing site LabHost has been shut down by UK law enforcement officials. The platform amassed at least $1 million since its inception by selling phishing kits to cybercriminals at rates averaging $249 a month.
Officials stated that LabHost was set up in 2021 to makeit easier for hackers to create fake websites aimed at tricking people into revealing email addresses, passwords, and bank details. Law enforcement had been investigating the service since June 2022. Investigators discovered more than 40,000 phishing domains used by 2,000 registered LabHost users.
“With this many users and subscribers, this platform shows that it’s too easy to commit phishing attacks,” said Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “The internet provides enough anonymity to nearly eliminate the risk of getting caught. Companies like LabHost are essentially providing phishing as a service, much like legitimate companies use SaaS or PaaS, and step-by-step instructions, so even the least tech-savvy individual can now easily create profitable mass phishing campaigns.”
Getting Around Two-Factor Authentication
LabHost obtained 480,000 bank card numbers, 64,000 PIN numbers, and more than one million passwords. Maybe the most pernicious aspect of the operation was a tool called LabRat—a real-time phishing management tool that enabled hackers to capture two-factor authentication (2FA) tokens, bypassing what many people assumed were iron-clad account protections.
“This is terrifying,” Pitt said. “This means that cybercriminals can essentially adapt their techniques in real time to get around anyone’s hesitancy in opening malicious emails or visiting malicious sites. Security professionals, tech companies, and social media platforms must learn how to defend against this—by disallowing scripts behind emails, detecting, and preventing immediate changes to suspicious sites or emails. And by using biometrics and behavioral analytics, rather than just two-factor authentication.”
Inside the Investigation
Europol, the law enforcement agency for the EU, worked with the U.S. Secret Service and Federal Bureau of Investigation in shutting down LabHost, as well as with authorities in countries as distant as Australia and Finland. Some reports indicated that the phishing operations were focused on attacks in North America. Europol also said they got assistance from partners in the private sector, including Microsoft, Trend Micro, Chainalysis, Intel 471, and The Shadowserver Foundation.
“This case demonstrates the coordination needed to successfully dismantle cybercrime operations,” Pitt said. “It is not an easy feat.”
Protecting Yourself
How can consumers protect themselves from these far-flung, sophisticated operations? Pitt recommends:
- If you are not expecting an email/text/social media post, do not click on the link or provide any personal information.
- Remember that scammers attack the most vulnerable targets and the ones that will bring in the most ROI, the highest victim pool, and the largest payday.
- Before entering sensitive information on a company site, do your own research on that company. It is a red flag if there have been complaints, or the reviews all seem positive.
