18 April 2024

International police operation takes down massive PhaaS platform LabHost


International police operation takes down massive PhaaS platform LabHost

An international police operation, involving law enforcement agencies from 19 countries, led by the UK's Metropolitan Police Service, has dismantled LabHost, one of the largest Phishing-as-a-Service (PhaaS) providers.

As part of the effort dubbed ‘Operation Stargrew’, 37 suspects were arrested worldwide, of which four individuals were apprehended in the United Kingdom, including the developer behind the platform, and five people in Australia. According to the Australian Federal Police, 94,000 people in Australia were among those who had had their personal information stolen through the use of LabHost.

LabHost, also known as LabRat, emerged in late 2021 as a PhaaS platform, gradually expanding its offerings to include numerous phishing pages targeting banks, major organizations, and service providers globally, with a focus on Canada, the US, and the UK. By the time of its takedown, LabHost boasted over 2,000 criminal users who had used its services to deploy more than 40,000 fraudulent sites, resulting in hundreds of thousands of victims worldwide.

The platform offered a slew of features, including;

  • Proxying connections to phished organizations for obtaining two-factor authentication (2FA) codes using Adversary-in-the-Middle (AitM) techniques;

  • Phishing pages targeting major Canadian, US, and international banks, as well as additional services such as Spotify, DHL, An Post, car toll services, and insurance providers;

  • Highly customizable phishing templates capable of soliciting various personal and financial information, including names, addresses, emails, dates of birth, security question answers, card numbers, passwords, and PINs;

  • Providing phishing pages for specific brands upon request;

  • Management in real-time via an integrated campaign management tool named LabRat, with the platform handling most tasks involved in developing and maintaining phishing page infrastructure, requiring only a virtual private server (VPS) for hosting files and automatic deployment;

  • Detailed campaign success metrics for criminal users; 

  • Management of stolen credentials;

  • A popular SMS phishing component, LabSend, supporting customized SMS templates to facilitate the distribution of phishing pages to target victims.

LabHost offered three membership tiers paid via bitcoin: standard ($179 per month), premium ($249 per month), and World Membership ($300 per month), the highest tier, offering over 70 phishing pages targeting international organizations and adding 10 separately hosted phishing pages, covering numerous countries.

Quarterly and annual subscriptions were available, with technical support services provided by platform administrators via a dedicated Telegram channel for all service levels.


Back to the list

Latest Posts

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

The flaw involves Foxit PDF Reader's handling of pop-up messages.
20 May 2024
China-linked APT group uses malware to spy on commercial shipping

China-linked APT group uses malware to spy on commercial shipping

Mustang Panda infiltrated the computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.
20 May 2024
The Grandoreiro malware is back up and running after January disruption

The Grandoreiro malware is back up and running after January disruption

Grandoreiro now targets over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region.
20 May 2024