UK and international law enforcement took down LabHost, a major Phishing-as-a-Service platform, on April 18, 2024, in a coordinated operation that included arrests of key users. Trend Micro assisted the investigation, highlighting LabHost’s scale: over 2,000 criminal users deploying more than 40,000 fraudulent sites and targeting banks and services worldwide. #LabHost #LabRat #AnPost #TrendMicro
Key points
- LabHost operated as a Phishing-as-a-Service (PhaaS) platform with global reach and thousands of fraudulent pages.
- Key features included Adversary-in-the-Middle (AiTM) style 2FA interception via LabRat, customizable templates, and a dedicated SMS smishing component (LabSend).
- Members could access multiple tiers (Standard, Premium, World) with escalating numbers of hosted pages and broader target coverage.
- LabHost enabled easy infrastructure management (hosting on a VPS) and provided detailed campaign statistics and credential management.
- There were other PhaaS players and red-team tools in the ecosystem (e.g., Frappo, Greatness; Evilgophish, EvilPhish, EvilGinx2).
- An example attack flow described an SMS lure leading to a forged brand site (An Post) designed to harvest personal and payment information.
- The takedown disrupted a major phishing ecosystem, with arrests and ongoing investigations, and Trend Micro continues to monitor remaining PhaaS services.
MITRE Techniques
- [T1566.001] Spearphishing Link – Delivery via SMS leading to a fake site; “The user’s target phone receives an SMS related to a service offered in their country … the fake page … copies the look and feel of An Post”.
- [T1566.003] Spearphishing via Service – Platform functions as a service to create, host, and manage phishing pages; “In essence, a PhaaS outsources the traditional task of having to develop and host phishing pages for a target organization…”
- [T1583.003] Acquire Infrastructure – Attacker infrastructure hosted phishing pages via VPS; “the platform takes care of most of the tedious tasks in developing and managing phishing page infrastructure; all the malicious actor needs is a virtual private server (VPS) to host the files”
Indicators of Compromise
- [Domain] labhost[.]cc, labhost[.]co, labhost[.]xyz, labhost[.]ru, lab-host[.]ru (all historical)
Read more: https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html