Phishy Business: Unraveling LabHost’s scam ecosystem

In early 2024, Group-IB uncovered LabHost’s Phishing-as-a-Service ecosystem, detailing how LabHost, LabCVV, LabSend and LabRefund together monetize stolen data through automated phishing deployments, a card shop, and fraud-education channels. The investigation links phishing pages targeting INTERAC to a Canadian-focused operation, identifies prominent monikers, and provides actionable hunting techniques for Threat Intelligence and Anti-Fraud teams. #LabHost #LabCVV

Key points

  • The LabHost ecosystem combines phishing automation with monetization services (LabCVV, LabSend, LabRefund) to streamline fraud workflows.
  • Phishing sites are created via a turnkey LabHost deployment process and distributed to victims using LabSend’s SMS/MMS capabilities.
  • LabRat serves as a real-time victim-control module to collect sensitive data, including 2FA codes, guiding victims through structured scenarios.
  • Assets gathered (logs, credit cards) can be cashed out or sold through LabCVV, with LabRefund aiding refunds at online shops.
  • Group-IB identifies three likely monikers tied to LabHost within DarkWeb/Telegram channels: @MrSmartICQ, @Zimna514, @houdini13.
  • Multiple LabHost infrastructure IOCs, including domains and a LabSend APK hash, are used to support operations and distribution.
  • Detailed recommendations focus on continuous phishing takedown, infrastructure disruption, anti-fraud tooling, and threat-actor identity investigations.

MITRE Techniques

  • [T1566] Phishing – LabHost enables automated deployment of phishing pages and dissemination of links via LabSend to harvest victim data. “LabHost provides a platform to its users for orchestrating phishing attacks by automating processes of deployment and configuring phishing websites…”
  • [T1583] Acquire Infrastructure – Criminals rent VPS servers and auto-deploy phishing sites through the LabHost portal. “Criminals start their path by renting a VPS server and auto-deploying a phishing website…”
  • [T1056] Input Capture – The LabRat module is used to steal 2FA codes and other personal data from victims. “The LabRat module here can be used by criminals to manually guide victims through attack scenarios in order to steal 2FA codes…”
  • [T1071] Application Layer Protocol – The phishing platform periodically checks subscription status via API calls (API key validation). “the server performs a request to check whether the hardcoded API key is valid and the subscription is active.”

Indicators of Compromise

  • [Domain] Phishing infrastructure domains – lab-host.ru, labcvv.su, labsend.co, api2-4hdfix74ks.co, instapi-1xoa93z90o348fz.co
  • [IP Address] – 45.148.244.237, 188.114.96.1
  • [File Hash] – SHA1: cda695baad4be4f6067195395997360337a43d6f
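As an added example (not code from the Group-IB report), the indicators above can be turned into a small hunting check that runs over proxy, DNS or EDR export lines. The log format, the source hosts and the sample lines are constructed for this illustration; domains are matched by suffix so that subdomains of the listed hosts are also flagged, and the hash comparison is case-insensitive.

```python
import re
from collections import namedtuple

# Indicators listed in the report (domains matched by suffix so that
# subdomains such as the constructed "login.lab-host.ru" also hit).
IOC_DOMAINS = {"lab-host.ru", "labcvv.su", "labsend.co",
               "api2-4hdfix74ks.co", "instapi-1xoa93z90o348fz.co"}
IOC_IPS = {"45.148.244.237", "188.114.96.1"}
IOC_SHA1 = {"cda695baad4be4f6067195395997360337a43d6f"}

# Hypothetical log format: "<ts> <src_ip> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
Hit = namedtuple("Hit", "ts src kind value ioc")

def domain_ioc(host):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def scan_line(line):
    """Parse one log line and return a list of Hit records for matching IoCs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    hits = []
    for key, val in KV_RE.findall(m["rest"]):
        if key in ("host", "query", "sni"):
            d = domain_ioc(val)
            if d:
                hits.append(Hit(m["ts"], m["src"], "domain", val, d))
        elif key in ("dst", "resolved") and val in IOC_IPS:
            hits.append(Hit(m["ts"], m["src"], "ip", val, val))
        elif key == "sha1" and val.lower() in IOC_SHA1:
            hits.append(Hit(m["ts"], m["src"], "sha1", val, val.lower()))
    return hits

def scan_lines(lines):
    return [h for line in lines for h in scan_line(line)]

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-02-01T10:00:00Z 10.0.0.5 host=login.lab-host.ru dst=45.148.244.237",
    "2024-02-01T10:00:02Z 10.0.0.5 host=example.com dst=198.51.100.10",
    "2024-02-01T10:01:00Z 10.0.0.9 query=api2-4hdfix74ks.co resolved=188.114.96.1",
    "2024-02-01T10:02:00Z 10.0.0.7 sha1=CDA695BAAD4BE4F6067195395997360337A43D6F",
]
```

Running `scan_lines(SAMPLE_LOG)` yields five hits (two for the first line, none for the second, two for the third, one for the fourth); each hit carries the source host and the indicator it matched so it can be routed to takedown or incident follow-up.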

Read more: https://www.group-ib.com/blog/labhost-operation