Posted: 2024-04-21 19:00:00

The core LabHost offering was its phishing pages. These were hundreds of web pages designed to look like legitimate sites – including banks from around the world, postal services and insurance providers – which criminals used to trick victims into providing their personal information. But the services went much deeper than that.

More specialised tools included adversary-in-the-middle attacks, which can be used to automatically circumvent two-factor authentication, as well as detailed analytics and reports to assess the effectiveness of scam campaigns.

Users were able to customise their scams with a high degree of granularity to get the exact information they were after, and LabHost also took care of everything in the back end, collecting the data entered into the web pages and collating it into databases for the customer.

Like any good software-as-a-service provider, LabHost also offered live technical assistance.

How did the attacks work?

Given how broad the tools were, attacks would have differed significantly. However, a common SMS phishing attack aimed at grabbing credit card numbers is a good example.

LabHost had a component called LabSend that let customers manage SMS scam campaigns; you just adjusted the parameters to create your custom message, loaded up your database of numbers, and LabHost sent out the texts.

You would have had to choose to impersonate one of the supported institutions, such as a bank or courier service. For this example, let’s imagine we’re impersonating a toll road operator. The message might say:

You have unpaid tolls that are now overdue. Penalties will be imposed on outstanding amounts. Please settle these amounts by making a payment here: https://roadtollexample.click/

Clicking the link would take victims to a website designed by LabHost, which would likely profess to authenticate the victim by asking for a phone number, then might show a screen designed to steal identifying details (e.g. "enter your full name and address").

Ultimately, it would ask them to pay a small amount of money for their outstanding toll, by entering their full credit card details. After that, when the LabHost criminal customer next logged into their account, the stolen credit card number and identifying details would be neatly arranged into a database for them, along with statistics and reports of how their criminal operation was tracking.

How did law enforcement stop them?

In 2022, the UK Metro Police received intelligence about the company, and teamed up with law enforcement agencies and security companies around the world to investigate.

Together, they mapped LabHost’s infrastructure, identified key users, analysed more than 40,000 fraudulent websites and collected details on the company’s financials.

In a press release, the UK Metro Police said LabHost had collected more than £1 million ($1.94 million) in payments from criminal users since it set up shop.

Law enforcement agencies co-ordinated several dozen arrests, and seized the servers LabHost used to provide its products. People visiting the websites are now shown a warning that the tools are under police control, and hundreds of known LabHost customers have been contacted and told they are under criminal investigation.

What happens now?

LabHost was certainly not the only global phishing-as-a-service operator. But its seizure shows that it is possible to police these kinds of crimes, despite the anonymous nature of their operations.

Monash University professor Nigel Phair said the arrests could have the effect of making would-be criminals think twice before signing up to a phishing-as-a-service provider.

“These types of investigations are very important, as the emergence of cybercrime-as-a-service platforms like LabHost not only proliferate, but also reduce the barriers to entry for cybercriminals,” he said.

“This investigation also demonstrates there are plenty of cybercriminals located in Australia, making it easier for Australian police to combat this ever-growing type of crime.”

Trend Micro, a security company that assisted in the investigation, said the result by no means puts an end to phishing, but should have tangible benefits.

“[Police] have helped remove a major player in the phishing ecosystem, weakening the toolkits of malicious actors, while also spreading uncertainty among their user base,” it said in a blog post.

“This will have an immediate effect on the targets of phishing attacks carried out using the platform, thereby helping to safeguard victims [who would unfortunately receive messages that impersonate legitimate brands] and the affected brands themselves.”
