UK police claim to have successfully infiltrated and disrupted a phishing-as-a-service (PhaaS) operation that made cybercriminals over £1m ($1.3m) from tens of thousands of victims.
Described by Europol as one of the world’s largest PhaaS platforms, LabHost offered all the tools fraudsters needed to launch sophisticated phishing and smishing (SMS phishing) campaigns.
Launched in 2021, it was responsible for hosting as many as 40,000 phishing sites by 2024, with 2000 criminal users said to be paying a monthly subscription fee for its services, according to London’s Metropolitan Police, which led the law enforcement operation. It received around £1m in payments from these subscribers in that time, the Met said.
The police effort began in 2022 when the Met received important intelligence about LabHost from non-profit the Cyber Defence Alliance. It subsequently teamed up with law enforcers in 19 countries and private sector cybersecurity partners including Trend Micro to help bring down the platform.
Read more on PhaaS: Microsoft Warns of Adversary-in-the-Middle Uptick on Phishing Platforms
Some 37 suspects were arrested between April 14 and 17 internationally, including one individual in the UK thought to be the site’s original developer. Some 70 addresses were searched and the site itself has been seized.
The Met and its global partners will now be seeking to identify and track down subscribers to the site. The Met said it has already sent 800 users a message that it is on to them, although it’s believed there were as many as 10,000 users worldwide.
The UK police force identified around 70,000 UK victims of LabHost-hosted phishing sites, and globally the platform was responsible for the theft of 480,000 card numbers, 64,000 PIN numbers and over one million passwords, it revealed.
According to a Trend Micro analysis, LabHost offered multi-factor authentication (MFA) bypass, highly customizable phishing pages, a smishing component, and the ability to harvest PINs, personal information and security question answers. It also supported phishing campaigns across a number of non-banking sites including Spotify, DHL, car toll services, insurance providers and more, Trend said.
Met deputy commissioner, Lynne Owens, argued that the policing response to the current fraud epidemic should be to undermine criminals’ trust in the online services they use.
“Online fraudsters think they can act with impunity. They believe they can hide behind digital identities and platforms such as LabHost and have absolute confidence these sites are impenetrable by policing,” she added.
“But this operation and others over the last year show how law enforcement worldwide can, and will, come together with one another and private sector partners to dismantle international fraud networks at source. Our approach is to be more precise and targeted with a clear focus on those enabling online fraud to be carried out on an international scale.”