International police operation infiltrates LabHost phishing website used by thousands of criminals

70,000 UK fraud victims

Detectives have established that 70,000 victims in the UK entered their details into one of LabHost’s fraudulent phishing sites. So far, around 25,000 victims in the UK have been informed that their data has been compromised.

Worldwide, the web service has been used to obtain 480,000 card numbers, 64,000 PINs and more than one million passwords, but final numbers are likely to be greater.

Since its creation in 2021, LabHost has received payments of just under £1m from criminal users. The Metropolitan Police said detectives have identified many of the criminals that used the service and investigations are continuing to track down those who have not yet been arrested.

Shortly after the platform was disrupted, 800 users received a warning message from detectives telling them “we know who they are and what they have been doing”.

Phishing as a service

Crime as a service is a rapidly growing business model for providing tools, services or expertise to cyber criminals to conduct attacks.

LabHost offered a range of phishing services through tiered monthly subscriptions, which could be deployed in a few clicks.

Customers used the service to target financial institutions and postal and telecommunications services with phishing emails and SMS messages. The site offed a menu of over 170 fake websites designed to look like those of legitimate organisations.

Criminals also used a management tool provided by the website, known as LabRat, to deploy phishing attacks and monitor and control them in real time. LabRat was designed to capture two-factor authentication codes, allowing criminals to bypass security protections.

Europol said law enforcement agencies had gathered a “vast amount” of data, which will be used to support ongoing investigations.

LabHost began in Canada

LabHost originated in Canada in 2021, offering phishing services in North America before expanding into the UK and Ireland, and later the rest of the world.

Cyber criminals could sign up to the service for US$179 a month, according to research by Trend Micro. The basic service offered users dozens of pages targeting Canadian institutions, along with three active phishing pages. A premium membership tier, priced at US$249 a month, offered additional access to dozens of web pages targeting US institutions. The highest membership tier, for US$300 a month, offered over 70 phishing pages targeting organisations in nearly 30 countries.

The service provided phishing pages for several major Canadian, US and international banks, music streaming service Spotify, postal services including DHL and the Irish post office, insurance companies and road toll services. Users could also request bespoke phishing pages to mimic target organisations.

LabHost offered customisable phishing templates for customers to use to request names and addresses, email addresses, dates of birth, answers to standard security questions, card numbers, passwords and PINs.

The phishing service also offered technical support through a dedicated channel on the Telegram messaging service.

International investigation

Police began investigating LabHost in June 2022 after receiving intelligence from the Cyber Defence Alliance, a non-profit membership group for financial services organisations.

The Met’s Cyber Crime Unit went on to collaborate with the National Crime Agency (NCA), the City of London Police, Regional Organised Crime Units, Europol and international police forces.

Cyber security companies including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro also took part in the investigation.

The investigation uncovered at least 40,000 phishing domains linked to LabHost, which had 10,000 users worldwide.

In Australia, police arrested five people and took down more than 200 servers used to host fraudulent phishing sites created by LabHost, after executing 22 search warrants across the country in an operation involving more than 200 officers. The Australian arm of the operation, codenamed Operation Nebulae, identified more than 100 suspects who use LabHost in Australia.

Police in Holland arrested five users and searched six homes, seizing 100 SIM cars and five firearms.

Met Police operation demonstrates UK capabilities

Lynne Owens, deputy commissioner of the Metropolitan Police Service, said: “Online fraudsters think they can act with impunity. They believe they can hide behind digital identities and platforms such as LabHost and have absolute confidence these sites are impenetrable by policing.”

Adrian Searle, director of the National Economic Crime Centre at the NCA, said: “Fraud is a terrible crime that impacts victims both financially and psychologically, undermining our collective trust in others and the online services on which we all rely.

“This operation again demonstrates that UK law enforcement has the capability and intent to identify, disrupt and completely compromise criminal services that are targeting the UK on an industrial scale.”

A spokesperson for the Cyber Defence Alliance said: “The partnership with the Cyber Defence Alliance and law enforcement continues to develop. We have together, once again, been able to disrupt a major international criminal platform and prevented more people falling victim to these scams.”