This was published 8 months ago
5 things to know about LabHost, the fallen SMS scamming empire
By Tim Biggs
UK Metropolitan Police this week revealed that, together with a number of international law enforcement agencies, it had pulled off a global sting to eliminate a major player in the cybercrime ecosystem – “phishing-as-a-service” provider LabHost.
The agencies made 37 arrests, including five in Australia, and said they had contacted 800 suspects who used LabHost to let them know their alleged crimes had been uncovered.
LabHost reportedly had 2000 paying customers, who are alleged to have used it to defraud hundreds of thousands of victims. But what exactly is phishing-as-a-service, and what do these arrests mean?
What is LabHost?
Aside from the fact that they almost exclusively facilitated criminal enterprises, the products offered by LabHost weren’t that different from those you might procure from any legitimate cloud-based software provider.
Established in 2021, LabHost made online tools that let users design and launch their own phishing campaigns: scams designed to trick people into handing over sensitive information.
If you’ve ever received an SMS claiming to be from a bank, tax agency, toll road operator or similar, asking you to click a link and make a payment, it’s possible you’ve seen the result of LabHost’s wares.
The business operated much like any software-as-a-service provider. Customers paid a monthly fee, which was between $300 and $500, depending on the tools they wanted to access, and simply logged into their account to use the software. This means they could initiate phishing campaigns without having to bother with the most tedious and technical tasks, such as creating fraudulent imitation web pages, managing stolen data or sending hundreds of messages.
What services did LabHost offer?
The core LabHost offering was its phishing pages. These were hundreds of web pages designed to look like legitimate sites – including banks from around the world, postal services and insurance providers – which criminals used to trick victims into providing their personal information. But the services went much deeper than that.
More specialised tools included adversary-in-the-middle attacks, in which the phishing page sits between the victim and the real site, relaying the password and one-time code to the genuine login in real time and keeping the authenticated session that comes back, which automatically circumvents two-factor authentication based on one-time codes. The platform also offered detailed analytics and reports to assess the effectiveness of scam campaigns.
Users were able to customise their scams with a high degree of granularity to get the exact information they were after, and LabHost also took care of everything in the back end, collecting the data entered into the web pages and collating it into databases for the customer.
Like any good software-as-a-service provider, LabHost also offered live technical assistance.
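The adversary-in-the-middle bypass mentioned above, as an added example that is not LabHost’s code or anything recovered from it. The bank, the phishing proxy and the victim are all simulated in one Python process; the user name, password, TOTP seed, signing key and the lookalike domain are made up for the demo. It shows why a relayed one-time code still yields a valid session, and why an authenticator that signs the page’s origin (the idea behind FIDO2/passkeys, simplified here with an HMAC standing in for a private key) does not.

```python
"""Added example (not LabHost code): an adversary-in-the-middle phishing
proxy defeats one-time codes but not origin-bound authenticators.
All parties are simulated in-process; every name and secret is made up."""
import hashlib
import hmac
import secrets
import struct
import time

# --- TOTP (RFC 6238): the shared seed provisioned to the victim's app ---
TOTP_SECRET = b"victim-totp-seed-example"  # constructed for the demo


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Standard HMAC-SHA1 time-based code for timestamp t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Bank:
    """The real site: accepts password + TOTP and issues a session cookie."""
    ORIGIN = "https://bank.example"  # hypothetical

    def __init__(self):
        self.users = {"alice": ("correct horse", TOTP_SECRET)}
        self.sessions = {}

    def login(self, user, password, code, now):
        pw, seed = self.users.get(user, (None, None))
        if pw != password or seed is None or totp(seed, now) != code:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


class AitMProxy:
    """The phishing page: forwards every field to the real site as it is
    typed and keeps the cookie the real site hands back."""
    ORIGIN = "https://bank-login.click"  # hypothetical lookalike domain

    def __init__(self, upstream):
        self.upstream = upstream
        self.stolen_cookies = []

    def login(self, user, password, code, now):
        cookie = self.upstream.login(user, password, code, now)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie  # the victim is logged in and sees nothing wrong


def run_totp_attack():
    """Victim enters password and current app code on the proxy page.
    Returns the user the bank associates with the cookie the proxy kept."""
    bank = Bank()
    proxy = AitMProxy(bank)
    now = int(time.time())
    proxy.login("alice", "correct horse", totp(TOTP_SECRET, now), now)
    return bank.sessions.get(proxy.stolen_cookies[0])


# --- Origin-bound authenticator (WebAuthn idea, simplified) ---
# The client signs the server's challenge together with the origin the
# page was actually served from; the server verifies against ITS origin.
KEY = b"victim-authenticator-key-example"  # constructed; stands in for a private key


def sign(challenge: bytes, origin: str) -> str:
    return hmac.new(KEY, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def bank_verify(challenge: bytes, signature: str) -> bool:
    expected = sign(challenge, Bank.ORIGIN)
    return hmac.compare_digest(expected, signature)


def run_origin_bound_attack():
    """Same proxy, but the victim's browser is on the proxy's domain, so
    the assertion is bound to that origin and the bank rejects it."""
    challenge = secrets.token_bytes(16)
    sig = sign(challenge, AitMProxy.ORIGIN)
    return bank_verify(challenge, sig)


if __name__ == "__main__":
    print("TOTP relay gives attacker session for:", run_totp_attack())
    print("Origin-bound assertion accepted by bank:", run_origin_bound_attack())
```

The point of the second half is that the proxy cannot change what the victim's browser signs: the origin is baked into the assertion, so a valid session never comes back for the attacker to keep. Defences for code-based 2FA (rate limiting, device fingerprinting) still leave the relay window open.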
How did the attacks work?
Given how broad the tools were, attacks would have differed significantly. However, a common SMS phishing attack aimed at grabbing credit card numbers is a good example.
LabHost had a component called LabSend that let customers manage SMS scam campaigns; you just adjusted the parameters to create your custom message, loaded up your database of numbers, and LabHost sent out the texts.
Customers would choose one of the supported institutions to impersonate, such as a bank or courier service. For this example, let’s imagine we’re impersonating a toll road operator. The message might say:
“You have unpaid tolls that are now overdue. Penalties will be imposed on outstanding amounts. Please settle these amounts by making a payment here: https://roadtollexample.click/”
Clicking the link would take victims to a phishing page hosted by LabHost, which would typically begin by asking for a phone number under the guise of verifying the victim’s identity, then might show a screen designed to harvest identifying details (for example, full name and address).
Ultimately, it would ask them to pay a small amount for the outstanding toll by entering their full credit card details. After that, when the criminal customer next logged into their LabHost account, the stolen card number and identifying details would be neatly arranged in a database for them, along with statistics and reports on how their operation was tracking.
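A small triage scorer for messages of the kind described above, as an added example that is not part of the original article or of LabHost. The indicator lists, the threshold and the three sample messages (the first mirrors the toll lure above; the others are constructed, using a documentation IP address) are assumptions to be tuned on real data; it shows how the lure’s urgency wording, payment ask and off-brand TLD combine into a score.

```python
"""Added example (not LabHost code): score SMS text for smishing traits.
Indicator lists and sample messages are constructed for the demo."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Indicators drawn from the toll-road lure and typical smishing patterns.
URGENCY = ("overdue", "penalt", "suspend", "immediately", "final notice", "within 24")
PAYMENT_ASK = ("make a payment", "making a payment", "pay now", "settle",
               "update your card", "enter your")
IMPERSONATED_RE = re.compile(r"\b(toll|bank|post|parcel|courier|tax|deliver)")
RISKY_TLDS = {"click", "top", "xyz", "icu", "cfd", "link", "live", "shop"}
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def score_sms(text: str):
    """Return (score, reasons). Higher score means more smishing-like."""
    t = text.lower()
    score, reasons = 0, []
    if any(w in t for w in URGENCY):
        score += 2
        reasons.append("urgency/penalty language")
    if any(w in t for w in PAYMENT_ASK):
        score += 2
        reasons.append("asks for payment or details")
    if IMPERSONATED_RE.search(t):
        score += 1
        reasons.append("names an often-impersonated service")
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        tld = host.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            score += 3
            reasons.append(f"link on risky TLD .{tld} ({host})")
        elif IP_RE.fullmatch(host):
            score += 3
            reasons.append(f"link to raw IP ({host})")
        else:
            score += 1
            reasons.append(f"contains link ({host})")
    return score, reasons


def classify(text: str, threshold: int = 5):
    score, reasons = score_sms(text)
    return ("smishing" if score >= threshold else "benign", score, reasons)


# Constructed sample messages; the first is the toll lure from the article.
SAMPLES = [
    "You have unpaid tolls that are now overdue. Penalties will be imposed on "
    "outstanding amounts. Please settle these amounts by making a payment here: "
    "https://roadtollexample.click/",
    "Your parcel is held pending a $2.99 redelivery fee. Pay now within 24h: "
    "http://203.0.113.7/track",
    "Reminder: dentist appointment Tuesday 10am. Reply Y to confirm.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        label, score, reasons = classify(msg)
        print(f"{label:8} {score:2}  {msg[:48]}...  <- {', '.join(reasons)}")
```

Keyword scoring like this is only a first pass; in production the link host would also be checked against recently registered domains and known phishing feeds, and the threshold set from measured false-positive rates.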
How did law enforcement stop them?
In 2022, the UK Metropolitan Police received intelligence about the company and teamed up with law enforcement agencies and security companies around the world to investigate.
Together, they mapped LabHost’s infrastructure, identified key users, analysed more than 40,000 fraudulent websites and collected details on the company’s financials.
In a press release, the UK Metropolitan Police said LabHost had collected more than £1 million ($1.94 million) in payments from criminal users since it set up shop.
Law enforcement agencies co-ordinated several dozen arrests, and seized the servers LabHost used to provide its products. People visiting the websites are now shown a warning that the tools are under police control, and hundreds of known LabHost customers have been contacted and told they are under criminal investigation.
What happens now?
LabHost was certainly not the only global phishing-as-a-service operator. But its seizure shows that it is possible to police these kinds of crimes, despite the anonymous nature of their operations.
Monash University professor Nigel Phair said the arrests could have the effect of making would-be-criminals think twice before signing up to a phishing-as-a-service provider.
“These types of investigations are very important, as the emergence of cybercrime-as-a-service platforms like LabHost not only proliferate, but also reduce the barriers to entry for cybercriminals,” he said.
“This investigation also demonstrates there are plenty of cybercriminals located in Australia, making it easier for Australian police to combat this ever-growing type of crime.”
Trend Micro, a security company that assisted in the investigation, said the result by no means puts an end to phishing, but should have tangible benefits.
“[Police] have helped remove a major player in the phishing ecosystem, weakening the toolkits of malicious actors, while also spreading uncertainty among their user base,” it said in a blog post.
“This will have an immediate effect on the targets of phishing attacks carried out using the platform, thereby helping to safeguard victims [who would unfortunately receive messages that impersonate legitimate brands] and the affected brands themselves.”