LabHost Phishing Platform is Latest Target of International Law Agencies
2024-4-20 03:46:36 Author: securityboulevard.com

The takedown this week of a massive phishing-as-a-service (PhaaS) operation spanned law enforcement agencies from both sides of the Atlantic and is the latest example of an increasingly aggressive approach by authorities to disrupt the operations of high-profile cybercriminal gangs.

Agencies from 19 countries participated in the operation against LabHost, which first appeared in 2021 and grew to include at least 40,000 phishing domains and thousands of registered users – about 800 of whom were notified by authorities that police knew who they were and what they had been doing – and racked up more than $1.17 million in payments from bad actors using the phishing kit.

In addition, 37 people around the world were arrested in connection with LabHost, according to Europol, which began coordinating the investigation in September 2023, more than a year after the UK’s Metropolitan Police initially began looking into LabHost’s activities in June 2022.

Four of those arrested in the UK, including the site's initial developer, are suspected of running the LabHost site.

The Metropolitan Police said LabHost had about 2,000 registered users, though Europol put the number at about 10,000. The law enforcement operation ran from April 14 to April 17, with LabHost and its fraudulent sites being disrupted on the last day.

Bad Actors Had to Pay to Play

As with other PhaaS operations, the bad actors paid between $179 and $300 a month in subscriptions to use LabHost’s phishing kits – which include tools for creating and distributing the phishing emails – and the operation’s infrastructure for hosting phishing pages created to look like they belonged to legitimate companies. The hackers used phishing emails to entice targets to provide personal information. LabHost included more than 170 fake websites with convincing phishing pages that users could choose from.

According to U.S. law enforcement officials, the spoofed sites looked like they were from such companies as Amazon, Netflix, Wells Fargo, Bank of America, and Chase Bank. They said LabHost operated through the Lab-host.ru domain, which links back to a Russian internet infrastructure company. They didn’t identify the company.

The FBI and Secret Service participated in the international investigation, seizing four of the fraudulent domains associated with API services that were used to install spoofed websites and manage LabHost’s phishing and credential-theft operations, according to the U.S. Justice Department.

Cybercriminals used the service to steal almost 500,000 payment card numbers, 64,000 PINs, and more than a million passwords for websites and online services, according to authorities. The Metropolitan Police said that almost 70,000 people in the UK entered details into one of LabHost’s fraudulent sites.

“What made LabHost particularly destructive was its integrated campaign management tool named LabRat,” Europol wrote in a statement. “This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time. LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.”

An International Threat

According to Trend Micro, LabHost’s phishing pages included those for Canadian, U.S., and international banks, services such as Spotify, insurance providers, and postal providers like DHL, along with highly customizable phishing templates requesting such information from victims as names, addresses, emails, birth dates, answers to standard security questions, card numbers, passwords, and PINs.

In addition, hackers could ask for bespoke phishing pages to be created for a targeted brand. The platform was easy to use, given that it did most of the work in developing and managing the infrastructure, and it offered users detailed campaign statistics and management of stolen credentials.

“In essence, a PhaaS outsources the traditional task of having to develop and host phishing pages for a target organization, plus having to develop methods to extract stolen details, substantially dropping the barrier for entry to phishing,” wrote Trend Micro, which was one of a number of private companies – including Microsoft, Chainalysis, Intel 471, and The Shadowserver Foundation – that assisted the investigation.

PhaaS is a fast-emerging sector of the larger phishing environment and part of the larger trend of threat groups offering their malware – including ransomware – as a service. Trend Micro pointed to a number of other PhaaS operators – including Greatness and Frappo – but noted that “LabHost was certainly one of the most popular and damaging in the market.”

The vendor wrote that LabHost offered three membership tiers to bad actors, who paid with Bitcoin. The standard membership for $179 a month gave users dozens of pages targeting Canadian institutions and hosted up to three active phishing pages at a time. The premium membership at $249 a month added pages targeting U.S. institutions and bumped up the number of active phishing pages to 20.

At $300 a month, a world membership offered more than 70 phishing pages aimed at international organizations and added 10 hosted phishing pages for organizations in more than two dozen countries throughout Europe, Asia, the Middle East, and Central and South America.

Law Enforcement Targets the Platforms

The law enforcement effort against LabHost mirrors other recent international takedowns of sprawling cybercriminal operations, including those against major ransomware groups Hive, LockBit, and BlackCat, also known as ALPHV.

The Metropolitan Police said that while such operations focused on various types of online fraud, each one targeted a platform being used by threat groups.

“This operation and others over the last year show how law enforcement worldwide can, and will, come together with one another and private sector partners to dismantle international fraud networks at source,” Dame Lynne Owens, deputy commissioner of the Metropolitan Police, said in a statement. “Our approach is to be more precise and targeted with a clear focus on those enabling online fraud to be carried out on an international scale.”

Timothy P. Burke, special agent in charge with the U.S. Secret Service, said that “seizing LabHost and arresting those involved will have a systemic impact on transnational cybercrime.”

Source: https://securityboulevard.com/2024/04/labhost-phishing-platform-is-latest-target-of-international-law-agencies/