‘Cybercrime-as-a-service’ platform disrupted by police

A related website seizure notice (Europol)

A worldwide police operation has taken down a ‘cybercrime-as-a-service’ platform used by thousands of criminals on the open web to buy phishing kits, infrastructure for hosting pages, interactive functionality for directly engaging with victims, and campaign overview services. The LabHost platform, which had around 10,000 users worldwide, sold these services to criminals across the world for a monthly subscription. The international investigation was led by the UK’s London Metropolitan Police (Operation Stargrew), with the support of Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) hosted at its headquarters in The Hague. Law enforcement from 19 countries took part in the operation.

Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects.  This included the arrest of 4 individuals in the United Kingdom linked to the running of the site, including the original developer of the service.  At least 40,000 phishing domains were linked to LabHost by the investigation.


‘Cybercrime-as-a-service’ has become a rapidly growing business model in the criminal landscape whereby threat actors rent or sell tools, expertise, or services to other cybercriminals to commit their attacks.  While this model is well established with ransomware groups, it has also been adopted in other aspects of cybercrime, such as phishing attacks.

Platforms such as LabHost make cybercrime more easily accessible for unskilled hackers, significantly expanding the pool of threat actors.

With a monthly fee averaging $249, LabHost offered a range of illicit services which were customisable and could be deployed with a few clicks. Depending on the subscription, criminals were provided an escalating scope of targets including financial institutions, postal delivery services and telecommunication services providers. LabHost offered a menu of over 170 fake websites providing convincing phishing pages for its users to choose from.

What made LabHost particularly destructive was its integrated campaign management tool named LabRat.  This feature allowed cybercriminals deploying the attacks to monitor and control those attacks in real time.  LabRat was designed to capture two-factor authentication codes and credentials, allowing the criminals to bypass enhanced security measures.

Malicious use of a ‘cybercrime-as-a-service’ platform constitutes an illegal activity – and the penalties can be severe. A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

EAST Response

EAST focusses on tackling ‘cybercrime-as-a-service’ through the EAST Expert Group on Payment and Transaction Fraud (EPTF). This operation was discussed at the 18th EAST EPTF Meeting held yesterday in Edinburgh, UK.
