The “starving student” is a literary and cultural trope that dates back hundreds of years, but a life as a cyber crime service provider is a twist no author ever could have imagined. According to the London Metropolitan Police, university students were among the 37 suspects recently rounded up in a law enforcement operation that took down the LabHost phishing service.
The site is just one of many on the dark web offering phishing services, but was described as “very slick” and oriented to non-technical users. The law enforcement operation found the site had about 10,000 members each paying a membership fee of up to £300 a month for prefabricated phishing pages, video tutorials and chat assistance in scamming targets.
Phishing service raked in big money during its run
A press release from Europol documents the broad strokes of the international law enforcement operation, which saw seizure of the phishing service’s infrastructure and the arrest of its suspected ringleader.
The law enforcement operation ran from April 14 to 17 and consisted of raids across 19 countries, including the arrests of multiple suspects apparently attempting to flee the UK via various airports. The investigation of the phishing service was reportedly opened in June 2022; Europol became involved in September 2023, and the case grew to span multiple countries.
LabHost worked on a subscription service model that offered a variety of tiers, but averaged monthly payments of about £200 for each user. Subscribers had access to phishing template pages and about 40,000 domains owned by the phishing service, essentially providing them with everything they needed to run cyber scams in one convenient package. Higher subscription tiers provided the phishing service’s clients with target suggestions and access to a campaign management tool called LabRat that had the ability to capture some two-factor authentication codes. Tutorial videos were available to all users to show them how to use all of the site’s products.
The phishing service had been active since 2021 and was responsible for the theft of at least 480,000 credit and debit card numbers, along with 64,000 PINs.
LabHost message indicates law enforcement operation struck fatal blow
The operators of the phishing service first responded to news of the law enforcement operation by claiming that it was a former developer working with competitors to sabotage the site. However, an updated message posted days later confirmed that LabHost was compromised and that the operators were bailing out, advising their customers to delete accounts and wipe their devices.
The law enforcement operation seized the site’s customer portal and Telegram bot, which it has since used to encourage clients to confess by text message or turn themselves in at a police station. Police officers have also sent customized videos to some of the site’s clients documenting when they first subscribed, the amount they’ve paid to the phishing service, and details about the specific organizations they have targeted.
The four arrests made in the UK are thought to include the ringleader and central operators of the phishing service. One of the notable findings of the law enforcement operation is that both the staff and the clients appear to include young university students who are not particularly technically skilled and have no cyber crime background. The incident highlights the relative ease with which phishing can now be conducted with prefabricated tools, something that was not the case just a few short years ago.
While no arrests were made in the United States, the Justice Department issued a statement indicating that it participated in the law enforcement operation and seized four domains that were hosted in the country.
Between the rise of similar phishing services and the availability of AI tools for functions such as generating messages in foreign languages, there has been a major spike in phishing attacks since the start of 2023. With prefabricated kits and AI, phishing is essentially accessible to anyone, without requiring any kind of specialized computer knowledge at all. As the Metropolitan Police note, this may be leading to a notable increase in teenagers and college-age individuals with no prior criminal or IT history getting caught engaging in phishing attempts as a sort of “side hustle” that they believe is anonymous.
One of the leading phishing kits of the moment is called “Greatness” and specifically targets Microsoft 365 login credentials. It operates on a model similar to LabHost, charging a $120 per month subscription for all the materials needed to target businesses including obfuscation measures that can help even inept would-be cyber criminals evade automated spam and malware detection systems. Like LabHost, it also captures certain types of 2FA codes. The service first appeared roughly a year ago.
While there are still many of these services available, Toby Lewis (Global Head of Threat Analysis at Darktrace) notes that each successful law enforcement operation of this type does chip away at the ecosystem in a real way: “The success of this operation highlights a troubling trend – attackers are increasingly shifting away from one-off, custom attacks in favour of outsourced models. This allows them to maximise their impact while minimising their own time, effort and risk. However, the takedown of LabHost demonstrates that law enforcement can fight back. Each time these criminal enterprises are disrupted, it raises the cost for the attackers – not only in having to rebuild their infrastructure, but also in needing to evolve their tactics to avoid detection in the future. This concept of increasing the attacker’s costs is crucial to our long-term strategy. We must continue to innovate to make it increasingly difficult and expensive for cybercriminals to operate. Only by raising the bar will we be able to stay ahead of these sophisticated, profit-driven threats targeting everyday internet users.”
Dr Ilia Kolochenko, CEO at ImmuniWeb, notes that these newcomers to cybercrime are often unaware of the severity of the laws they are breaking, and that educational campaigns might also make a difference: “Modern cybercrime is an incredibly profitable business, while risks of being apprehended – for experienced and well-organized gangs – verge on zero. Eventually, cyber gangs are actively recruiting the youth, namely IT and cybersecurity students, who are happy to make some extra money without much effort. Most of the newbies do not even realize that they break the law, as their tasks may be pretty innocent, such as designing websites or mobile applications. Some gangs go as far as hiring students on behalf of non-existent penetration testing companies and asking their new ‘employees’ to find vulnerabilities on ‘clients’’ websites. Worse, duped students are arrested and prosecuted, while cybercrime moguls remain unpunished and continue multiplying their fortunes and hiring new instrumental evildoers. Law enforcement agencies and government should urgently consider investing in educational and awareness campaigns among all students to prevent cybercrime: arrests and criminal prosecution merely treat the symptom, while the disease is swiftly proliferating, making more and more victims.”
Malachi Walker, Security Advisor at DomainTools, notes some specific points of vulnerability in these groups: “This takedown likely impacts the low-capability crimeware affiliates the most, so while organizations in the financial sector should be encouraged, they should still be vigilant and engage in standard best practices to protect their organization. The 37 arrests, including the original developer, can likely be attributed to the law enforcement operation being cited as taking place over the year. The longer history a threat actor has, the more likely their operational security has failed or will fail at some point. Those footholds can shut entire cybercrime organizations down, and they’re often based on seemingly innocuous domain registration and hosting decisions. Both of which are incredibly common among those launching phishing campaigns.”