LabHost, an emerging threat actor, has been found to actively engage in phishing-as-a-service (PhaaS) campaigns, notably targeting Canadian banks. These PhaaS operations have gained traction because they offer comprehensive tools that provide branding elements from various industries, facilitate monitoring, and can bypass security measures. In the period between 2022 and 2023, such services have been instrumental in numerous cyberattacks, with Frappo leading the trend until it encountered setbacks due to prompt actions that blocked and mitigated its phishing pages. Frappo has since announced an upcoming enhancement to its platform, though it remains unreleased to the public.
Pattern Recognition and Emerging Campaigns
Subsequent phishing campaigns bore a resemblance to those of Frappo’s, with only subtle differences. Yet, certain patterns did not align with Frappo’s operations, directing suspicion toward LabHost as another significant player in the PhaaS sector. LabHost’s history can be traced back to the last quarter of 2021, shortly before Frappo began billing its users. Originally, LabHost’s services were pricier than Frappo’s, offering a sophisticated multi-branded phishing kit with comprehensive multifactor authentication phishing capabilities for select Canadian banks. The scope of their offerings expanded in mid-2022.
Service Outages and Kit Offerings
A marked increase in phishing activities coincided with the introduction of the Canadian interbank network kit, peaking in the spring and summer before experiencing a significant service outage in October. LabHost offered two distinct subscription packages: one for North American brands encompassing US and Canadian entities, and an international package excluding North American brands. The kits targeting Canadian financial institutions, telecom providers, and postal services were particularly favored by attackers.
LabHost’s arsenal includes “LabRat,” a real-time campaign management tool enabling attackers to oversee their phishing operations. December witnessed the debut of “LabSend,” an SMS-based campaign management tool designed to automate and streamline the sending of phishing links, enhancing LabHost’s capabilities by providing quick, templated responses to victim interactions.
