LabHost: A defunct but potent phishing service | Intel 471

Apr 16, 2025
Background

One of the primary enablers of fraud, account takeover (ATO) and network intrusions is the collection of personal, financial and credential information from unsuspecting victims in phishing attacks. Attackers co-opt the trust placed in brand-name websites by creating nearly perfect copies of those sites to trick people into entering sensitive information. Although phishing sites are often blocked by service providers once reported, the speed at which pages can be deployed and at which malicious links can be distributed in email and short message service (SMS) campaigns makes these attacks difficult to counter.

The sharp increase in the volume of phishing attacks is due in part to tools that make it trivial for less-skilled cybercriminals to take part. Phishing-as-a-service, or PhaaS, has made running phishing campaigns as easy as using any other cloud-based marketing service. PhaaS has arguably transformed the phishing landscape, which is moving from static, self-managed tool sets to fully managed, subscription-based operations. PhaaS providers handle all technical and logistical aspects, offering a seamless, end-to-end solution that enables even novices to conduct sophisticated phishing campaigns.

One of these services, LabHost aka Lab Rat, promoted itself as a “one-stop shop for phishing” that was created by spammers for spammers. The service had as many as 10,000 customers and is estimated to have defrauded 1 million victims in 91 countries and caused losses of more than 100 million pounds (about US $132 million), according to the U.K.’s Crown Prosecution Service (CPS). Authorities estimate the phishing attacks netted at least 480,000 payment card numbers, 64,000 PINs and more than 1 million passwords for online services.

Several LabHost domains were taken offline April 17, 2024, as part of an international enforcement action involving 19 countries. The law enforcement action was taken after collaboration with several technology and security companies, including Intel 471, Chainalysis, Microsoft, The Shadowserver Foundation and Trend Micro. Intel 471 had been tracking LabHost since it was advertised on multiple instant messaging channels, including ICQ-based shops and Telegram groups, in about September 2021 by a threat actor going by the moniker Mr Smart | THE LAB 🇨🇦. 

U.K. prosecutors alleged LabHost’s main operator was Zak Coyne, 24, who was charged. Coyne was arrested April 14, 2024, at Manchester Airport and his devices were seized. Police said Coyne received US $230,000 in cryptocurrency for designing and maintaining LabHost, and those funds were transferred between different cryptocurrency accounts before being exchanged into cash and his personal bank account.

Zak Coyne is escorted to a police van at Manchester Airport after being arrested on April 14, 2024. (Source: U.K. Metropolitan Police)

Coyne pleaded guilty to making or supplying articles for use in fraud, encouraging or assisting the commission of an offense and transferring criminal property. On April 14, 2025, the CPS announced Coyne had been sentenced in Manchester Minshull Street Crown Court to 8 1/2 years in prison.

Domains affiliated with the LabHost phishing service site were seized about April 17, 2024.

The widespread use of LabHost could be attributed to its ease of use and the quality of its phishing pages. LabHost offered an end-to-end phishing platform, with a dashboard by which customers could manage campaigns.

LabHost’s dashboard.

When LabHost launched, customers could enroll in the “Standard” plan for US $179 per month or the “Premium” plan for US $249 per month. The main difference was the number of accessible phishing pages: the Standard plan provided access to 13 pages, while the Premium plan also provided access to pages marked “Premium Only.” At that time the phishing pages offered included those for Costco Wholesale Corp. and Netflix. Other pages focused on Canadian banks, including Bank of Montreal (BMO), Bank of Nova Scotia (Scotiabank) and Royal Bank of Canada (RBC). The service later added a World Membership tier at US $300 per month, which offered more than 70 phishing pages for organizations in more than 25 countries.

To deploy the phishing pages, LabHost customers needed to set up one virtual private server (VPS) per phishing page. The VPS would be linked to LabHost’s platform by entering the IP address, username and password and choosing the server’s operating system (OS). Once the server was linked, the LabHost phishing page could be uploaded. Each interaction with the phishing page was registered and was available from a control panel. Customers could set certain parameters, such as blocking access from mobile devices, enabling or disabling antibot use and determining the country where the phishing pages could be accessed. Phishing pages were available specifically for viewing on mobile devices for campaigns launched using SMS spam. According to PhishLabs, LabHost launched a new service to track SMS campaigns called LabSend. It allowed for automated SMS campaigns that could also randomize the text in the spam messages to avoid being blocked by carriers.

This screenshot depicts the platform's dashboard where a VPS could be linked to a LabHost phishing page.

The phishing pages could capture personally identifiable information (PII) such as full names, addresses, phone numbers, dates of birth (DOBs), social insurance numbers (SINs), driver’s license numbers and payment card information. LabHost customers could tick a box in a panel to create an extra field on a phishing page to request more information, such as a person’s mother’s maiden name and driver’s license number.

A control panel allowing for extra fields to be added to a phishing page to request more information.

LabHost’s service contained features to overcome multifactor authentication (MFA), which is often employed to add a layer of protection to accounts. A tool called LabRat, described in Trend Micro’s analysis, used adversary-in-the-middle (AITM) techniques. In an AITM attack, the phishing page relays the victim’s login credentials and MFA code to the legitimate service in real time; the service then sends back a session cookie or token so the person stays logged in to their account. That token is intercepted by the phishing toolkit’s reverse proxy and can be used to access the person’s account without login credentials or an MFA code for as long as the session token is valid.

The LabHost law enforcement operation, which spanned more than two years, resulted in the arrests of 37 people in the U.K., including Coyne. U.K. police said a “significant number” of LabHost’s customers were university students or young people who would likely move on to “perfectly legitimate careers.” In an effort to deter future offending, police sent messages to 800 identified LabHost customers warning that “we’ve been collecting your data the whole time.” U.K. authorities estimated 70,000 people in the U.K. were affected by the attacks. By April 18, 2024, police had reached out to 25,000 people to inform them their data had been compromised.

A collection of electronic devices authorities seized as part of the investigation into the LabHost phishing service. (Source: U.K. Metropolitan Police)

Conclusion

Phishing remains a pervasive threat to everyone from consumers to large organizations. The personal and credential data harvested by phishing campaigns is often offered for sale to other cybercriminals in underground markets. The demise of LabHost was a positive development, but it was just one of many cybercrime-as-a-service phishing offerings. Major ones include Naked Pages, Greatness, Caffeine Store and EvilProxy, while other threat actors have modified open source projects including Evilginx and Modlishka. Intel 471 tracks these developments closely, along with the threat actors behind them and the trade in stolen credentials in the underground.

Since 2022, the AITM landscape has evolved significantly, driven by the growing number of PhaaS providers and by adversaries’ relentless development of techniques to bypass security measures and protect their malicious infrastructure. This commodification of AITM capabilities lowers the barrier for less skilled cybercriminals, amplifying the scale and impact of phishing operations. The wide range of adversaries — from ransomware affiliates to business email compromise (BEC) scammers and even targeted attacks linked with actors operating within the intrusion cluster known as TheCom — is evidence of a dynamic environment where threat actors adapt and innovate tactics to achieve their goals. The proliferation of PhaaS programs underscores the need for organizations to adapt their cybersecurity strategies, consider ways of differentiating a legitimate session from a hijacked one and harden the MFA process. To thwart phishing, organizations should implement mitigation strategies such as those described in MITRE’s Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND):

Harden

Security keys: Hardware-based authentication is one of the strongest forms of authentication. Also, sites and services that implement authentication centered around the FIDO2/Web Authentication (WebAuthn) specifications, which are based on cryptography, offer high phishing resistance.

MFA: Although threat actors are effective at circumventing MFA, it still provides a useful layer of security that can delay an actor gaining access to a network. However, these temporary passcodes can be phished as easily as login credentials. Also, attacks such as subscriber identity module (SIM) swapping or hijacking can allow adversaries to commandeer someone’s phone number to receive MFA codes sent by SMS.

User account permissions: Maintaining a minimal permissions list affords defense in depth, meaning only a select few credentials will provide meaningful access without privilege escalation.
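To show concretely why FIDO2/WebAuthn resists the adversary-in-the-middle flow described earlier, here is an added relying-party check (example code written for this article, not Intel 471’s or any vendor’s): the browser writes the origin it is actually talking to into clientDataJSON, and the authenticator signs over that and over a hash of the relying-party ID, so an assertion collected on a proxy domain fails validation even when the challenge is correct. The relying-party ID, origins and challenge are constructed placeholders, and signature verification is assumed to happen separately.

```python
import base64
import hashlib
import json

# Constructed placeholders for the relying party (RP) performing the check.
RP_ID = "login.example-bank.test"
ALLOWED_ORIGINS = {"https://login.example-bank.test"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces for an assertion made on `origin`.
    The browser, not the page's script, fills in `origin`, which is what defeats a proxy."""
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(body).encode())


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes, expected_challenge: bytes):
    """RP-side checks that give the assertion its phishing resistance. Verifying the signature
    over authenticator_data || sha256(clientDataJSON) is assumed to follow and is omitted here."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    # The first 32 bytes of authenticatorData are sha256(rpId). A page on another domain
    # cannot ask the authenticator to sign for this rpId, so a proxy never gets this far.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


# Constructed inputs: a fixed challenge (real RPs use a fresh random value per ceremony) and
# authenticatorData = rpIdHash | flags (UP+UV = 0x05) | 4-byte signature counter.
CHALLENGE = bytes(range(32))
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
LEGIT = make_client_data("https://login.example-bank.test", CHALLENGE)
PROXIED = make_client_data("https://login.example-bank.test.proxy-host.example", CHALLENGE)
```

In practice a proxy on another domain can only request an assertion for its own rpId, so the ceremony fails in the browser before the relying party sees anything; the origin check is the server-side backstop.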

Detect

URL analysis: Scrutinize URLs to ensure they are legitimate and, if uncertain, pass them to the security team for further analysis.

User behavior analysis: Establishing a baseline for user behavior allows security teams to identify irregular activity on accounts, such as logins from abnormal locations.
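Building on the session-token interception described in the LabRat section and on the two detection items above, here is an added example (written for this article, not Intel 471 tooling) that runs two checks over constructed authentication log events: a login from a country outside the user’s baseline, and a session token presented from a different IP address or user agent than the client it was issued to, which is what a replayed AITM session looks like at the legitimate service. The event fields and the upstream GeoIP enrichment are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int           # seconds since epoch
    user: str
    session_id: str   # identifier of the session cookie/token (log a hash, never the raw token)
    src_ip: str
    user_agent: str
    country: str      # assumed: GeoIP enrichment done upstream of this check
    kind: str         # "login" (token issued) or "request" (token presented)


# Constructed sample log: alice behaves normally; bob's session is issued to one client
# and later presented by another; carol presents a token this log never saw issued.
EVENTS = [
    AuthEvent(100, "alice", "s1", "203.0.113.10", "Firefox/125", "CA", "login"),
    AuthEvent(160, "alice", "s1", "203.0.113.10", "Firefox/125", "CA", "request"),
    AuthEvent(500, "bob", "s2", "198.51.100.7", "Chrome/124", "NL", "login"),
    AuthEvent(530, "bob", "s2", "198.51.100.7", "Chrome/124", "NL", "request"),
    AuthEvent(900, "bob", "s2", "192.0.2.44", "curl/8.5", "RU", "request"),
    AuthEvent(950, "carol", "s9", "192.0.2.99", "Chrome/124", "CA", "request"),
]

# Constructed per-user baseline: countries seen in prior successful logins.
BASELINE = {"alice": {"CA"}, "bob": {"CA", "US"}}


def session_alerts(events, baseline):
    """Return (user, alert_type, detail) tuples for two AITM-related anomalies:
    a login from outside the user's baseline countries, and a session token
    presented from a client (IP or user agent) other than the one it was issued to."""
    issued = {}   # session_id -> the login event that created the session
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            issued[e.session_id] = e
            if e.country not in baseline.get(e.user, set()):
                alerts.append((e.user, "login_outside_baseline", e.country))
            continue
        origin = issued.get(e.session_id)
        if origin is None:
            alerts.append((e.user, "unissued_session", e.session_id))
        elif e.src_ip != origin.src_ip or e.user_agent != origin.user_agent:
            alerts.append((e.user, "session_client_mismatch",
                           f"{origin.src_ip}/{origin.user_agent} -> {e.src_ip}/{e.user_agent}"))
    return alerts
```

IP and user-agent changes also happen legitimately (mobile networks, browser updates), so these are risk signals for scoring or step-up authentication rather than standalone block decisions.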

Prevent

User awareness: Train users to identify phishing pages, looking for signs of irregularities and raising issues with information technology (IT) departments if there are any doubts.

 
