(TLP:CLEAR) FBI FLASH: Phishing Domains Associated with LabHost PhaaS Platform Users

TLP:CLEAR

Author: April Zupan

Created: Thursday, May 1, 2025 - 13:14

Categories: Cybersecurity, Intelligence

Summary: The FBI has released a FLASH report to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used for cyber defense purposes. 

Analyst Note: Prior to being disabled by law enforcement in April 2024, LabHost was one of the world’s largest PhaaS providers, offering a range of illicit services to approximately 10,000 users. LabHost provided numerous phishing services to its customers, including but not limited to infrastructure configuration/support, customized phishing pages, and stolen credential management. LabHost phishing domains were configured to impersonate over 200 trusted sites, including spoofed pages for banks, online streaming platforms, government agencies, postal services, and more. WaterISAC has previously reported on incidents in which threat actors directed targeted phishing campaigns at water and wastewater utilities.

The FBI obtained these 42,000 domain names and their creation dates from the backend server of the LabHost platform. The FBI has not validated every domain name, and the list may contain typographical or similar errors from LabHost user input. The information is historical in nature, and the domains may not currently be malicious.

The FBI recommends that organizations that identify any activity related to these indicators of compromise within their networks act to mitigate or minimize the impact and prepare their environment for incident response.
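As an added illustration (not part of the FBI FLASH or the WaterISAC post), the sketch below sweeps DNS query logs against a domain list while accounting for the caveats above: malformed entries are set aside rather than matched, and hits outside the window between a domain's creation date and the April 2024 takedown are marked lower confidence. The `domain,created` CSV layout, the log format, the sample values, and the end-of-April cutoff are all assumptions constructed for this example.

```python
import csv, io, re
from datetime import date, datetime

# Constructed sample list; the "domain,created" CSV layout is an assumption.
INDICATORS_CSV = """domain,created
login-bank.example,2022-03-14
 Parcel-Track.EXAMPLE. ,2023-07-02
bad entry with spaces,2023-01-01
stream_pay..example,2023-05-05
"""
# Constructed DNS query log lines: "timestamp client qname".
DNS_LOG = """2023-08-01T10:15:00 10.0.0.5 www.parcel-track.example
2022-01-10T09:00:00 10.0.0.7 login-bank.example
2025-02-03T12:00:00 10.0.0.9 login-bank.example
2023-08-01T10:16:00 10.0.0.5 notparcel-track.example
"""
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lowercase, trim whitespace and trailing dot; None if not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253 or not all(LABEL.match(l) for l in labels):
        return None
    return name

def load_indicators(text):
    """Return ({domain: creation_date}, [rejected raw entries]) for analyst review."""
    good, rejected = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        dom = normalize(row["domain"])
        if dom is None:
            rejected.append(row["domain"])
        else:
            good[dom] = date.fromisoformat(row["created"].strip())
    return good, rejected

def sweep(log_text, indicators, takedown=date(2024, 4, 30)):  # assumed cutoff
    """Match each qname or any parent domain on a label boundary, never by substring."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        labels = (normalize(qname) or "").split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in indicators:
                day = datetime.fromisoformat(ts).date()
                in_window = indicators[cand] <= day <= takedown
                hits.append((client, cand, "review-first" if in_window else "low-confidence"))
                break
    return hits
```

Rejected entries are returned rather than silently dropped so an analyst can decide whether a typo hides a usable indicator.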

Original Source: Access the full report below.

Related WaterISAC PIRs: 6, 6.1, 10, 12
 

Attached Files:

250429.pdf
