Canadian Phishing-as-a-Service Background
The Phishing-as-a-Service scene was rocked by the shutdown of the platform LabHost after several key operating members were arrested by international law enforcement. Following the takedown back in April 2024, many of the most prominent PhaaS providers made changes in the way they marketed themselves towards threat actors, slimming down to smaller and more heavily vetted customer bases.
Based on Fortra’s visibility, LabHost’s shutdown had an immediate impact on the phishing threat landscape targeting Canadian financial institutions. LabHost had been one of the most popular providers offering a phishing kit targeting multiple Canadian banking brands through Interac-branded phishing pages and lures. The number of phishing attacks targeting Canadian banks was cut in half in the first three months following LabHost services going offline.
While the drop in Interac phishing volume was significant, it was not as dramatic a drop as predicted. In the months prior to the shutdown, LabHost had accounted for roughly three-fourths of Interac-branded phishing volume. The number of phishing attacks did not shrink to that degree as many of LabHost’s customers rushed to find alternative sources of Interac phishing content. Within this newly developing phishing landscape, Fortra only observed one threat actor advertising themselves nearly as brazenly as LabHost once did: SheByte. Though SheByte hasn’t been the largest family of phishing content targeting Canadian banks yet, it has been notable for its attempt to be seen as the obvious replacement for LabHost’s services.
SheByte Threat History & Impact
The threat actor behind SheByte officially branded their services on Telegram in May 2024, teasing their features up until the platform launched in mid-June. Phishing attacks matching SheByte’s Interac phishing kit were observed in extremely small numbers even before LabHost was shuttered, but early activity ramped up promptly when that opportunity presented itself.
SheByte initially offered many of the same features LabHost did, establishing themselves as the logical next platform for customers needing to find a new service.
SheByte has proudly claimed that the operation is run by a single developer. This is a direct response to worries surrounding PhaaS services after LabHost faced complications after individual developers were compromised. Additionally, SheByte claims to keep no logs and use complete end-to-end encryption of stolen information.
Phishing pages matching the profile of SheByte attacks rapidly became a significant portion of the Canadian phishing threat landscape. SheByte accounted for eight percent of phishing attacks leveraging Interac branding in May 2024, while the service was still being tested and in a limited launch. By the full release of the platform in June, SheByte made up 10 percent of the phishing volume.
After peaking in July 2024, the volume of detected phishing attacks matching SheByte declined for four straight months. During this period SheByte faced attacks on their reputation from longtime PhaaS platform Frappo. Volume trends turned around and began to climb in December when the platform began to release their new customizable “v2” phishing pages, even though Canadian-targeted Interac pages would not be added to the page builder until early 2025.
In their blog article, Fortra’s team takes a deep dive into the Phishing-as-a-Service Analysis. If the topic got caught you interest, read the full article here.
_______
If this information is helpful to you, read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query.
Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.
Follow us to learn more
CONTACT US
Let’s walk through the journey of digital transformation together.
