CyberSecurity SEE

SheByte PaaS Introduces $199 Subscription Service for Cybercriminals

The closure of LabHost, a well-known phishing-as-a-service (PhaaS) platform, resulted in a significant shift in cyber threats targeting Canadian financial institutions. LabHost was particularly infamous for its Interac-branded phishing kits, which accounted for about three-fourths of phishing attempts. In the months after its shutdown, phishing attacks against Canadian banks decreased notably.

Despite the anticipated sharp decline in phishing activities, a new player, SheByte, emerged on the scene. Officially launched in mid-June 2024, SheByte quickly gained traction as the preferred platform for cybercriminals who previously relied on LabHost. The service began teasing its features on Telegram in May and had already made an impact by June, representing 8% of Interac-branded phishing attacks during its initial launch phase.

SheByte differentiated itself with its bold marketing strategy, reminiscent of LabHost’s tactics. The platform claimed to be operated by a single developer, addressing concerns about operational security that had arisen after key members of other services were arrested. SheByte boasted features such as no data logging and end-to-end encryption of stolen information, aiming to provide a safer haven for cybercriminals.

Offering a premium subscription package for $199 per month, with discounts for longer subscription periods, SheByte allowed unlimited phishing attacks using all provided kits. By March 2025, SheByte expanded its offerings to include customizable phishing pages targeting not only Canadian banks but also US banks, email providers, telecom companies, toll roads, and crypto services. The platform’s LiveRAT admin dashboard, similar to LabHost’s successful LabRAT tool, enabled real-time monitoring and manipulation of phishing site visitors.

While SheByte experienced a temporary decline in activity from July to October 2024, possibly due to attacks from competitors like Frappo, its phishing volume began to rise again with the introduction of new ‘v2’ phishing pages in December. According to Fortra, these updated kits, fully integrating Interac phishing by early 2025, saw a surge in activity. The ‘v2’ versions of SheByte’s Interac kits introduced more dynamic elements, allowing for greater customization and potentially enhancing the effectiveness of phishing campaigns.

From a technical standpoint, SheByte’s phishing content exhibited several indicators, including URL structure and file naming conventions that allowed for manual changes by users. Overall, SheByte has established itself as a prominent player in the PhaaS market, filling the void left by LabHost and swiftly adapting to the evolving needs of cybercriminals. Despite facing challenges, the platform’s strategic decisions and unique offerings suggest a lasting presence in the Canadian cyber threat landscape.

Moving forward, indicators of compromise (IOCs) such as the URL pattern for landing pages and the use of random file names provide insight into SheByte’s operations. The platform’s innovative approach and adaptability indicate that it will continue to be a significant force in the realm of cyber threats.
