Home » Five arrested over global phishing scam that allegedly claimed about 94,000 Australian victims

Five arrested over global phishing scam that allegedly claimed about 94,000 Australian victims

Five Australians are among 39 individuals who have been arrested in relation to an alleged global phishing scam that targeted tens of thousands of people, the Australian Federal Police said today.

Police said the scam involved 10,000 cybercriminals from around the world who used the platform LabHost to trick victims into providing their personal information, such as online banking logins, credit card details and passwords.

Among the victims were 94,000 Australians, they said.

Police arrested a man from Melbourne and a man from Adelaide, who they allege were both LabHost users, and charged them with cybercrime offences.

They also arrested three other men in Melbourne on drug offences.

Alleged offenders used ‘persistent’ phishing attacks: police

Police said they seized items as part of raids at multiple properties across Australia.(Supplied: Australian Federal Police)

AFP Acting Assistant Commissioner for Cyber Command Chris Goldsmid said the Joint Policing Cybercrime Coordination Centre had made the arrests following an international “take down of a cybercrime platform”.

“LabHost was marketed as a one-stop-shop for phishing,” he said.

“Phishing is a technique used by cybercriminals to trick victims into providing personal information… in order to commit criminal offences or steal money.

“This is often done by sending texts and emails to victims containing links to fraudulent websites impersonating well-known organisations.”

The AFP alleges LabHost was impersonating more than 170 fraudulent websites, such as “reputable banks, government entities and other major organisations, to trick unsuspecting victims into believing they were the legitimate websites”.

“When victims followed the link, cybercriminals could obtain a range of sensitive information, such as one-time pins, usernames and passwords, security questions and pass phrases,” the AFP said.

“Cybercriminals could then use victims’ personal information to access legitimate enterprises, such as financial institutions, where they could steal funds from victims’ bank accounts.”

LabHost allegedly originated in Canada, the AFP said, to initially target North America. 

It then expanded to include the United Kingdom and Ireland before going global.

Police said Australian criminals were among its three top user countries.

As part of the deal offered to users, cybercriminals would sign up to the website at the cost of $270 per month and would in return be given “phishing kits”.

Police said those kits included “the infrastructure to host phishing websites, email and text content generation and campaign overview services, enabling them to effectively exploit their victims”.

Phishing ‘a serious threat’

People, including police, gather around an open car tray viewing blurred items outside a house.

Police issued 22 search warrants across Australia.(Supplied: Australian Federal Police)

The international operation involved 200 officers from New South Wales, Victoria, Queensland, Western Australia and the AFP.

Twenty-two search warrants were executed across five states, the AFP said.

This included 14 in Victoria, two in Queensland, three in NSW, one in South Australia and two in Western Australia.

Last year, Scamwatch received 108,000 reports of phishing attacks, to the tune of $26 million.

“LabHost alone had the potential to cause $28 million in harm to the Australians through the sale of stolen Australian credentials,” Acting Assistant Commissioner Goldsmid said.

“In addition to financial losses, victims of phishing attacks are subject to ongoing security risks and criminal offending, including identity takeovers, extortion and blackmail.”

He warned those using LabHost that they should not expect to “remain anonymous”.

“We are working to identify anyone who has used this platform to target innocent victims,” he said.

The AFP urged individuals to access information online to help them spot a phishing scam, including videos available on their YouTube channel.

Victims can contact police to report the attack, or visit cyber.gov.au.