Incognito May 2024 — Phishing Service LabHost Taken Down
Laura Martisiute
Welcome to the May 2024 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
- Phishing. Some potentially positive news?
- Recommended reads, including “Another Delay – Google Third-Party Cookies to Stay Until 2025.”
- Q&A: Is there any way to keep my address private?
One of the largest phishing-as-a-service platforms was taken down by law enforcement last month.
That’s good news for anyone who’s seen an uptick in phishing attacks lately.
The bad news? There are plenty of other platforms out there. Add gen AI into the mix, and phishing isn’t going away anytime soon.
“Stay Safe and Good Spamming”
That’s what LabHost, a phishing-as-a-service (PhaaS) platform, wished criminals at the end of a video tutorial on how to use its site for phishing.
PhaaS: A business model where skilled criminals rent phishing tools and knowledge to other (usually less-skilled) criminals.
Taken down by law enforcement last month, LabHost gave criminals the ability to customize phishing and smishing (SMS phishing) pages and imitate banks and other organizations (like DHL and Shopify). In case users ran into any issues, there was even customer service support.
LabHost’s biggest selling point was an integrated campaign management tool called LabRat that let criminals monitor the success of their phishing campaigns in real time. LabRat also helped hackers capture credentials and two-factor authentication codes.
Since its launch in 2021, LabHost made more than $1 million from membership fees alone (the average monthly subscription cost was $249), and the authorities found more than 1 million passwords, 480,000 bank card numbers, and 64,000 PIN numbers on LabHost’s infrastructure.
LabHost Gone, Many More Remain
From “Caffeine” (with an “intuitive” interface and a relatively low price tag) to “Greatness” (which focuses primarily on phishing scams that impersonate Microsoft), there’s no shortage of PhaaS platforms.
And while some target businesses, others, like “Darcula” (known for being able to bypass SMS firewalls that classify malicious texts as such), are explicitly designed to trick consumers.
Don’t Forget Generative AI
Wannabe phishers don’t even need to speak their target’s language anymore – they can ask generative AI to write a customized message in whatever language they want.
We can already see gen AI’s impact on phishing scams.
The linguistic complexity of emails has increased by 17% since ChatGPT was released and emails have also gotten longer and more realistic looking.
Not Just Text-Based
Phishing emails, texts, and social media messages remain popular, but criminals are increasingly experimenting with voice phishing, too.
As detailed on the LastPass blog, a criminal used an audio deepfake of LastPass CEO Karim Toubba to bombard a LastPass employee with texts, calls, and at least one voicemail message that sounded like it came from Toubba.
Luckily, the employee realized it was a phishing attempt.
Brand Impersonations to Watch Out for
Criminals love to impersonate brands in their phishing attacks.
Every quarter, the cybersecurity company Check Point releases a list of the most impersonated brands in phishing attacks.
Can you guess what the most impersonated brand was in Q1 2024?
If you said Microsoft, you’re correct.
The multinational computer tech company appeared in 38% of phishing attacks spotted by Check Point in the first three months of 2024.
Other brands criminals have favored so far this year include the following:
2. Google
3. LinkedIn
4. Apple
5. DHL
6. Amazon
7. Facebook
8. Roblox
9. Wells Fargo
10. Airbnb
Do: Keep an eye on these reports, as the brands that are most impersonated do change. For example, in Q3 2023, the top impersonated brand was not Microsoft (as you might expect) but Walmart.
How to Avoid Phishing Scams
Phishing scams are evolving, but the best way to avoid them is still the same.
Don’t click on any suspicious links, don’t respond to unexpected emails, and use multi-factor authentication (preferably a physical security key).
Stay on top of phishing trends. Three you may not be aware of:
- QR code attacks (aka “quishing”) are becoming more common.
- Criminals are targeting individuals through several communication channels, for example, sending a phishing email after a fake phone call (here’s how this plays out in real life).
- Malware attachments are decreasing in popularity compared to malicious links, quishing, and “payloadless” social engineering (which tricks you into sharing information without any attachment at all).
We’d Love to Hear Your Privacy Stories, Advice and Requests
Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward?
Don’t keep them private!
We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.
I’m also keen to hear any feedback you have about this newsletter.
Recommended Reads
Our recent favorites to keep you up to date in today’s digital privacy landscape.
House Passed Fourth Amendment Is Not for Sale Act
Originally introduced in the Senate in 2021 by Senator Ron Wyden, the Fourth Amendment Is Not for Sale Act passed the U.S. House of Representatives. If made into law, the bill would require government agencies to get a warrant before buying data from third parties. The White House opposes the bill, fearing it will negatively impact the intelligence community.
AT&T Says 73M Customers’ Personal Information Compromised
AT&T has notified 73 million former and current customers that their personal data, including Social Security numbers and account information, was stolen. The stolen data seems to be from a 2019 breach. The leak appears to have first been discovered in 2021 when hackers said they’d put up AT&T customers’ data for sale. The data was found on the dark web in March 2024.
Another Delay – Google Third-Party Cookies to Stay Until 2025
Google has delayed its shift away from third-party cookies for the third time. This time, it’s to address feedback and regulatory reviews, primarily from the UK’s Competition and Markets Authority (CMA). Regulators want to be sure Google’s new tools are not anti-competitive. The CMA needs time to review the results of industry tests, which will be available by the end of June.
US Wireless Carriers Get FCC Fine for Illegal Location Sharing
The Federal Communications Commission fined four major US wireless carriers (T-Mobile, AT&T, Verizon, and Sprint) almost $200 million for illegally sharing access to their customers’ real-time location information. The information was shared, without customers’ consent, with “aggregators,” who then shared it again with third-party location-based service providers.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: How can I request to delete the personal information that organizations hold about me?
A: If you live in the US, you technically only have the right to ask organizations to delete your personal information if you live in a state with a consumer data privacy protection law.
That said, it never hurts to ask – some companies honor deletion requests regardless of where you live.
Even if you’re unable to ask an organization to delete your data, you can, depending on the data in question and who holds it, at least request to see and correct it.
For example, the Privacy Act of 1974 lets you ask federal agencies to see and amend records they hold about you (we went into greater detail about this in our last issue of Incognito); the Health Insurance Portability and Accountability Act lets you access your medical records held by healthcare providers; and the Family Educational Rights and Privacy Act lets parents and students see and amend their educational records.
Q: Is there any way to keep my address private?
A: Keep it private completely? Probably not – especially if you own a place.
But you can reduce how many times your address is linked to your name and how often it appears when someone looks up your name.
The first thing you should do is try to remove your address from wherever it appears online. You can follow our guide on how to do that.
Then, avoid giving out your address to prevent it from leaking again.
Get a UPS or PO box address that you can share with anyone who asks for your address instead of your real address.
You might have to share your real address in some instances, like when you’re getting your driver’s license or opening up an account with a bank, though some people have reported still being able to use a UPS address in these cases (bank, driver’s license).
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.