Canadian Phishing-as-a-Service Background
In the first half of 2024, the Phishing-as-a-Service scene was rocked by the shutdown of the platform LabHost after several key operating members were arrested by international law enforcement. Following the takedown in April, many of the most prominent PhaaS providers made changes in the way they marketed themselves towards threat actors, slimming down to smaller and more heavily vetted customer bases.
Based on Fortra’s visibility, LabHost’s shutdown had an immediate impact on the phishing threat landscape targeting Canadian financial institutions. LabHost had been one of the most popular providers offering a phishing kit targeting multiple Canadian banking brands through Interac-branded phishing pages and lures. The number of phishing attacks targeting Canadian banks was cut in half in the first three months following LabHost services going offline.
While the drop in Interac phishing volume was significant, it was not as dramatic a drop as predicted. In the months prior to the shutdown, LabHost had accounted for roughly three-fourths of Interac-branded phishing volume. The number of phishing attacks did not shrink to that degree as many of LabHost’s customers rushed to find alternative sources of Interac phishing content. Within this newly developing phishing landscape, Fortra only observed one threat actor advertising themselves nearly as brazenly as LabHost once did: SheByte. Though SheByte hasn’t been the largest family of phishing content targeting Canadian banks yet, it has been notable for its attempt to be seen as the obvious replacement for LabHost’s services.
SheByte Logo/Mascot seen in all materials.
SheByte Threat History & Impact
The threat actor behind SheByte officially branded their services on Telegram in May 2024, teasing their features up until the platform launched in mid-June. Phishing attacks matching SheByte’s Interac phishing kit were observed in extremely small numbers even before LabHost was shuttered, but early activity ramped up promptly when that opportunity presented itself.
SheByte initially offered many of the same features LabHost did, establishing themselves as the logical next platform for customers needing to find a new service.
SheByte has proudly claimed that the operation is run by a single developer. This is a direct response to worries surrounding PhaaS services after LabHost faced complications after individual developers were compromised. Additionally, SheByte claims to keep no logs and use complete end-to-end encryption of stolen information.
Phishing pages matching the profile of SheByte attacks rapidly became a significant portion of the Canadian phishing threat landscape. SheByte accounted for eight percent of phishing attacks leveraging Interac branding in May 2024, while the service was still being tested and in a limited launch. By the full release of the platform in June, SheByte made up 10 percent of the phishing volume.
Interac phishing attacks generated by SheByte platform, 2024-2025.
After peaking in July 2024, the volume of detected phishing attacks matching SheByte declined for four straight months. During this period SheByte faced attacks on their reputation from longtime PhaaS platform Frappo. Volume trends turned around and began to climb in December when the platform began to release their new customizable “v2” phishing pages, even though Canadian-targeted Interac pages would not be added to the page builder until early 2025.
Phishing-as-a-Service Analysis
SheByte offers a single package of premium features for $199 a month, with discounts offered for longer subscription periods. This subscription package grants the user permission to make an unlimited number of phishing attacks using every available static or customizable phishing kit. As of March 2025, customizable phishing pages are available targeting 17 Canadian banks, 4 US-based banks, email providers, telecom companies, toll road collections, and crypto services.
Monthly subscriptions offered by SheByte phishing service.
Further, these premium pages have access to the platform’s LiveRAT admin dashboard and are protected by a premium anti-detection suite. Evasion settings available in the platform allow the threat actor to block specific regions, known VPNs and proxies, and traffic from potential virtual machines. If IP blocking is not enough, multiple options for including a CAPTCHA at the beginning of the phish are available.
LiveRAT performs many of the same tasks that made LabHost’s LabRAT such a well-received scamming tool. Threat actors can monitor visits to their phish in real time in order to intercept MFA authentication codes, request additional information, or prompt victims with custom security questions.
Demonstration of live panel monitoring victim inputs.
The threat actors that migrated to SheByte from LabHost primarily utilize the multi-branded Interac kits targeting 17 Canadian banks simultaneously. A new ‘V2’ version of the Interac kit was released for SheByte’s page builder tool in February 2025, resulting in an observable surge in phishing activity targeting Canadian banks. Several ready-made templates of the Interac phishing package are available, each utilizing a different phishing lure, but SheByte’s page builder allows for further customization by the customer if required.
Interac phishing kit templates.
Indicators of SheByte Interac Content
Trait | Description |
start.php in /go/ directory | Interac landing page in now retired V1 Interac phishing kit. |
{8 randomized alphanumeric characters}.php | Landing page for V2 kits.
Default randomization is not unique for each phish. Likely randomized per template or campaign. Assumed that threat actors can change the name manually in page builder tool. |
Further randomized patterns. | V2 Files utilize random names in a similar fashion to page files. Directories use the same 8 character pattern while from receiver and live RAT files use 7 or 9 character names. |
Screenshot of Interac landing page.