Researchers expose SheByte, a Phishing-as-a-Service platform targeting North American banks
- Marijan Hassan - Tech Journalist
- 3 hours ago
- 2 min read
A new report by cybersecurity firm Fortra has identified SheByte as the latest rising star in the cybercrime underground — a Phishing-as-a-Service (PhaaS) platform aggressively targeting banks, email providers, telecom firms, and more across the U.S. and Canada.
According to the research, SheByte has quickly filled the void left by LabHost, a now-defunct phishing platform seized by U.S. and European law enforcement in April 2024. Like its predecessor, SheByte operates on a subscription model and markets its credential-stealing tools via encrypted Telegram channels. The platform officially launched in June 2024 and has steadily grown in popularity among cybercriminals, despite early criticism from rival PhaaS operators.
At $199 per month, subscribers gain access to SheByte’s full suite of phishing kits, including customizable pages impersonating 17 Canadian banks and four U.S. financial institutions. These include major brands like HSBC, TD Bank, RBC, ScotiaBank, and CIBC, among others. The phishing kits replicate legitimate login pages and are designed to harvest sensitive user data such as credentials, MFA codes, and security question responses.
A standout feature of the service is LiveRAT, an administrative tool modeled after LabHost’s popular LabRAT, enabling real-time victim interaction. With it, threat actors can watch visits to phishing pages live, intercept two-factor authentication codes as they are entered, and trigger additional prompts for personal information.
SheByte also offers an anti-detection suite that allows users to block known VPNs, proxies, and virtual machines, or challenge visitors with CAPTCHAs before loading the phishing content. This level of customization and stealth has made the service particularly attractive to attackers looking to evade security filters.
Of note is SheByte’s targeted use of Interac-branded phishing pages — the hallmark of LabHost’s campaigns in Canada. Interac, the country’s top payments processor, is used by more than 300 institutions and handles over 18 million transactions daily. The addition of Interac lures, paired with an upgraded “v2” of SheByte’s phishing kits, fueled a major surge in adoption late last year.
The Fortra report adds that SheByte’s operations appear to be run by a lone developer, who has boasted about building the platform solo. Despite its modest origin, SheByte now offers a professionalized and scalable phishing toolkit, underscoring how quickly the PhaaS landscape adapts to takedowns.
As law enforcement continues to crack down on major cybercrime services, SheByte’s rise illustrates the cat-and-mouse game between authorities and a market that’s becoming more agile, decentralized, and difficult to dismantle.
