A recent investigation has unveiled a sophisticated phishing-as-a-service (PhaaS) platform named Lucid, which is reportedly targeting 169 entities across 88 countries. The modus operandi involves smishing—phishing via SMS—leveraging Apple iMessage and Rich Communication Services (RCS) on Android devices. This approach enables cybercriminals to exploit legitimate communication channels, effectively bypassing conventional SMS detection systems.
According to a technical report from the Swiss cybersecurity firm PRODAFT, Lucid’s subscription-based model allows for large-scale phishing campaigns aimed at harvesting credit card information for illicit financial gain. The ability to utilize established messaging platforms enhances the success rate of these attacks, making it harder for traditional security mechanisms to identify and mitigate them.
Lucid’s campaigns primarily focus on targets in Europe, the United States, and the United Kingdom. The platform is suspected to be operated by a Chinese-speaking hacking group known as XinXin (or Black Technology), specializing in the theft of sensitive data such as credit card credentials and personally identifiable information (PII).
The operators of Lucid have also been linked to other PhaaS platforms, including Lighthouse and Darcula, the latter of which has advanced phishing capabilities allowing for the cloning of legitimate websites. The individual behind Lucid is identified as LARVA-242, a notable figure within the XinXin group, indicating a more extensive and organized network of cybercriminal activities.
This ecosystem of phishing services utilizes various templates and targeting strategies, indicating a thriving underground economy where Chinese-speaking actors market their services through platforms like Telegram. Phishing campaigns facilitated by these services have been found to impersonate recognizable entities, such as postal services, courier companies, and tax agencies, using convincing tactics to deceive victims into revealing personal data.
Data breaches and purchases from cybercriminal forums supply the phone numbers targeted in these operations, enabling the mass distribution of fraudulent messages. iMessage-related phishing relies on establishing two-way communication by prompting the recipient to reply (iMessage keeps links from unknown senders inactive until the recipient responds), while RCS abuse capitalizes on inconsistencies in carrier sender verification.
Additionally, the infrastructure supporting Lucid is reportedly powered by iPhone device farms and mobile emulators operating on Windows, allowing attackers to deploy hundreds of thousands of malicious messages simultaneously. Enhanced automation tools simplify the creation of phishing websites, which incorporate advanced evasion techniques like IP blocking and time-limited URLs, further complicating detection efforts.
The panel utilized by Lucid offers real-time monitoring of victim interactions, enabling attackers to capture sensitive information as it is entered. The information gathered, particularly credit card details, undergoes additional scrutiny, showcasing the operational sophistication of these platforms.
These findings coincide with alerts from cybersecurity organizations such as Palo Alto Networks, which have noted a significant uptick in PhaaS-related activity and emphasize the need for vigilance among businesses. Researchers warn that phishing messages serve as gateways to a wide range of cyber threats, from credential theft to ransomware, reflecting the evolving complexity of phishing tactics that makes detection increasingly difficult for conventional security tools.