A new, sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android.
Lucid's unique selling point lies in its weaponization of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms: iMessage and RCS messages travel over the data channel rather than the carrier SMS path, so the spam filtering carriers apply to SMS traffic never sees them.
"Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News.
"Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates."
Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns primarily targeting Europe, the United Kingdom, and the United States with the intent to steal credit card data and personally identifiable information (PII).

The threat actors behind the service, more importantly, have developed other PhaaS platforms such as Lighthouse and Darcula, the latter of which has been updated with the ability to clone any brand's website to produce a phishing version of it. The developer of Lucid is a threat actor codenamed LARVA-242, who is also a key figure within the XinXin group.
All three PhaaS platforms share overlaps in templates, target pools, and tactics, pointing to a flourishing underground economy in which Chinese-speaking actors use Telegram to advertise their warez on a subscription basis for profit.
Phishing campaigns relying on these services have been found to impersonate postal services, courier companies, toll payment systems, and tax refund agencies, using convincing phishing templates to deceive victims into handing over sensitive information.
The large-scale activity is powered on the backend by iPhone device farms and mobile device emulators running on Windows systems, which send hundreds of thousands of scam messages containing bogus links in a coordinated fashion. The phone numbers to be targeted are acquired through various means, including data breaches and cybercrime forums.
"For iMessage's link-clicking restrictions, they employ 'please reply with Y' techniques to establish two-way communication," PRODAFT explained. "For Google's RCS filtering, they frequently rotate sending domains/numbers to avoid pattern recognition."

"For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification."
Besides offering automation tools that simplify the creation of customizable phishing websites, the pages themselves incorporate anti-detection and evasion techniques such as IP blocking, user-agent filtering, and time-limited single-use URLs. The practical effect for defenders is that a link forwarded to an analyst or detonated in a sandbox after the victim has opened it, or from a source IP or browser the kit does not expect, serves benign content, so after-the-fact URL analysis alone is unreliable against these kits.
Lucid also supports monitoring victim activity and recording every interaction with the phishing links in real time via a panel, allowing its customers to extract the information victims enter. Credit card details submitted by victims are subjected to additional verification steps. The panel is built on the open-source Webman PHP framework.
"The Lucid PhaaS panel has revealed a highly organized and interconnected ecosystem of phishing-as-a-service platforms operated by Chinese-speaking threat actors, primarily under the XinXin group," the company said.
"The XinXin group develops and uses these tools and profits from selling stolen credit card information while actively monitoring and supporting the development of similar PhaaS services."

It is worth noting that the findings from PRODAFT mirror those of Palo Alto Networks Unit 42, which recently called out unspecified threat actors for using the domain pattern "com-" to register over 10,000 domains for propagating various SMS phishing scams via Apple iMessage. The pattern works because a hostname such as a brand name followed by "com-" and further text reads as "brand.com" on a phone screen, while the registrable domain is actually the attacker's.
The development comes as Barracuda warned of a "massive spike" in PhaaS attacks in early 2025 involving Tycoon 2FA, EvilProxy, and Sneaky 2FA, with the three services accounting for 89%, 8%, and 3% of all PhaaS incidents, respectively.
"Phishing emails are the gateway for many attacks, from credential theft to financial fraud, ransomware, and more," Barracuda security researcher Deerendra Prasad said. "The platforms that power phishing-as-a-service are increasingly complex and evasive, making phishing attacks both harder for traditional security tools to detect and more powerful in terms of the damage they can do."
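As an added example (not code from PRODAFT, Unit 42, or the Lucid operators), the following Python script shows how a defender might triage message bodies for the "com-" lookalike pattern Unit 42 described. The sample messages are constructed for illustration, and the check itself, flagging any hostname label other than the top-level domain that begins with "com-", is an assumption about how the pattern appears in practice rather than Unit 42's own detection logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample smishing texts for illustration; these are not messages
# from the PRODAFT or Unit 42 reports.
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered. Confirm your address: "
    "https://usps.com-redelivery-update.top/confirm",
    "Toll notice: you have an unpaid balance of $6.99. Pay now at "
    "https://com-tollroads.xyz/pay?id=48213",
    "HMRC: your tax refund is ready to claim https://www.gov.uk/tax-refund",
    "DHL: track your shipment http://www.dhl.com/en/express/tracking.html",
]

# Matches http(s) URLs up to the first whitespace or quoting character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL embedded in a message body."""
    return URL_RE.findall(text)


def is_com_dash_lookalike(url):
    """True if any hostname label except the TLD starts with 'com-'.

    'usps.com-redelivery-update.top' reads as 'usps.com' on a phone screen,
    but the registrable domain is 'com-redelivery-update.top'. This heuristic
    is an assumption based on Unit 42's description of the pattern.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return False
    return any(label.startswith("com-") for label in labels[:-1])


def scan_messages(messages):
    """Return (url, hostname, flagged) for every URL found in the messages."""
    findings = []
    for body in messages:
        for url in extract_urls(body):
            host = urlsplit(url).hostname or ""
            findings.append((url, host, is_com_dash_lookalike(url)))
    return findings


if __name__ == "__main__":
    for url, host, flagged in scan_messages(SAMPLE_MESSAGES):
        print(("FLAG " if flagged else "ok   ") + host + "  " + url)
```

The check is deliberately narrow: it catches only the one registration pattern Unit 42 reported and will produce false positives for legitimate domains that happen to begin with "com-", so in production it belongs alongside domain-age and registrar checks rather than as a standalone verdict. Operators who rotate sending domains, as PRODAFT describes, will also move to other patterns once this one is widely blocked.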