A phishing-as-a-service (PhaaS) platform named "Lucid" has targeted 169 entities in 88 countries using well-crafted messages sent over iMessage (iOS) and RCS (Android).
Lucid, which has been operated by Chinese cybercriminals known as the "XinXin group" since mid-2023, is sold to other threat actors through a subscription-based model that gives them access to more than 1,000 phishing domains, automatically generated and tailor-made phishing sites, and pro-grade spamming tools.
Prodaft researchers note that XinXin also used the Darcula v3 platform for its operations, which indicates a potential connection between the two PhaaS platforms.
Lucid subscriptions are sold via a dedicated Telegram channel (2,000 members), and customers are granted access through licenses issued on a weekly basis.
Massive phishing operation
The threat group claims to send 100,000 smishing messages daily via Rich Communication Services (RCS) or Apple iMessage, both of which are end-to-end encrypted, allowing the messages to evade carrier spam filters.
"The platform uses an automated attack delivery mechanism, deploying customizable phishing websites distributed mainly via SMS lures," Prodaft explains.
"To improve efficiency, Lucid uses Apple iMessage and Android technology, bypassing traditional SMS spam filters and considerably increasing delivery and success rates."
Besides evading filters, using these channels also makes the operation cheaper, since sending SMS at comparable volumes incurs significant costs.
Lucid operators use large farms of iOS and Android devices to send the messages. For iMessage, Lucid uses temporary Apple IDs. For RCS, the threat actors exploit carrier-specific implementation flaws in sender validation.
Source: Prodaft
In a video shared by Prodaft, the threat actors can be seen running phishing campaigns from moving cars, likely to improve operational security and prevent law enforcement and mobile carriers from pinpointing their location.
The mobile phishing messages typically masquerade as shipping, tax or missed toll payment alerts, with personalized logos and branding, language matched to the target demographic, and geolocation-based filtering of victims.
Victims who click the phishing links are redirected to fake landing pages imitating government or private toll, parking and delivery services, such as USPS, DHL, Royal Mail, FedEx, Revolut, Amazon, American Express, HSBC, E-ZPass, SunPass, Transport for London, and more.
Source: Prodaft
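One way to triage lures of the kind described above is to check whether the brand a message names matches the domain it actually links to. The script below is an added example for this article, not Prodaft's tooling or anything from Lucid; the BRAND_DOMAINS allowlist, the urgency word list, the scoring weights and the sample messages are all constructed assumptions for illustration.

```python
"""Heuristic triage for SMS/RCS/iMessage lures like the ones described above.

Added example for this article; it is not Prodaft's analysis tooling nor
anything from the Lucid platform. A message that names a brand (USPS,
FedEx, E-ZPass...) but links to a domain outside that brand's known
domains, especially with urgency wording, is flagged. BRAND_DOMAINS,
URGENCY_RE, the weights and SAMPLES are constructed for illustration;
the allowlist is an assumption, not an authoritative list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist: registrable domains the impersonated brands use for
# customer-facing links. Deliberately incomplete (E-ZPass alone runs
# per-state sites); anything not listed is treated as a mismatch.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com"},
    "royalmail": {"royalmail.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "ezpass": {"e-zpassny.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours?|final notice|suspended|unpaid|overdue|will be returned)\b",
    re.I,
)
# Assumption: a tiny stand-in for the public suffix list.
MULTI_LABEL_SUFFIXES = ("co.uk", "org.uk")


def normalize(text: str) -> str:
    """Lowercase and drop hyphens/spaces so 'E-ZPass', 'ezpass' and 'Royal Mail' hit one key."""
    return re.sub(r"[\s\-]", "", text.lower())


def registrable_domain(host: str) -> str:
    """'www.fedex.com' -> 'fedex.com'; 'shop.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


@dataclass
class Finding:
    text: str
    brands: list
    domains: list
    domain_mismatch: bool
    urgency: bool
    score: int
    verdict: str


def triage(text: str) -> Finding:
    """Score one message; brand/link mismatch is the strong signal."""
    norm = normalize(text)
    brands = [b for b in BRAND_DOMAINS if b in norm]
    domains = [registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)]
    mismatch = any(d not in BRAND_DOMAINS[b] for b in brands for d in domains)
    urgency = bool(URGENCY_RE.search(text))
    # Weights are an assumption: mismatch 3, urgency wording 1, any link 1.
    score = 3 * mismatch + 1 * urgency + 1 * bool(domains)
    verdict = "phishing" if score >= 3 else "benign"
    return Finding(text, brands, domains, mismatch, urgency, score, verdict)


# Constructed sample messages (not real captures).
SAMPLES = [
    "USPS: your package is on hold due to an incomplete address. "
    "Update within 24 hours: https://usps-redelivery-notice.top/track",
    "Your FedEx delivery is scheduled for today. "
    "Track at https://www.fedex.com/fedextrack/?trknbr=123",
    "Final notice: unpaid toll balance. Pay immediately at https://ezpass-billing.pay-now.cc/",
    "Lunch at noon? Menu: https://example.com/menu",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        f = triage(msg)
        print(f"{f.verdict:9} score={f.score} brands={f.brands} domains={f.domains}")
```

The allowlist approach is the point: a lure can copy logos and wording perfectly, but it cannot put its link on the brand's real domain, so the brand-versus-domain check survives the polish that services like Lucid add to the text.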
The phishing pages are designed to steal personal and financial information, including full names, email addresses, physical addresses and credit card details.
The platform includes a built-in credit card validator so the actors can test stolen cards. Valid cards are sold to other cybercriminals or used directly for fraud.
Platforms like Lucid lower the barrier to entry for cybercrime operations and lend a certain level of quality to phishing attempts, increasing the attackers' chances of success.
Combined with extensive and resilient infrastructure, threat actors can leverage them to run massive, highly organized phishing campaigns.
If you receive a message on your device urging you to follow an embedded link or to reply, simply ignore it. Instead, log in directly to the real service and check for alerts or pending invoices.