Lucid PhaaS: A Sophisticated Phishing-as-a-Service Platform

A newly discovered phishing-as-a-service (PhaaS) platform, known as Lucid, has been found to target 169 entities across 88 countries. This platform utilizes smishing messages, which are propagated through Apple iMessage and Rich Communication Services (RCS) for Android devices.

What sets Lucid apart is its ability to leverage legitimate communication platforms to evade traditional SMS-based detection mechanisms, making it a formidable tool for cybercriminals.

According to a technical report by Swiss cybersecurity company PRODAFT, Lucid’s scalable and subscription-based model enables large-scale phishing campaigns. These campaigns are designed to harvest credit card details for financial fraud.

PRODAFT noted that Lucid exploits Apple iMessage and Android’s RCS technology, effectively bypassing traditional SMS spam filters and significantly increasing delivery and success rates.

Lucid is believed to be the work of a Chinese-speaking hacking group known as the XinXin group (also referred to as Black Technology). The primary targets of these phishing campaigns are Europe, the United Kingdom, and the United States, with the intention of stealing credit card data and personally identifiable information (PII).

The threat actors behind Lucid have also developed other PhaaS platforms, including Lighthouse and Darcula. Darcula has been updated with the capability to clone any brand’s website, creating a phishing version. The developer of Lucid, codenamed LARVA-242, is a key figure in the XinXin group.

All three PhaaS platforms share overlaps in templates, target pools, and tactics, indicating a thriving underground economy. Chinese-speaking actors are leveraging Telegram to advertise their services on a subscription basis for profit-driven motives.

Phishing campaigns using these services often impersonate postal services, courier companies, toll payment systems, and tax refund agencies. They employ convincing phishing templates to deceive victims into providing sensitive information.

The large-scale activities are powered by iPhone device farms and mobile device emulators running on Windows systems. These systems send hundreds of thousands of scam messages containing bogus links in a coordinated fashion. The phone numbers to be targeted are acquired through various methods, including data breaches and cybercrime forums.

PRODAFT explained that to circumvent iMessage’s link-clicking restrictions, the attackers employ ‘please reply with Y’ techniques to establish two-way communication. For Google’s RCS filtering, they constantly rotate sending domains/numbers to avoid pattern recognition.

For iMessage, this involves creating temporary Apple IDs with impersonated display names, while RCS exploitation leverages carrier implementation inconsistencies in sender verification.
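The message-side indicators described above (an unknown sender, a lure built on a postal, courier, toll or tax-refund pretext, a link, and the 'reply with Y' prompt used to get iMessage to activate the link) can be turned into a simple triage rule for messages a user or help desk forwards for review. The following is an added example written for this summary, not PRODAFT's or Lucid's code; the sample messages, sender numbers and weights are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (sender, text); none are real captures.
SAMPLE_MESSAGES = [
    ("+15550000001", "Parcel delivery: your package could not be delivered. "
                     "Reply Y then open http://parcel-redelivery.example/abc"),
    ("+15550000002", "Toll notice: unpaid balance of $4.15. Pay now at https://toll-pay.example/x"),
    ("+15550000003", "Hey, are we still on for lunch tomorrow?"),
    ("+15550000004", "Here is the article I mentioned: https://news.example/story"),
]
KNOWN_CONTACTS = {"+15550000004"}  # constructed address-book entries

# Lure themes the report says these campaigns impersonate.
LURE_THEMES = {
    "postal": re.compile(r"\b(?:post(?:al)?|parcel|package|deliver(?:y|ed))\b", re.I),
    "courier": re.compile(r"\b(?:courier|shipment|tracking)\b", re.I),
    "toll": re.compile(r"\b(?:toll|unpaid balance)\b", re.I),
    "tax_refund": re.compile(r"\b(?:tax refund|refund of tax)\b", re.I),
}
# 'please reply with Y' prompt: the trick used to make iMessage render the link as clickable.
REPLY_PROMPT = re.compile(r"\breply\s+(?:with\s+)?['\"]?y(?:es)?['\"]?\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


@dataclass
class Verdict:
    sender: str
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(sender: str, text: str, known_contacts=KNOWN_CONTACTS) -> Verdict:
    """Score one message; weights are illustrative, not tuned thresholds."""
    v = Verdict(sender)
    if sender not in known_contacts:
        v.score += 1; v.reasons.append("unknown sender")
    if URL.search(text):
        v.score += 2; v.reasons.append("contains link")
    if REPLY_PROMPT.search(text):
        v.score += 3; v.reasons.append("reply-with-Y prompt (iMessage link activation)")
    for theme, pattern in LURE_THEMES.items():
        if pattern.search(text):
            v.score += 2; v.reasons.append(f"impersonation theme: {theme}")
    return v


def flag_messages(messages=SAMPLE_MESSAGES, threshold: int = 4) -> list:
    """Return verdicts at or above the threshold, highest score first."""
    verdicts = [triage(s, t) for s, t in messages]
    return sorted((v for v in verdicts if v.score >= threshold), key=lambda v: -v.score)
```

Run on the constructed samples, the parcel lure with the reply prompt and the toll lure are flagged, while the personal note and the link from a known contact are not.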

Besides providing automation tools for building customizable phishing websites, Lucid's pages themselves incorporate advanced anti-detection and evasion techniques, including IP blocking, user-agent filtering, and time-limited single-use URLs.

Lucid also supports real-time monitoring of victim activity: every interaction with a phishing link is recorded in a panel from which customers can extract the information victims entered. Credit card details submitted by victims are subject to additional verification steps. The panel is built on the open-source Webman PHP framework.

PRODAFT revealed that the Lucid PhaaS panel has exposed a highly organized and interconnected ecosystem of phishing-as-a-service platforms operated by Chinese-speaking threat actors, primarily under the XinXin group.

The XinXin group develops and utilizes these tools, profiting from selling stolen credit card information while actively monitoring and supporting the development of similar PhaaS services.