'Lucid' Phishing-as-a-Service Exploits Faults in iMessage, Android RCS

Summary:
Lucid is a high-impact, sophisticated Phishing-as-a-Service (PhAAS) platform operated by Chinese-speaking threat actors. It targets a broad global footprint, 169 entities across 88 countries, and ranks alongside Darcula and Lighthouse among the most prominent PhAAS platforms, with 129 active instances and more than 1,000 registered domains. Its subscription model supports large-scale campaigns whose main objective is harvesting payment card data for financial fraud. Attack delivery is automated: subscribers choose customizable phishing-site templates and push lures to victims, primarily as text messages. Rather than plain SMS, Lucid sends the lures over Apple iMessage and Android RCS, which sit outside the carrier SMS path and therefore bypass SMS spam filters, raising delivery rates and Lucid's overall success rate.
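The lures described above are text messages, so the first detection opportunity is the message itself, before anyone taps a link. The following is an added example, not code from the Prodaft report or from the Lucid platform: a small triage scorer that flags the brand themes Lucid's templates mimic (postal, delivery, toll, tax), urgency wording, and links whose domain does not belong to the brand the message names. The sample messages, the brand-to-legitimate-domain map and the scoring weights are constructed for illustration; the .example TLD is reserved by RFC 2606 and resolves nowhere.

```python
"""Triage text-message lures of the kind Lucid subscribers send.

Added example, not code from the Prodaft report or the Lucid platform. The
sample messages, the brand-to-legitimate-domain map and the scoring weights
are constructed for illustration; the .example TLD is reserved (RFC 2606).
"""
import re
from urllib.parse import urlsplit

# Illustrative allow-list: brands the templates impersonate and the domains
# those brands actually use. A real deployment would load this from brand
# protection data rather than hard-code it.
LEGIT_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "irs": {"irs.gov"},
}

# Template families attributed to the XinXin group: postal, delivery, toll, tax.
LURE_THEMES = {
    "postal": r"\b(usps|royal mail|post office|postal|package|parcel)\b",
    "delivery": r"\b(fedex|ups|dhl|delivery|courier|redeliver\w*)\b",
    "toll": r"\b(toll|e-?zpass|fastrak|sunpass|turnpike)\b",
    "tax": r"\b(irs|hmrc|tax refund|tax agency|refund)\b",
}
URGENCY_RE = re.compile(
    r"\b(within \d+ hours?|on hold|suspended|final notice|immediately|avoid (a |the )?(fine|penalty|fee))\b"
)
# Accepts defanged (hxxp) as well as live URLs so analyst notes can be fed in.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for .com/.gov/.example; use the
    Public Suffix List in production to handle co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(text: str) -> dict:
    """Return a score, the findings behind it and a verdict for one message."""
    lowered = text.lower()
    score, findings = 0, []

    themes = [name for name, pat in LURE_THEMES.items() if re.search(pat, lowered)]
    if themes:
        score += 1
        findings.append("theme:" + ",".join(themes))
    if URGENCY_RE.search(lowered):
        score += 1
        findings.append("urgency")

    all_legit = set().union(*LEGIT_DOMAINS.values())
    for raw in URL_RE.findall(text):
        url = re.sub(r"^hxxp", "http", raw, flags=re.I)
        host = (urlsplit(url).hostname or "").lower()
        domain = registrable_domain(host)
        for brand, legit in LEGIT_DOMAINS.items():
            # Brand named in the message, but the link leaves the brand's domains.
            if re.search(rf"\b{brand}\b", lowered) and domain not in legit:
                score += 2
                findings.append(f"brand-mismatch:{brand}->{domain}")
            # Brand used as a hostname label under a domain the brand does not own.
            if re.search(rf"(^|[.-]){brand}([.-]|$)", host) and domain not in legit:
                score += 2
                findings.append(f"lookalike-host:{host}")
        # A themed lure whose link goes to no known brand domain is the common case.
        if themes and domain not in all_legit:
            score += 2
            findings.append(f"link-outside-known-brands:{domain}")

    verdict = "likely smishing" if score >= 4 else "suspicious" if score >= 2 else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed messages: three lures in the postal, toll and tax families, one
# legitimate notification and one unrelated text.
SAMPLES = [
    "USPS: Your package is on hold due to an incomplete address. Update it within 24 hours at hxxps://usps.delivery-notice.example/track",
    "Toll Services: your account has an outstanding balance. Pay now to avoid a penalty: hxxps://ezpass-tollpay.example/bill",
    "IRS: you qualify for a tax refund of $1,240. Claim it immediately: hxxp://irs-refund-claim.example",
    "Your USPS package was delivered. Track it at https://tools.usps.com/go/TrackConfirmAction",
    "Dinner at 7 tonight? Let me know if you need a ride.",
]


def triage(messages):
    """Score each message; returns a list of verdicts in input order."""
    return [score_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLES:
        result = score_message(msg)
        print(f"{result['verdict']:16} score={result['score']} {result['findings']}")
```

The weights deliberately favour recall: a brand keyword plus a link outside that brand's domains is enough to escalate, because that combination is the whole design of the postal, toll and tax templates, while a genuine carrier notification that links to the carrier's own domain stays low.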

The platform includes anti-detection and evasion features meant to keep the malicious sites alive longer, including IP blocking and user-agent filtering, so that scanners, crawlers and desktop analysts are served something other than the lure. It also ships a built-in card generator that lets operators validate and exploit stolen payment data quickly. Lucid is linked to the group tracked as Black Technology or XinXin and has been active since 2023; what began as a locally focused operation has expanded substantially, and its impact is expected to surge further by early 2025, making it a major source of SMS-based phishing (smishing). Like Lighthouse and Darcula, Lucid uses a shared management panel, which indicates coordinated campaigns run by many subscribers from rented servers. Analysis shows the US has been heavily targeted, along with many other countries and organizations, and subscribers can tailor campaigns to a specific country or organization. The XinXin group sells phishing templates that mimic postal services, delivery companies, toll systems and tax agencies, together with automation tooling that simplifies phishing-site creation and enables large-scale attacks with minimal effort.
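The IP blocking and user-agent filtering described above matter to responders because a reported URL checked from a cloud sandbox with a desktop browser profile will often look clean. The following is an added example, not code from the Prodaft report or the Lucid kit: `kit_gate` is a constructed stand-in for the kit's server-side gate (serve the card form only to mobile browsers outside known scanner ranges), and `probe` is the reusable part, which fetches the URL from several vantage points and reports whether the responses differ. The CIDR ranges, user-agent strings, page bodies and vantage names are illustrative; to use `probe` for real, pass a fetch callable with the same signature that wraps an HTTP client and egresses through the chosen network.

```python
"""Check a reported lure URL for IP- and user-agent-gated cloaking.

Added example, not code from the Prodaft report or the Lucid kit. `kit_gate`
is a constructed model of the kit's gate; the CIDRs, user-agent strings and
page bodies are illustrative. `probe` is the reusable part: give it any fetch
callable with the same signature (url, headers, source_ip) -> (status, body).
"""
import hashlib
import ipaddress
from typing import Callable, Dict, Tuple

# Constructed: ranges the modelled kit treats as scanner/cloud space.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MOBILE_TOKENS = ("iPhone", "Android", "Mobile")
LURE_PAGE = "<html><form>Enter card number, expiry and CVV to release your parcel</form></html>"
DECOY_PAGE = "<html><h1>404 Not Found</h1></html>"

FetchFn = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def kit_gate(url: str, headers: Dict[str, str], source_ip: str) -> Tuple[int, str]:
    """Model of the kit's gate. Anything that does not look like a phone, or
    that arrives from a blocked range, receives a harmless decoy page."""
    ua = headers.get("User-Agent", "")
    if not any(tok in ua for tok in MOBILE_TOKENS):
        return 404, DECOY_PAGE
    if any(ipaddress.ip_address(source_ip) in net for net in BLOCKED_NETS):
        return 404, DECOY_PAGE
    return 200, LURE_PAGE


# Constructed vantage points: a typical URL scanner, the same cloud egress with
# a phone user-agent, and a phone user-agent from a residential-looking address.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"
VANTAGES = {
    "desktop-cloud": ({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) scanner/1.0"}, "203.0.113.10"),
    "mobile-cloud": ({"User-Agent": IPHONE_UA}, "203.0.113.10"),
    "mobile-residential": ({"User-Agent": IPHONE_UA}, "192.0.2.77"),
}


def probe(url: str, fetch: FetchFn, vantages=VANTAGES) -> Dict:
    """Fetch the URL from each vantage and compare what comes back. Differing
    bodies across vantages mean the site is gating on something we varied."""
    per_vantage = {}
    for name, (headers, ip) in vantages.items():
        status, body = fetch(url, headers, ip)
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        per_vantage[name] = {
            "status": status,
            "sha256": digest,
            "has_card_form": "card" in body.lower(),
        }
    distinct_bodies = {v["sha256"] for v in per_vantage.values()}
    return {
        "url": url,
        "cloaked": len(distinct_bodies) > 1,
        "lure_seen_from": [n for n, v in per_vantage.items() if v["has_card_form"]],
        "per_vantage": per_vantage,
    }


if __name__ == "__main__":
    report = probe("https://usps.delivery-notice.example/track", kit_gate)
    print("cloaked:", report["cloaked"], "lure visible from:", report["lure_seen_from"])
```

When only the mobile-plus-residential vantage sees the card form, a "benign" verdict from a cloud URL scanner should not be trusted; the check needs a phone user-agent and an egress address the kit does not classify as datacenter space.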

Security Officer Comments:
The emergence and operational scale of Lucid underscore the escalating threat that Phishing-as-a-Service platforms pose in the cybercriminal ecosystem. Its use of iMessage and RCS to get around carrier SMS filtering shows how quickly phishing tactics evolve and explains the rise in smishing campaigns. Lucid's global reach, with targets across a wide range of countries, points to the potential for widespread financial damage. The built-in card generator further streamlines monetization of stolen data, making Lucid a particularly efficient tool for financial cybercrime. The availability of such capable, rentable platforms calls for a proactive, multi-layered defense: detection that accounts for mobile messaging channels and for landing pages that hide from scanners, together with user education on evolving phishing techniques. Each new PhAAS platform of this caliber adds to the challenge for security teams and highlights the need for constant adaptation.

Suggested Corrections:
Lucid's lures arrive as text messages over iMessage and RCS rather than as email, so controls and awareness training that assume email-borne phishing will miss them. Personnel who use personal or corporate mobile devices for work are exposed, and a single harvested card can be validated and monetized almost immediately. End users should adhere to the following recommendations:
  • Treat unexpected messages about parcels, deliveries, tolls, or tax refunds as suspect, whatever channel they arrive on (SMS, iMessage, RCS, or email).
  • Do not tap links in messages from unknown senders; open the organization's official app or type its known web address yourself instead.
  • Do not reply to such messages, even with "STOP": a reply confirms the number is live, and in iMessage it re-enables links that were disabled for an unknown sender.
  • Never supply card numbers, passwords, or personal information through a link received in a message; postal, toll, and tax agencies do not collect payment this way by text.
  • Check the sender and the link's domain carefully; lookalike domains that embed a brand name are the norm for these kits.
  • Keep mobile operating systems updated, enable carrier or platform spam filtering where available, and protect endpoints with antivirus, anti-spam, and anti-spyware software.
  • Report smishing to security or IT staff immediately; many carriers also accept forwarded spam texts at 7726 (SPAM).
Security teams should additionally monitor for newly registered domains that impersonate their brand and, when a lure is reported, inspect the landing page with a mobile user-agent from a non-datacenter address, since the kit filters by IP and user-agent and will serve scanners a decoy.
Link(s):
https://www.darkreading.com/threat-intelligence/lucid-phishing-exploits-imessage-android-rcs

https://catalyst.prodaft.com/public/report/lucid/overview