Phishing-as-a-service (PaaS) platforms like Lucid have emerged as significant cyber threats because they are highly sophisticated, have been used in large-scale phishing campaigns in 88 countries, and have been compromised by 169 entities. As part of this platform, sophisticated social engineering tactics are employed to deliver misleading messages to recipients, utilising iMessage (iOS) and RCS (Android) so that they are duped into divulging sensitive data.
In general, telecom providers can minimize SMS-based phishing, or smishing, by scanning and blocking suspicious messages before they reach their intended recipients. However, with the development of internet-based messaging services such as iMessage (iOS) and RCS (Android), phishing prevention has become increasingly challenging.
There is an end-to-end encryption process used on these platforms, unlike traditional cellular networks, that prevents service providers from being able to detect or filter malicious content.
Using this encryption, the Lucid PhaaS platform has been delivering phishing links directly to victims, evading detection and allowing for a significant increase in attack effectiveness.
To trick victims into clicking fraudulent links, Lucid orchestrates phishing campaigns designed to mimic urgent messages from trusted organizations such as postal services, tax agencies, and financial institutions. As a result, the victims are tricked into clicking fraudulent links, which redirect them to carefully crafted fake websites impersonating genuine platforms, causing them to be deceived.
Through Lucid, phishing links are distributed throughout the world that direct victims to a fraudulent landing page that mimics official government agencies and well-known private companies. A deceptive site impersonating several entities, for example, USPS, DHL, Royal Mail, FedEx, Revolut, Amazon, American Express, HSBC, E-ZPass, SunPass, and Transport for London, creates a false appearance of legitimacy as a result.
It is the primary objective of phishing websites to obtain sensitive personal and financial information, such as full names, email addresses, residential addresses, and credit card information, by using phishing websites. This scam is made more effective by the fact that Lucid’s platform offers a built-in tool for validating credit cards, which allows cybercriminals to test stolen credit card information in real-time, thereby enhancing the effectiveness of the scam.
By offering an automated and highly sophisticated phishing infrastructure that has been designed to reduce the barrier to entry for cybercriminals, Lucid drastically lowers the barrier to entry for cybercriminals. Valid payment information can either be sold on underground markets or used directly to make fraudulent transactions. Through the use of its streamlined services, attackers have access to scalable and reliable platforms for conducting large-scale phishing campaigns, which makes fraudulent activities easier and more efficient.
With the combination of highly convincing templates, resilient infrastructure, and automated tools, malicious actors have a higher chance of succeeding. It is therefore recommended that users take precautionary measures when receiving messages asking them to click on embedded links or provide personal information to mitigate risks.
Rather than engaging with unsolicited requests, individuals are advised to check the official website of their service provider and verify if they have any pending alerts, invoices, or account notifications through legitimate channels to avoid engaging with such unsolicited requests. Cybercriminals have become more adept at sending hundreds of thousands of phishing messages in the past year by utilizing iPhone device farms and emulating iPhone devices on Windows systems. These factors have contributed to the scale and efficiency of these operations.
As Lucid's operators take advantage of these adaptive techniques to bypass security filters relating to authentication, they are able to originate targeted phone numbers from data breaches and cybercrime forums, thus further increasing the reach of these scams.
A method of establishing two-way communication with an attacker via iMessage can be accomplished using temporary Apple IDs with falsified display names in combination with a method called "please reply with Y". In doing so, attackers circumvent Apple's link-clicking constraints by creating fake Apple IDs.
It has been found that the attackers are exploiting inconsistencies in carrier sender verification and rotating sending domains and phone numbers to evade detection by the carrier.
Furthermore, Lucid's platform provides automated tools for creating customized phishing sites that are designed with advanced evasion mechanisms, such as IP blocking, user-agent filtering, and single-use cookie-limited URLs, in addition to facilitating large-scale phishing attacks.
It also provides real-time monitoring of victim interaction via a dedicated panel that is constructed on a PHP framework called Webman, which allows attackers to track user activity and extract information that is submitted, including credit card numbers, that are then verified further before the attacker can exploit them.
There are several sophisticated tactics Lucid’s operators utilize to enhance the success of these attacks, including highly customizable phishing templates that mimic the branding and design of the companies they are targeting. They also have geotargeting capabilities, so attacks can be tailored based on where the recipient is located for increased credibility. The links used in phishing attempts can not be analyzed by cybersecurity experts if they expire after an attack because they expire.
Using automated mobile farms that can execute large-scale phishing campaigns with minimal human intervention, Lucid can bypass conventional security measures without any human intervention, which makes Lucid an ever-present threat to individuals and organizations worldwide. As phishing techniques evolve, Lucid's capabilities demonstrate how sophisticated cybercrime is becoming, presenting a significant challenge to cybersecurity professionals worldwide.
It has been since mid-2023 that Lucid was controlled by the Xin Xin Group, a Chinese cybercriminal organization that operates it through subscription-based models. Using the model, threat actors can subscribe to an extensive collection of phishing tools that includes over 1,000 phishing domains, customized phishing websites that are dynamically generated, as well as spamming utilities of professional quality.
This platform is not only able to automate many aspects of cyberattacks, but it is also a powerful tool in the hands of malicious actors, since it greatly increases both the efficiency and scalability of their attacks.
To spread fraudulent messages to unsuspecting recipients, the Xin Xin Group utilizes various smishing services to disseminate them as genuine messages. In many cases, these messages refer to unpaid tolls, shipping charges, or tax declarations, creating an urgent sense of urgency for users to respond. In light of this, the sheer volume of messages that are sent makes these campaigns very effective, since they help to significantly increase the odds that the victims will be taken in by the scam, due to the sheer volume of messages sent out.
The Lucid strategy, in contrast to targeted phishing operations that focus on a particular individual, aims to gather large amounts of data, so that large databases of phone numbers can be created and then exploited in large numbers at a later date. By using this approach, it is evident that Chinese-speaking cybercriminals have become an increasingly significant force within the global underground economy, reinforcing their influence within the phishing ecosystem as a whole.
As a result of the research conducted by Prodaft, the PhaaS platform Lucid has been linked to Darcula v3, suggesting a complex network of cybercriminal activities that are linked to Lucid. The fact that these two platforms are possibly affiliated indicates that there is a very high degree of coordination and resource sharing within the underground cybercrime ecosystem, thereby intensifying the threat to the public.
There is no question, that the rapid development of these platforms has been accompanied by wide-ranging threats exploiting security vulnerabilities, bypassing traditional defences, and deceiving even the most circumspect users, underscoring the urgent need for proactive cybersecurity strategies and enhanced threat intelligence strategies on a global scale to mitigate these risks.
Despite Lucid and similar Phishing-as-a-Service platforms continuing to evolve, they demonstrate how sophisticated cyber threats have become.
To combat cybercrime, one must be vigilant, take proactive measures, and work together as a global community to combat this rapid proliferation of illicit networks.
Having strong detection capabilities within organizations is necessary, while individuals must remain cautious of unsolicited emails as well as verify information from official sources directly as they see fit. To prevent falling victim to these increasingly deceptive attacks that are evolving rapidly, one must stay informed, cautious, and security-conscious.
