Prodaft researchers spotted a new phishing-as-a-service (PhaaS) platform called Lucid that targets 169 entities across 88 countries. Operated by a Chinese cybercriminal group known as XinXin, Lucid has been active since mid-2023 and is gaining traction due to its ability to send highly convincing phishing messages through iMessage (on iOS devices) and Rich Communication Services (RCS) (on Android devices).
Lucid operates on a subscription-based model, offering other cybercriminals access to over 1,000 phishing domains, auto-generated phishing websites, and professional-grade spamming tools. The service is marketed through a Telegram channel with around 2,000 members, where licenses are sold on a weekly basis.
Unlike traditional SMS-based phishing attacks, Lucid delivers its phishing messages over encrypted communication channels, iMessage (for iOS devices) and RCS (for Android devices), which are more difficult for traditional spam filters to detect and block.
Lucid uses an automated system to deliver phishing messages. The messages typically contain SMS-based lures that lead victims to fake landing pages. The phishing sites are designed to mimic legitimate government and private-sector organizations, including well-known entities like USPS, DHL, Amazon, FedEx, HSBC, and various toll/parking services. The goal is to steal sensitive personal and financial information, such as names, email addresses, physical addresses, and credit card details.
To maintain large-scale operations, Lucid utilizes massive device farms, consisting of both iOS and Android devices. On iOS, attackers create temporary Apple IDs to send iMessages, while for RCS, they exploit vulnerabilities in the sender validation systems used by certain mobile carriers. This allows the attackers to send high volumes of phishing messages using a distributed and resilient infrastructure, making it harder to trace and shut down the operations.
One of the notable features of Lucid is its built-in credit card validation tool, which allows attackers to verify stolen credit card information. If the credit card details are valid, the attackers either sell them to other criminals or use the information for fraudulent activities themselves.
Lucid is capable of sending up to 100,000 smishing (SMS phishing) messages per day, thanks to its use of iMessage and RCS, which are cheaper than traditional SMS. This cost-effective model enables cybercriminals to carry out large-scale phishing campaigns without incurring high expenses.