Security researchers have found that cybercriminals are running large device farms of iPhones and Android phones to send phishing messages to targets in 88 countries. The operation uses the 'Lucid' phishing-as-a-service (PhaaS) platform, built to deliver messages over iMessage and Rich Communication Services (RCS) chats that carry links to phishing websites. Because both services encrypt messages end to end (E2EE), carriers cannot inspect the content, so the messages slip past conventional SMS spam filters.
Lucid Platform Claims to Dispatch Over 100,000 Messages Daily
The Lucid platform delivers messages over iMessage and RCS, relying on their E2EE to achieve a higher delivery rate than traditional SMS phishing, according to a report by Prodaft. Messages sent this way are also cheaper than SMS, since no per-message carrier fees apply.
One of the alleged device farms utilized to send messages via iMessage.
Photo Credit: Prodaft
To push a large volume of messages through iMessage, Lucid runs large iOS device farms that cycle through rotating, short-lived Apple IDs. RCS messages are sent by abusing inconsistencies in how carriers implement sender verification.
The phishing messages are written to pressure recipients into tapping links that lead to phishing sites hosted across more than 1,000 attacker-owned domains. For example, some messages trick users into paying a bogus toll to avoid a fine. On iMessage, the messages often ask the recipient to reply first, because iOS keeps links unclickable in messages from senders who are not in the recipient's contacts until the recipient responds.
The phishing websites are pre-built so that the criminals can harvest sensitive data such as payment card details. The platform also includes a card-checking tool that validates stolen card data before it is used or sold.
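For defenders, the two tells described above (a lure about an unpaid toll or fee, and a "reply to activate the link" prompt that exists only to defeat iMessage's unknown-sender link blocking) are easy to turn into a triage heuristic. The following is an added example, not code from the report or from the Lucid platform: it scores constructed sample messages on a few indicators and flags those with two or more. The sample messages, the lure vocabulary and the `TRUSTED_DOMAINS` allowlist are all assumptions an analyst would adjust to their own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration (not from the Prodaft report).
# Assumed export format: (sender, body) as an analyst might pull from a device backup.
SAMPLES = [
    ("toll-notice@mail.example",
     "Final notice: your unpaid toll of $6.99 must be paid today to avoid a $50 fine. "
     "Pay at https://toll-pay-notice.example/pay  Reply Y to activate the link, "
     "then reopen this message."),
    ("+15550100",
     "Your parcel is on hold. Confirm the delivery fee at https://parcel-fee.example/confirm"),
    ("+15550199",
     "Hey, are we still on for lunch at noon?"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "Reply Y to activate the link" style prompts: a short reply token followed,
# within a few words, by a verb about enabling or opening the link.
REPLY_BAIT_RE = re.compile(
    r"\breply\s+(?:with\s+)?['\"]?[a-z0-9]{1,5}['\"]?\b.{0,40}?\b(?:activate|enable|open|unlock|link)",
    re.IGNORECASE,
)
# Lure vocabulary typical of toll/parcel smishing; substring match, so expect some noise.
LURE_TERMS = ("toll", "fine", "unpaid", "fee", "suspended", "final notice", "parcel", "on hold")

# Assumption: an analyst-maintained allowlist of registered domains (eTLD+1) that
# legitimately send payment notices. A link to any other domain counts as untrusted.
TRUSTED_DOMAINS = {"example-authority.gov"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Good enough for a triage heuristic;
    a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_message(sender: str, body: str) -> dict:
    """Score one message and return the indicators that fired plus a verdict."""
    indicators = []

    urls = URL_RE.findall(body)
    untrusted = [u for u in urls
                 if registered_domain(urlparse(u).hostname or "") not in TRUSTED_DOMAINS]
    if untrusted:
        indicators.append("untrusted_link")

    if REPLY_BAIT_RE.search(body):
        indicators.append("reply_bait")

    lower = body.lower()
    if sum(term in lower for term in LURE_TERMS) >= 2:
        indicators.append("lure_language")

    # An iMessage sent from a throwaway Apple ID arrives from an e-mail address
    # rather than a phone number. Weak on its own, so it only adds weight.
    if "@" in sender:
        indicators.append("email_sender")

    verdict = "suspicious" if len(indicators) >= 2 else "benign"
    return {"sender": sender, "urls": untrusted, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = triage_message(sender, body)
        print(f"{result['verdict']:10} {sender:28} {result['indicators']}")
```

Two design points worth noting: the allowlist is compared at the registered-domain level, so a lookalike such as `example-authority.gov.toll-pay.example` still resolves to the untrusted `toll-pay.example`; and no single indicator is decisive, because legitimate senders also use e-mail-style iMessage IDs and the word "fee", so the verdict requires two independent signals.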
According to the researchers, Lucid is operated by a Chinese-speaking group tracked as XinXin, which sells access to the platform on a weekly subscription through a Telegram channel. The same group is believed to be linked to Darcula and Lighthouse, two other platforms offering comparable PhaaS capabilities.
To guard against these schemes, users should avoid tapping links in messages from unknown senders, and should not reply to such messages just to make a link clickable. If a message seems like it might be legitimate, verify it independently: look up the organisation's official contact details rather than using anything in the message, or log in to the relevant service directly to check for any outstanding payments.