
A new wave of attacks called Lucid is targeting iOS and Android SMS

Overview

A Phishing-as-a-Service (PhaaS) platform named Lucid is targeting victims in over 88 countries worldwide, including Viettel Post in Vietnam. Its operators deliver phishing messages over iMessage (iOS) and RCS (Android). With 129 active versions and over 1,000 registered domains, Lucid is considered one of the prominent PhaaS platforms, alongside Darcula (covered in Darcula PhaaS v3, the new phishing platform of cybercriminals) and Lighthouse. The platform has been operated by Chinese cybercriminals known as XinXin since the summer of 2023; the same group also uses the Darcula V3 platform to conduct attacks.

Details about Lucid

Based on the various phishing services XinXin operates, researchers believe that seemingly legitimate messages are sent to random users. Attackers obtain phone numbers through data theft, OSINT techniques, or purchases on the black market. For iMessage, they create temporary Apple IDs with impersonated display names; for RCS on Android, they exploit inconsistencies in how sender verification is implemented. iMessage and RCS were chosen because, unlike traditional SMS, they carry no per-message cost, which keeps the operation cheap.

The messages are themed around toll fees, shipping fees, and tax payments, and the links they contain are single-use (one-time) URLs, a technique that complicates later analysis. They are sent in large volumes and do not target any specific group or individual.

When a victim clicks the link in the message, they are redirected to a landing page that mimics a legitimate website. The purpose of this fake page is to steal credit card details, full names, email addresses, and home addresses. The attacker designs the phishing content in the platform's dashboard, which offers several settings for evading detection, such as whitelisting the IP addresses allowed to access the page, requiring user authentication, and more.

Each click on the link is recorded in real time in the access-log interface. The attacker can monitor the access time, the device used, the phishing domain visited, and the information the victim entered. All of the victim's information is collected in a data table like the sample below.

The platform also provides a function to verify stolen credit cards, and valid cards are then sold or used for other fraudulent purposes.

The campaign is run at large scale, either with dozens of virtual phones running simultaneously on a single device or with dedicated phone farms. Each phone is used for a different campaign, as shown in an image shared by the perpetrators themselves.

Recommendations

With criminals using a growing range of platforms to scale up scams and phishing, users need to understand how these attacks work in order to avoid them. FPT Threat Intelligence provides the following recommendations:

  • Be cautious of messages and emails from untrusted or unknown senders.

  • Carefully check links and avoid clicking on unfamiliar links or providing personal information.

  • Users should remain calm and careful when dealing with messages or emails that appear urgent or require immediate action.
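The lure themes, throwaway sender identities and lookalike links described above map directly onto checks that a defender can automate on a mail or messaging gateway, or in a reporting workflow. The following is an added example written for this post, not tooling from FPT Threat Intelligence, Prodaft or the Lucid operators: a small triage scorer run over constructed sample messages. The brand-to-domain allowlist, keyword lists, public-suffix subset, score threshold and the sample messages are all assumptions made up for the example.

```python
"""Heuristic triage of suspected smishing texts sent over iMessage, RCS or SMS.

Added illustration; every list and sample below is constructed, not taken from
the Lucid report or any real feed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist: brand name as it appears in text -> legitimate registrable domains.
BRAND_DOMAINS = {
    "viettel post": {"viettelpost.com.vn"},
    "usps": {"usps.com"},
    "e-zpass": {"e-zpassny.com"},
}
ALL_LEGIT = set().union(*BRAND_DOMAINS.values())
# Lure themes the report describes: toll fees, shipping fees and tax payments.
LURE_THEMES = {
    "toll": ("toll", "road charge"),
    "shipping": ("package", "parcel", "delivery fee", "shipping fee", "redelivery"),
    "tax": ("tax", "refund", "revenue"),
}
URGENCY_CUES = ("immediately", "within 24 hours", "today", "final notice", "suspended")
PAYMENT_CUES = ("pay", "fee", "payment")
MULTI_PART_SUFFIXES = {"com.vn", "co.uk", "com.au"}  # tiny constructed subset of the public suffix list
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (eTLD+1) using the suffix subset above."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as an 'i' swapped for an 'l'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True when the brand label is embedded in another domain or is within two edits of it."""
    if domain == legit:
        return False
    a, b = domain.split(".")[0], legit.split(".")[0]
    return b in a or levenshtein(a, b) <= 2


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    domains: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # threshold is an arbitrary choice for this example


def triage_message(text: str, sender: str) -> Verdict:
    v = Verdict()
    low = text.lower()
    # A throwaway Apple ID shows up as an e-mail-style sender rather than a phone number.
    if "@" in sender:
        v.score += 1
        v.reasons.append("email-style sender (throwaway Apple ID pattern)")
    for theme, words in LURE_THEMES.items():
        if any(w in low for w in words):
            v.score += 1
            v.reasons.append(f"lure theme: {theme}")
            break
    if any(c in low for c in URGENCY_CUES):
        v.score += 1
        v.reasons.append("urgency cue")
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        host = urlparse(raw if "://" in raw else "http://" + raw).hostname or ""
        dom = registrable_domain(host)
        v.domains.append(dom)
        for brand, legit in BRAND_DOMAINS.items():
            if brand in low and dom not in legit:       # brand named, link goes elsewhere
                v.score += 2
                v.reasons.append(f"mentions {brand} but links to {dom}")
            if any(is_lookalike(dom, d) for d in legit):
                v.score += 2
                v.reasons.append(f"{dom} imitates a {brand} domain")
        if dom not in ALL_LEGIT and any(c in low for c in PAYMENT_CUES):
            v.score += 1
            v.reasons.append(f"payment requested via unknown domain {dom}")
    return v


# Constructed sample messages: (sender, text). Domains here are invented.
SAMPLES = [
    ("notice-8831@icloud.com",
     "Viettel Post: your parcel is held pending a 12,000 VND shipping fee. "
     "Pay within 24 hours at https://viettelpost-vn.top/pay or it will be returned."),
    ("+84123456789",
     "Viettel Post: your order VP-0042 has been delivered. Track at https://viettelpost.com.vn/track"),
    ("+15550102",
     "Final notice: unpaid toll of $6.99. Pay today at ezdrive-pay.info to avoid a $50 fee."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        v = triage_message(text, sender)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} score={v.score} {v.reasons}")
```

The third sample shows why the domain check matters: a toll lure that never names a brand slips past the brand-mismatch and lookalike rules and is caught only because it asks for payment through a domain outside the allowlist. In production the allowlist would come from a maintained public suffix list and a brand register rather than the constants above.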

References

  • Lucid | Prodaft

  • Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks


FPT IS Security