
The phishing-as-a-service (PhaaS) offerings known as Lighthouse and
Lucid have been linked to more than 17,500 phishing domains targeting 316
brands from 74 countries.
“Phishing-as-a-Service (PhaaS) deployments have risen significantly recently,”
Netcraft said in a new report. “The PhaaS operators charge a monthly fee for
phishing software with pre-installed templates impersonating, in some cases,
hundreds of brands from countries around the world.”
Lucid was first documented by Swiss cybersecurity company PRODAFT earlier this
April, detailing the phishing kit’s ability to send smishing messages via
Apple iMessage and Rich Communication Services (RCS) for Android.
The service is assessed to be the work of a Chinese-speaking threat actor
known as the XinXin group (changqixinyun), which has also leveraged other
phishing kits like Lighthouse and Darcula in its operations. Darcula is
developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv), while
Lighthouse’s development has been linked to LARVA-241 (aka Lao Wang or Wang
Duo Yu).
The Lucid PhaaS platform enables customers to mount phishing campaigns at
scale, targeting a wide range of industries, including toll companies,
governments, postal companies, and financial institutions.
These attacks also incorporate various criteria – such as requiring a specific
mobile User-Agent, proxy country, or a fraudster-configured path – to ensure
that only the intended targets can access the phishing URLs. If a user other
than the target ends up visiting the URL, they are served a generic fake
storefront instead.
In all, Netcraft said it has detected phishing URLs targeting 164 brands based
in 63 different countries hosted through the Lucid platform. Lighthouse
phishing URLs have targeted 204 brands based in 50 different countries.
Lighthouse, like Lucid, offers template customization and real-time victim
monitoring, and boasts the ability to create phishing templates for over 200
platforms across the world, indicating significant overlaps between the two
PhaaS toolkits. Prices for Lighthouse range from $88 for a week to $1,588 for
a yearly subscription.
“While Lighthouse operates independently of the XinXin group, its alignment
with Lucid in terms of infrastructure and targeting patterns highlights the
broader trend of collaboration and innovation within the PhaaS ecosystem,”
PRODAFT noted back in April.
Phishing campaigns using Lighthouse have used URLs impersonating the Albanian
postal service Posta Shqiptare, while serving the same fake shopping site to
non-targets, suggesting a potential link between Lucid and Lighthouse.
“Lucid and Lighthouse are examples of how fast the growth and evolution of
these platforms can occur and how difficult they can sometimes be to disrupt,”
Netcraft researcher Harry Everett said.
The development comes as the London-based company revealed that phishing
attacks are moving away from communication channels like Telegram to transit
stolen data, painting a picture of a platform that’s no longer likely to be
considered a safe haven for cybercriminals.
In its place, threat actors are returning to email as a channel for harvesting
stolen credentials, with Netcraft seeing a 25% increase in a span of a month.
Cybercriminals have also been found to use services like EmailJS to harvest
login details and two-factor authentication (2FA) codes from victims,
eliminating the need for hosting their own infrastructure altogether.
“This resurgence is partly due to the federated nature of email, which makes
takedowns harder,” security researcher Penn Mackintosh said. “Each address or
SMTP relay must be reported individually, unlike centralized platforms like
Discord or Telegram. And it’s also about convenience. Creating a throwaway
email address remains quick, anonymous, and virtually free.”
The findings also follow the emergence of new lookalike domains using the
Japanese Hiragana character “ん” to pass off fake website URLs as almost
identical to their legitimate ones in what’s called a homoglyph attack. No
less than 600 bogus domains employing this technique have been identified in
attacks aimed at cryptocurrency users, with the earliest recorded use dating
back to November 25, 2024.
These pages impersonate legitimate browser extensions on the Chrome Web Store,
deceiving unsuspecting users into installing fake wallet apps for Phantom,
Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust that
are designed to capture system information or harvest seed phrases, giving the
attackers full control over their wallets.
“At a quick glance, it is intended to look like a forward slash ‘/’,” Netcraft
said. “And when it’s dropped into a domain name, it’s easy to see how it can
be convincing. That tiny swap is enough to make a phishing site domain look
real, which is the goal of threat actors trying to steal logins and personal
information or distribute malware.”
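The homoglyph trick described above works because a hurried reader stops parsing at the fake “/” and takes everything before it as the domain, while DNS resolves the punycode form of the whole label. The following Python script is an added example, not code from Netcraft or from the report: it decodes a hostname to Unicode, flags non-ASCII characters (with U+3093 ん, the character named in the report, treated as a slash lookalike), and contrasts the domain a reader would perceive with the domain that is actually registrable. The sample hostnames are constructed, the extra lookalike code points beyond ん are my own assumption, and the registrable-domain heuristic (last two labels) is a deliberate simplification; a production check would consult the Public Suffix List.

```python
"""Flag hostnames whose characters mimic a URL path separator (added example)."""
import unicodedata

# U+3093 HIRAGANA LETTER N is the character reported by Netcraft. The other two
# entries are assumed additions: code points that also render like a slash.
SLASH_LOOKALIKES = {
    "\u3093",  # HIRAGANA LETTER N (from the report)
    "\u2215",  # DIVISION SLASH (assumed lookalike)
    "\u2044",  # FRACTION SLASH (assumed lookalike)
}


def to_unicode(host: str) -> str:
    """Return the Unicode form of a hostname, decoding punycode (xn--) labels."""
    if host.isascii() and "xn--" in host.lower():
        return host.encode("ascii").decode("idna")
    return host


def to_ascii(host: str) -> str:
    """Return the IDNA ASCII (punycode) form, which is what DNS actually resolves."""
    return to_unicode(host).encode("idna").decode("ascii")


def analyze_hostname(host: str) -> dict:
    """Describe how a hostname reads to a human versus how it resolves."""
    uni = to_unicode(host)
    non_ascii = [c for c in uni if not c.isascii()]
    lookalikes = [c for c in non_ascii if c in SLASH_LOOKALIKES]

    # What a reader perceives as the domain: everything before the first fake "/".
    perceived = uni
    for c in lookalikes:
        perceived = perceived.split(c, 1)[0]

    # Naive registrable-domain heuristic (assumption: last two labels).
    labels = uni.rstrip(".").split(".")
    registrable = ".".join(labels[-2:])

    return {
        "input": host,
        "unicode": uni,
        "ascii": to_ascii(host),
        "non_ascii": [
            f"{c} (U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')})" for c in non_ascii
        ],
        "slash_lookalikes": lookalikes,
        "perceived_domain": perceived,
        "registrable_domain": registrable,
        # Any non-ASCII character deserves review; a slash lookalike is a strong signal.
        "suspicious": bool(non_ascii),
    }


if __name__ == "__main__":
    # Constructed sample hostnames; these are not domains from the report.
    samples = [
        "chromewebstore.google.com",
        "wallet-extension.com\u3093chromewebstore.example",
    ]
    for h in samples:
        r = analyze_hostname(h)
        print(f"{r['input']!r}")
        print(f"  resolves as      : {r['ascii']}")
        print(f"  reader perceives : {r['perceived_domain']}")
        print(f"  registrable      : {r['registrable_domain']}")
        print(f"  non-ASCII chars  : {r['non_ascii'] or 'none'}")
        print(f"  suspicious       : {r['suspicious']}")
```

Run over a list of hostnames extracted from mail or proxy logs, the `perceived_domain` / `registrable_domain` mismatch is the field worth alerting on: a hostname whose perceived domain is a known brand but whose registrable domain is something else is exactly the pattern the report describes.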
In recent months, scams have also exploited the brand identities of American
firms like Delta Airlines, AMC Theatres, Universal Studios, and Epic Records
to enroll people in schemes that offer a way to earn money by completing a
series of tasks, such as operating as a flight booking agent.
The catch here is that in order to do so, would-be victims are asked to
deposit at least $100 worth of cryptocurrency to their accounts, allowing the
threat actors to make illicit profits.
The task scam “illustrates how opportunistic actors are weaponizing API-driven
brand-impersonation templates to scale financially motivated fraud across
multiple verticals,” Netcraft researcher Rob Duncan said.