The phishing-as-a-service (PhaaS) providing referred to as Lighthouse and Lucid has been linked to greater than 17,500 phishing domains concentrating on 316 manufacturers from 74 nations.
“Phishing-as-a-Service (PhaaS) deployments have risen considerably not too long ago,” Netcraft stated in a brand new report. “The PhaaS operators cost a month-to-month charge for phishing software program with pre-installed templates impersonating, in some instances, a whole bunch of manufacturers from nations all over the world.”
Lucid was first documented by Swiss cybersecurity firm PRODAFT earlier this April, detailing the phishing package’s potential to ship smishing messages by way of Apple iMessage and Wealthy Communication Companies (RCS) for Android.
The service is assessed to be the work of a Chinese language-speaking menace actor referred to as the XinXin group (changqixinyun), which has additionally leveraged different phishing kits like Lighthouse and Darcula in its operations. Darcula is developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv), whereas Lighthouse’s improvement has been linked to LARVA-241 (aka Lao Wang or Wang Duo Yu).
The Lucid PhaaS platform permits clients to mount phishing campaigns at scale, concentrating on a variety of industries, together with toll corporations, governments, postal corporations, and monetary establishments.
These assaults additionally incorporate varied standards – comparable to requiring a particular cell Consumer-Agent, proxy nation, or a fraudster-configured path – to make sure that solely the meant targets can entry the phishing URLs. If a consumer aside from the goal finally ends up visiting the URL, they’re served a generic pretend storefront as an alternative.
In all, Netcraft stated it has detected phishing URLs concentrating on 164 manufacturers primarily based in 63 totally different nations hosted by means of the Lucid platform. Lighthouse phishing URLs have focused 204 manufacturers primarily based in 50 totally different nations.
Lighthouse, like Lucid, affords template customization and real-time sufferer monitoring, and boasts the power to create phishing templates for over 200 platforms the world over, indicating important overlaps between the 2 PhaaS toolkits. Costs for Lighthouse vary from $88 for per week to $1,588 for a yearly subscription.
“Whereas Lighthouse operates independently of the XinXin group, its alignment with Lucid by way of infrastructure and concentrating on patterns highlights the broader pattern of collaboration and innovation inside the PhaaS ecosystem,” PRODAFT famous again in April.
Phishing campaigns utilizing Lighthouse have used URLs impersonating the Albanian postal service Posta Shqiptare, whereas serving the identical pretend procuring web site to non-targets, suggesting a possible hyperlink between Lucid and Lighthouse.
“Lucid and Lighthouse are examples of how briskly the expansion and evolution of those platforms can happen and the way troublesome they will typically be to disrupt,” Netcraft researcher Harry Everett stated.
The event comes because the London-based firm revealed that phishing assaults are shifting away from communication channels like Telegram to transit stolen information, portray an image of a platform that is now not prone to be thought-about a protected haven for cybercriminals.
As a substitute, menace actors are returning to e mail as a channel for harvesting stolen credentials, with Netcraft seeing a 25% improve in a span of a month. Cybercriminals have additionally been discovered to make use of providers like EmailJS to reap login particulars and two-factor authentication (2FA) codes from victims, eliminating the necessity for internet hosting their very own infrastructure altogether.
“This resurgence is partly because of the federated nature of e mail, which makes takedowns tougher,” safety researcher Penn Waterproof coat stated. “Every handle or SMTP relay should be reported individually, not like centralized platforms like Discord or Telegram. And it is also about comfort. Making a throwaway e mail handle stays fast, nameless, and nearly free.”
The findings additionally comply with the emergence of recent lookalike domains utilizing the Japanese Hiragana character “ん” to cross off pretend web site URLs as nearly equivalent to their respectable ones in what’s known as a homoglyph assault. A minimum of 600 bogus domains using this system have been recognized in assaults aimed toward cryptocurrency customers, with the earliest recorded use courting again to November 25, 2024.
These pages impersonate respectable browser extensions on the Chrome Net Retailer, deceiving unsuspecting customers into putting in pretend pockets apps for Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Belief which might be designed to seize system info or harvest seed phrases, giving the attackers full management over their wallets.
“At a fast look, it’s meant to seem like a ahead slash ‘/,'” Netcraft stated. “And when it is dropped into a website identify, it is easy to see how it may be convincing. That tiny swap is sufficient to make a phishing web site area look actual, which is the aim of menace actors attempting to steal logins and private info or distribute malware.”
In current months, scams have additionally exploited the model identities of American companies like Delta Airways, AMC Theatres, Common Studios, and Epic Data to enroll folks in schemes that supply a option to earn cash by finishing a collection of duties, comparable to working as a flight reserving agent.
The catch right here is that so as to take action, would-be victims are requested to deposit no less than $100 value of cryptocurrency to their accounts, permitting the menace actors to make illicit earnings.
The duty rip-off “illustrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud throughout a number of verticals,” Netcraft researcher Rob Duncan stated.
