
Two Phishing-as-a-Service (PhaaS) platforms, known as Lighthouse and Lucid, have been linked to over 17,500 phishing domains targeting 316 brands from 74 countries.
“The deployment of Phishing-as-a-Service (PhaaS) has been rising significantly recently,” Netcraft said in a new report. “PhaaS operators will charge you a monthly fee for phishing software with pre-installed templates.”
Lucid was first documented in early April this year by the Swiss cybersecurity company Prodaft, which detailed the phishing kit’s ability to send smishing messages via Apple iMessage and Rich Communication Services (RCS) for Android.
The service is attributed to a Chinese-speaking threat actor known as the Xinxin Group (Changqixinyun). Darcula is developed by an actor tracked as Larva-246 (aka X667788x0 or XXHCVV), while the development of Lighthouse is linked to Larva-241 (aka Lao Wang or Wang Duo Yu).

The Lucid PhaaS platform allows customers to run phishing campaigns at scale across a wide range of industries, including payment companies, governments, postal services, and financial institutions.
These attacks also apply a variety of gating criteria, such as requiring a specific mobile user agent, a particular proxy country, or a URL path configured by the fraudster. If a non-target user accesses the URL, a generic fake storefront is served instead.
In all, Netcraft said it had detected phishing URLs targeting 164 brands based in 63 different countries hosted via the Lucid platform. Lighthouse phishing URLs target 204 brands based in 50 countries.
Like Lucid, Lighthouse offers template customization and real-time victim monitoring, boasting the ability to create phishing templates for over 200 platforms around the world. Lighthouse subscriptions range from $88 a week to $1,588 a year.
“Although Lighthouse operates independently of Xinxin Group, the consistency with Lucid in terms of infrastructure and targeting patterns highlights the broader trends in collaboration and innovation within the PHAAS ecosystem,” Prodaft said in April.
A Lighthouse-based phishing campaign uses URLs impersonating the Albanian postal service and serves the same fake shopping site to non-targeted visitors, suggesting a potential link between Lucid and Lighthouse.
“Lucid and Lighthouse are an example of how quickly these platforms grow and evolve, and how difficult it is for them to get confused at times,” said Netcraft researcher Harry Everett.
The development comes as the London-based company revealed that phishing attacks are moving away from Telegram-like communication channels for transporting stolen data, painting a picture of platforms that are no longer a safe haven for cybercriminals.
Instead, threat actors are returning to email as a channel for harvesting stolen credentials, with a 25% increase over the span of a month. Cybercriminals are also known to use services such as EmailJS to harvest login details and two-factor authentication (2FA) codes from victims, eliminating the need to host their own infrastructure at all.
“This revival is partly due to the federated nature of email, making takedowns difficult,” said security researcher Penn McIntosh. “Unlike centralized platforms like Discord and Telegram, each address or SMTP relay must be reported separately, and that’s also about convenience.”
The findings also follow the discovery of homoglyph attacks in which the Japanese hiragana character “n” (ん) is placed inside a website URL, making the domain look roughly the same as a legitimate one. Over 600 fake domains using this technique have been identified in attacks targeting cryptocurrency users, with the earliest recorded use dating back to November 25, 2024.

These pages pose as legitimate Chrome Web Store listings for browser extensions and trick unsuspecting users into installing fake wallet apps designed to harvest seed phrases for Phantom, Rabby, OKX, Coinbase, MetaMask, Pancodus and Biteg, giving attackers full control of the wallets.
“At a glance, it’s meant to look like a forward slash,” Netcraft said. “And when it’s dropped into a domain name, you can easily see how persuasive it is. That small swap is enough to make the domain of a phishing site look real.”
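As a defensive check for the slash-lookalike trick described above, here is an added example (not code from Netcraft or the original article) that decodes a hostname, flags hiragana “ん” and other non-ASCII characters in it, and shows the hostname as a victim would perceive it next to the domain that is actually registered. The sample hostname is constructed, and the three extra lookalike characters and the “last two labels” domain rule are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that render close enough to "/" to make a hostname label read
# like a URL path separator. U+3093 (hiragana "n") is the one the report
# describes; the other three are added here as further slash lookalikes (assumption).
SLASH_LOOKALIKES = {
    "\u3093": "HIRAGANA LETTER N",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
}

def decode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding any xn-- (Punycode) labels."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep it, the xn-- prefix is itself a signal
        labels.append(label)
    return ".".join(labels)

def slash_lookalike_report(url: str) -> dict:
    """Inspect a URL's hostname for slash lookalikes and other non-ASCII characters.

    "perceived_host" renders lookalikes as "/", which is what a victim reads;
    "actual_domain" is assumed to be the last two labels (no public suffix list).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = decode_host(parts.hostname or "")
    hits = []  # (position, character, Unicode name)
    for pos, ch in enumerate(host):
        if ch in SLASH_LOOKALIKES:
            hits.append((pos, ch, SLASH_LOOKALIKES[ch]))
        elif ord(ch) > 0x7F:  # any other non-ASCII character: possible homoglyph
            hits.append((pos, ch, unicodedata.name(ch, "UNKNOWN")))
    perceived = "".join("/" if ch in SLASH_LOOKALIKES else ch for ch in host)
    return {
        "host": host,
        "perceived_host": perceived,
        "actual_domain": ".".join(host.split(".")[-2:]),
        "hits": hits,
        "suspicious": bool(hits),
    }
```

Fed a constructed URL such as `https://wallet.example.comんverifyんlogin.attacker-test.example/confirm`, the report shows the perceived hostname `wallet.example.com/verify/login.attacker-test.example` alongside the registered domain `attacker-test.example`, which is the mismatch a browser warning or mail gateway rule can key on.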
Over the past few months, scammers have also been luring people into a scheme that offers a way to earn money by completing a series of tasks, such as acting as a flight booking agent, while leveraging the brand identities of American companies such as Delta Air Lines, AMC Theatres, Universal Studios and Magnificent Records.
The catch is that victims are asked to deposit at least $100 worth of cryptocurrency into their accounts before they can take part, which is how the threat actors make their illicit profits.
Task fraud “indicators weaponize API-driven brand impersonation templates to scale financially motivated fraud across multiple industries,” said Netcraft researcher Rob Duncan.
