Lucid: A New Phishing-as-a-Service (PhaaS) Platform Targets 169 Entities Using Smishing via iMessage and RCS

A new Phishing-as-a-Service (PhaaS) platform called Lucid has emerged, offering cybercriminals sophisticated tools to conduct targeted phishing attacks on a global scale. The platform has already targeted 169 entities across 88 countries using smishing (SMS phishing) messages, distributed via Apple iMessage and Rich Communication Services (RCS) for Android devices.

The Scope of the Attack:

• The attack targeted 169 entities—likely a mix of organizations, businesses, and individuals—across 88 countries. This indicates that the campaign was global, meaning the attackers were operating internationally, attempting to exploit vulnerable targets worldwide.
• The widespread nature of the attack underscores its scale and the potential risk posed to a wide range of victims, from personal users to corporate organizations.

The Mechanism of the Attack:

• Lucid, the entity behind the attack, seems to be using social engineering tactics to exploit trust in the Apple iMessage platform. They might send deceptive messages that look like legitimate notifications (such as warnings about account issues, urgent requests, or promotional offers).
• These messages likely included malicious links, urging recipients to click them. Once clicked, the links could either lead to phishing websites designed to steal personal information or to malware that could be installed on the victim’s device.

Why iMessage?

• iMessage is often perceived as more secure than regular SMS because it’s encrypted and doesn’t use the same infrastructure as traditional SMS messages. This trust in iMessage makes it a prime target for attackers, as users are less likely to be suspicious of messages coming from the app.
• Attackers exploiting iMessage’s security could bypass traditional defenses and firewalls, especially those targeting standard SMS, making the attack harder to detect and prevent.

The Impact:

• Smishing attacks can lead to a variety of consequences, such as identity theft, financial fraud, or even corporate data breaches. For businesses, smishing campaigns can damage brand reputation, result in financial losses, or expose sensitive client information.
• Individuals might be tricked into giving up personal data, including credit card numbers, social security numbers, or passwords, leading to potential identity theft or financial fraud.