Users who click on links are taken to ready-to-use phishing websites that collect personal information and credit card details.
Lucid offers phishing websites with validation tools for collected credit card details
Cybercriminals are using massive device farms that comprise iPhone and Android smartphones in order to send phishing messages to users in 88 countries, according to security researchers. The 'Lucid' phishing-as-a-service (PhaaS) platform is designed to deliver messages via iMessage and rich communication services (RCS) chats, with links that lead to phishing websites. These messages are capable of evading typical SMS spam filters due to end-to-end encryption (E2EE). The cybercriminals are also selling licences to use the Lucid platform via a Telegram channel.
Unlike regular SMS, messages are delivered to users via iMessage or RCS on iPhone and Android smartphones, respectively. As these are E2EE messaging services, the messages have a higher delivery rate than SMS phishing messages, according to Prodaft's report. These messages are also cheaper than SMS, as there are no operator charges.
One of the alleged device farms used to send tests via iMessage
Photo Credit: Prodaft
In order to deliver a high volume of messages via iMessage, Lucid uses large iOS device farms that use rotating, temporary Apple IDs. On the other hand, the cybercriminals use "carrier implementation inconsistencies in sender verification" to send RCS messages to unsuspecting users.
The messages are designed to convince users to click on a phishing link, which leads to one of several phishing websites set up on over 1,000 domains owned by the threat actors. For example, some messages prompt users to complete fake toll payments, in order to avoid fines. On iMessage, recipients are even asked to respond, as links are disabled in new texts from unknown senders.
The ready-to-use phishing websites allow cybercriminals to collect people's details, including their credit card information. They can then use a validator to verify whether the card details are valid, before using or selling the information.
Lucid is operated as a PhaaS platform by a Chinese group known as XinXin, according to the researchers. Access to the platform is sold on a weekly basis via a Telegram channel. They are believed to be behind other platforms such as Darcula and Lighthouse, which also offer similar PhaaaS functionality.
In order to stay safe from these phishing attacks, users should refrain from clicking on links in messages received from unknown users. When in doubt about the authenticity of a message, users can contact the sender by looking up the official contact details online, or log in to a service that they use and check for pending payments.
For details of the latest launches and news from Samsung, Xiaomi, Realme, OnePlus, Oppo and other companies at the Mobile World Congress in Barcelona, visit our MWC 2025 hub.