Full Report
A phishing-as-a-service (PhaaS) platform named 'Lucid' has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android). [...]
Analysis Summary
# Tool/Technique: Lucid Phishing Platform
## Overview
Lucid is a phishing-as-a-service (PhaaS) platform used by threat actors to run large-scale, organized smishing-style campaigns against iOS and Android users. The report notes that messages are delivered over iMessage and RCS rather than plain SMS. The platform generates convincing phishing pages that harvest personal and financial information, including credit card details, and includes a built-in credit card validation feature.
## Technical Details
- Type: Attack Tool/Framework
- Platform: iOS (iMessage), Android (RCS)
- Capabilities: SMS/RCS campaign management, creation of spoofed landing pages, geo-location victim filtering, custom branding/logos in messages, integrated credit card validation.
- First Seen: Not explicitly mentioned in the text.
## MITRE ATT&CK Mapping
The platform's primary function, delivering malicious links to users over messaging channels, maps to Initial Access; the social engineering is how the technique is carried out rather than a separate tactic.
- **TA0001 - Initial Access**
- T1566 - Phishing
- Note on sub-technique: T1566.003 is "Phishing: Spearphishing via Service" (lures sent through third-party messaging services), which is the closest Enterprise fit for iMessage/RCS delivery; smishing against mobile devices is covered in the Mobile ATT&CK matrix as T1660 - Phishing.
## Functionality
### Core Capabilities
- **SMS/RCS Delivery:** Capable of sending mass phishing messages across both major mobile operating systems.
- **Platform-Specific Delivery:** Uses temporary Apple IDs for iMessage campaigns and exploits carrier-specific flaws in sender validation for RCS campaigns.
- **Impersonation:** Messages typically mimic critical alerts from shipping carriers (USPS, DHL, Royal Mail, FedEx), toll agencies (E-ZPass, SunPass, Transport for London), or financial institutions (Revolut, Amazon, American Express, HSBC).
- **Victim Targeting:** Features geo-location filtering to better target victims.
### Advanced Features
- **Landing Page Hosting:** Provides fake landing pages impersonating legitimate government or private entities.
- **Data Harvesting:** Designed to capture Personally Identifiable Information (PII) such as full names, emails, physical addresses, and credit card numbers.
- **Credit Card Validation:** Includes a built-in validator to test the usability of stolen credit card data before it is sold or used fraudulently.
- **Operational Security (OpSec):** Threat actors using Lucid have been observed sending campaigns from moving vehicles so that the originating location cannot easily be pinned down.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text; not expected, since the lure is message-borne and the report describes no file delivered to the device]
- File Names: [Not specified in the provided text]
- Registry Keys: [Not applicable to a mobile, message-borne lure]
- Network Indicators: [Landing pages impersonating the brands listed above, delivered via iMessage/RCS infrastructure; no specific domains or URLs are given in the text]
- Behavioral Indicators: Mass delivery of links via SMS/RCS; messages urging immediate action on alleged shortfalls (shipping, tax, tolls); redirection to credential harvesting sites.
## Associated Threat Actors
- Unspecified threat actors, leveraging a commercial phishing platform for profit.
## Detection Methods
- Signature-based detection: [Not specified in the provided text]
- Behavioral detection: Monitoring for bulk delivery of links via SMS/RCS/iMessage from newly created or disposable sender identities (the text notes temporary Apple IDs), particularly messages that invoke high-volume brands (delivery, banking, tolls), press for immediate action, and link to domains those brands do not own.
- YARA rules: [Not specified in the provided text]
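The behavioural signals above (brand name in the body, urgency wording, a link to a domain the brand does not own, and the same landing-page host fanning out to many recipients) can be turned into a simple triage rule. The following is an added example written for this page, not code from the report or from the Lucid platform; the allow-list of official domains, the urgency phrases, the `.invalid` hosts and the sample messages are all constructed for illustration, and the host/sender names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed allow-list of official domains for the brands the report says
# Lucid impersonates. This is an assumption for the example; a real deployment
# would maintain and extend its own list.
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
    "royal mail": {"royalmail.com"},
    "transport for london": {"tfl.gov.uk"},
    "revolut": {"revolut.com"},
    "amazon": {"amazon.com"},
    "hsbc": {"hsbc.com"},
    "american express": {"americanexpress.com"},
}

# Pressure phrases typical of "act now on an alleged shortfall" lures (assumed set).
URGENCY_CUES = (
    "immediately", "within 24 hours", "final notice", "suspended",
    "unpaid", "could not be delivered", "penalty", "avoid",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostname of every URL found in the message body."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_official(host, domains):
    """True if host is one of the brand's official domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_message(text):
    """Score one message. Returns (score, reasons, hosts, brands).

    The strongest single signal the report gives us is a brand mention whose
    link points at a domain the brand does not own; urgency wording and the
    brand mention itself only add weight.
    """
    lowered = text.lower()
    hosts = extract_hosts(text)
    brands = [b for b in OFFICIAL_DOMAINS if b in lowered]
    reasons = []
    if brands:
        reasons.append("brand_mentioned")
    if any(cue in lowered for cue in URGENCY_CUES):
        reasons.append("urgency_cue")
    for brand in brands:
        for host in hosts:
            if not is_official(host, OFFICIAL_DOMAINS[brand]):
                reasons.append("non_official_domain:" + host)
    return len(reasons), reasons, hosts, brands


def flag_campaigns(messages, min_recipients=3):
    """Cluster brand-impersonating messages by landing-page host.

    messages: iterable of dicts with 'sender', 'recipient' and 'text'.
    Returns {host: {'recipients': n, 'senders': n, 'brands': set}} for every
    non-official host that reached at least min_recipients distinct recipients,
    i.e. the bulk-delivery pattern described in the detection notes.
    """
    by_host = defaultdict(lambda: {"recipients": set(), "senders": set(), "brands": set()})
    for msg in messages:
        _, reasons, _, brands = score_message(msg["text"])
        bad_hosts = {r.split(":", 1)[1] for r in reasons if r.startswith("non_official_domain:")}
        for host in bad_hosts:
            entry = by_host[host]
            entry["recipients"].add(msg["recipient"])
            entry["senders"].add(msg["sender"])
            entry["brands"].update(brands)
    return {
        host: {"recipients": len(e["recipients"]), "senders": len(e["senders"]), "brands": e["brands"]}
        for host, e in by_host.items() if len(e["recipients"]) >= min_recipients
    }


# Constructed sample traffic (not real data): three disposable sender IDs push the
# same USPS lure and landing-page host to five recipients, two TfL lures reach only
# two recipients, and two legitimate notices link to official domains.
USPS_LURE = ("USPS: your package could not be delivered due to an incomplete address. "
             "Confirm within 24 hours at https://usps-redelivery.invalid/confirm")
TFL_LURE = ("Transport for London: unpaid congestion charge. Pay immediately to avoid "
            "a penalty: https://tfl-penalty.invalid/pay")
SAMPLE_MESSAGES = [
    {"sender": "lure-a@example.invalid", "recipient": "+15550001", "text": USPS_LURE},
    {"sender": "lure-b@example.invalid", "recipient": "+15550002", "text": USPS_LURE},
    {"sender": "lure-c@example.invalid", "recipient": "+15550003", "text": USPS_LURE},
    {"sender": "lure-a@example.invalid", "recipient": "+15550004", "text": USPS_LURE},
    {"sender": "lure-b@example.invalid", "recipient": "+15550005", "text": USPS_LURE},
    {"sender": "lure-c@example.invalid", "recipient": "+15550006", "text": TFL_LURE},
    {"sender": "lure-c@example.invalid", "recipient": "+15550007", "text": TFL_LURE},
    {"sender": "amazon-notice", "recipient": "+15550008",
     "text": "Amazon: your order has shipped. Track it at https://www.amazon.com/orders"},
    {"sender": "usps-notice", "recipient": "+15550009",
     "text": "USPS: your package is out for delivery. Track it at https://tools.usps.com/track"},
]

if __name__ == "__main__":
    for host, info in flag_campaigns(SAMPLE_MESSAGES).items():
        print(host, info)
```

The per-message score alone is noisy (a genuine carrier notice also names the brand and may use urgent wording), so the campaign view keys on the one signal a legitimate sender never produces, a brand link to a non-official host, and then requires fan-out across distinct recipients before raising an alert; lower `min_recipients` to see the smaller TfL cluster surface as well.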
## Mitigation Strategies
- **User Education:** Instruct users to ignore unsolicited links received via SMS/RCS, especially those demanding immediate action or payment. Users should independently navigate directly to the official website or application to verify alerts.
- **Sender Validation:** For carriers and messaging providers, ensure robust sender validation is in place, particularly in RCS implementations, since the text notes that Lucid exploits carrier-specific flaws in RCS sender validation. Impersonated brands should watch for lookalike domains and message templates abusing their name.
- **Mobile Security Posture:** Keep devices and messaging apps up to date, but note that the RCS sender-validation weaknesses described are carrier-side and are not fixed by device patching alone; user awareness and provider-side controls remain the primary defences.
## Related Tools/Techniques
- Smishing campaigns in general.
- Other known phishing toolkits that automate social engineering delivery.