127/68 Wednesday, April 2, 2025

Researchers at Prodaft have uncovered that Lucid, a Phishing-as-a-Service (PhaaS) platform operated by the Chinese cybercriminal group XinXin, is behind a wave of targeted SMS phishing attacks affecting 169 victims across 88 countries. Lucid provides Telegram-registered members with access to automated phishing site generators, over 1,000 domains, and fake messaging tools that exploit iMessage (iOS) and RCS (Android) to bypass traditional SMS spam filters—significantly increasing the success rate of phishing attempts.
The platform operates via a farm of iOS and Android devices, using temporary Apple IDs and RCS vulnerabilities to spoof sender identities. The phishing messages pose as tax notifications, toll payment alerts, or package delivery updates from well-known brands such as Amazon, DHL, FedEx, HSBC, and Transport for London. Once victims click the embedded link, they are redirected to realistic-looking phishing sites designed to harvest sensitive information such as credit card numbers, addresses, and email accounts. Notably, Lucid includes an integrated credit card validator to verify stolen cards before reselling or using them in fraudulent transactions.
Experts warn that PhaaS platforms like Lucid are lowering the barrier to entry for cybercriminals, enabling large-scale, industrialized phishing operations without requiring advanced technical skills. Users are advised to exercise caution when receiving unsolicited messages with urgent payment or account warnings. Instead of clicking suspicious links, they should verify such claims directly through the official website of the service in question to avoid falling victim to these increasingly sophisticated cyber threats.