The cybersecurity landscape is witnessing a significant escalation in phishing activities, primarily driven by the proliferation of Phishing-as-a-Service (PhaaS) platforms. Recent analyses have identified over 17,500 phishing domains associated with PhaaS services like Lighthouse and Lucid, targeting 316 brands across 74 countries.
Understanding Phishing-as-a-Service (PhaaS)
PhaaS platforms have revolutionized the cybercrime ecosystem by offering ready-made phishing kits to cybercriminals, enabling them to launch sophisticated attacks without extensive technical expertise. These services typically operate on a subscription basis, providing users with tools to impersonate a multitude of brands globally.
Lucid: A Closer Look
First documented by Swiss cybersecurity firm PRODAFT in April 2025, Lucid is a PhaaS platform that facilitates large-scale phishing campaigns. It allows attackers to send fraudulent messages via Apple iMessage and Rich Communication Services (RCS) for Android, targeting sectors such as toll services, government agencies, postal companies, and financial institutions.
Lucid employs sophisticated targeting mechanisms, including:
– User-Agent Filtering: Serving the phishing content only to visitors whose browser identifies as a targeted device type.
– Geolocation Restrictions: Limiting access based on the visitor's country.
– Custom Path Configurations: Directing victims through attacker-defined URL paths.
If an unintended user accesses a Lucid-generated phishing URL, they are redirected to a generic fake storefront, minimizing the risk of detection.
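The gating described above leaves a measurable trace: the same URL returns different content depending on the visitor's device and country. The following added example (not code from the original article or from any vendor) shows how a defender's crawler could detect that cloaking by re-fetching a suspect URL from several vantage points and comparing the pages; the probe results, the `suspect.invalid` hostname and the `HARVEST_FORM` heuristic are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed probe results for one suspect URL (sample data, not captured traffic).
# Each entry: (user_agent_class, visitor_country, final_url, response_body).
PROBES = [
    ("mobile", "US", "https://suspect.invalid/toll/pay",
     "<form><input name='card'><input type='password' name='pin'></form>"),
    ("desktop", "US", "https://suspect.invalid/",
     "<h1>Welcome to our store</h1><p>Great deals on shoes and bags</p>"),
    ("mobile", "DE", "https://suspect.invalid/",
     "<h1>Welcome to our store</h1><p>Great deals on shoes and bags</p>"),
]

# Heuristic (assumption): a password, card or PIN field marks a credential-harvesting page.
HARVEST_FORM = re.compile(
    r"<input[^>]+(type=['\"]?password|name=['\"]?(card|pin|otp))", re.I)

def page_similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical bodies."""
    return SequenceMatcher(None, a, b).ratio()

def detect_cloaking(probes, max_similarity=0.5):
    """Compare every probe that saw a harvest form with every probe that did not.
    A low body similarity means the server chose content per visitor; the probe
    attributes that differ reveal which gate (user agent, geolocation) is in use."""
    findings = []
    harvesting = [p for p in probes if HARVEST_FORM.search(p[3])]
    decoys = [p for p in probes if not HARVEST_FORM.search(p[3])]
    for h in harvesting:
        for d in decoys:
            if page_similarity(h[3], d[3]) >= max_similarity:
                continue  # same page for both vantage points: no cloaking evidence
            gates = []
            if h[0] != d[0]:
                gates.append("user-agent")
            if h[1] != d[1]:
                gates.append("geolocation")
            findings.append({"served_to": (h[0], h[1]), "decoy_for": (d[0], d[1]),
                             "decoy_url": d[2], "gates": gates})
    return findings

if __name__ == "__main__":
    for f in detect_cloaking(PROBES):
        print(f)
```

Each finding names the vantage point that received the harvest form, the one that received the decoy storefront, and which gate separated them, which is the evidence a takedown request or detection rule needs.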
Lighthouse: Parallel Operations
Operating independently yet exhibiting significant overlaps with Lucid, Lighthouse is another PhaaS platform offering customizable phishing templates and real-time victim monitoring. It boasts templates for over 200 platforms worldwide, with subscription prices ranging from $88 per week to $1,588 annually.
Notably, Lighthouse has been linked to phishing campaigns impersonating entities like the Albanian postal service, Posta Shqiptare. Similar to Lucid, it redirects non-targeted visitors to generic fake sites, indicating a shared strategy between the two platforms.
The XinXin Group Connection
Both Lucid and Lighthouse have ties to the Chinese-speaking threat actor known as the XinXin group (changqixinyun). This group has also utilized other phishing kits, such as Darcula, developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv). The interconnectedness of these platforms underscores a collaborative and evolving PhaaS ecosystem.
Global Impact and Brand Targeting
The reach of these PhaaS platforms is extensive:
– Lucid: Phishing URLs targeting 164 brands across 63 countries.
– Lighthouse: Phishing URLs targeting 204 brands across 50 countries.
This widespread targeting highlights the global nature of the threat and the need for international cooperation in combating phishing attacks.
Shift in Cybercriminal Communication Channels
In addition to the rise of PhaaS platforms, there has been a notable shift in how cybercriminals communicate and harvest stolen data. Platforms like Telegram, once favored for their perceived anonymity, are being abandoned in favor of email. Netcraft reports a 25% increase in the use of email for credential harvesting within a month.
Cybercriminals are also leveraging services like EmailJS to collect login details and two-factor authentication codes, reducing the need for dedicated infrastructure. The federated nature of email makes takedown efforts more challenging, as each address or SMTP relay must be reported individually, unlike centralized platforms.
Conclusion
The surge in PhaaS platforms like Lucid and Lighthouse represents a significant evolution in cyber threats, enabling attackers to execute large-scale phishing campaigns with unprecedented ease. The global reach and sophistication of these services necessitate enhanced vigilance, robust security measures, and international collaboration to mitigate the risks posed by this growing menace.