Global PhaaS Surge: 17,500 Phishing Domains Target 316 Brands in 74 Countries


Lighthouse and Lucid, two phishing-as-a-service (PhaaS) offerings, have been connected to over 17,500 phishing domains that target 316 brands across 74 countries.

[Image: Global PhaaS Surge]

According to recent research by Netcraft, “Phishing-as-a-Service (PhaaS) deployments have risen significantly recently.” “The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases, hundreds of brands from countries around the world.”

Earlier this April, the Swiss cybersecurity firm PRODAFT published the first documentation of Lucid, which described how the phishing kit could deliver smishing messages through Rich Communication Services (RCS) for Android and Apple iMessage.

According to that assessment, the service was created by the XinXin group (changqixinyun), a Chinese-speaking threat actor that has also used other phishing kits, including Lighthouse and Darcula, in its operations. LARVA-246 (also known as X667788X0 or xxhcvv) is the actor behind Darcula, and LARVA-241 (also known as Lao Wang or Wang Duo Yu) is the actor behind Lighthouse.

[Image: Phishing domains]

Customers can launch large-scale phishing campaigns using the Lucid PhaaS platform, focusing on a variety of sectors such as financial institutions, governments, postal services, and toll corporations.

To ensure that only the intended targets can view the phishing URLs, these attacks also apply a variety of gating criteria, such as requiring a particular mobile User-Agent, a proxy country, or a path set by the fraudster. Anyone outside the target group who still reaches the URL is shown a generic fake storefront.

Netcraft says it has identified phishing URLs that use the Lucid platform and target 164 brands across 63 countries, while phishing URLs from Lighthouse have attacked 204 brands across 50 countries.

There are notable similarities between the two PhaaS toolkits: like Lucid, Lighthouse provides real-time victim monitoring and template customization, and it claims to be able to produce phishing templates for more than 200 platforms worldwide. Lighthouse subscriptions range in price from $88 per week to $1,588 per year.

“While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” PRODAFT stated in April.

[Image: Phishing targets]

A further possible connection between Lucid and Lighthouse is that phishing attempts using Lighthouse have employed URLs that mimic the Albanian postal service Posta Shqiptare while serving the same fake retail site to non-targets.

According to Netcraft researcher Harry Everett, “Lucid and Lighthouse are examples of how quickly the growth and evolution of these platforms can occur and how difficult they can sometimes be to disrupt.”

The discovery coincides with the London-based company’s announcement that phishing attacks are shifting away from Telegram and other communication channels for transmitting stolen data, illustrating that the platform is likely no longer seen as a safe haven for cybercriminals.

Threat actors are once again using email to receive stolen credentials, with Netcraft observing a 25% rise in a single month. To avoid hosting their own infrastructure, cybercriminals have also been observed using services such as EmailJS to collect victims’ login credentials and two-factor authentication (2FA) tokens.


“This resurgence is partly due to the federated nature of email, which makes takedowns harder,” the security researcher Penn Mackintosh stated. In contrast to centralized systems like Discord or Telegram, each address or SMTP relay needs to be reported separately. Additionally, convenience is a factor: making a disposable email address is still simple, anonymous, and essentially cost-free.

According to the research, new lookalike domains have emerged that use the Japanese Hiragana character “ん” to make fake website URLs look nearly identical to their authentic counterparts. This is known as a homoglyph attack. Since its first documented usage on November 25, 2024, at least 600 fake domains have been found deploying this tactic in attacks on bitcoin users.

These pages pose as genuine browser extensions on the Chrome Web Store in order to trick unwary users into installing fake wallet apps for Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust. The fake apps are designed to harvest seed phrases or steal system information, giving the attackers complete control over the victims’ wallets.

[Image: Phishing domain scam]

“At a quick glance, it is intended to look like a forward slash ‘/’,” stated Netcraft. It is easy to see how it could be believable when included in a domain name: that small change is sufficient to make a phishing site’s domain appear authentic, which is exactly what threat actors attempting to disseminate malware or steal login credentials want.
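As an added defensive example (not code from Netcraft or this article), the following Python function shows how a URL filter or log-analysis job can detect the “ん” trick described above: it decodes any punycode (xn--) labels, lists every non-ASCII code point in the hostname, and compares the host a browser would actually connect to with the host a user is likely to read. The sample domains are constructed for illustration and are not real indicators.

```python
"""Flag hostnames that use Hiragana "ん" (U+3093) as a fake path separator."""
import unicodedata
from urllib.parse import urlsplit

# U+3093 is the character reported being abused: at a glance it resembles
# a forward slash, so "brand.tldんlogin.example" reads as "brand.tld/login".
SLASH_LOOKALIKE = "\u3093"


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so the host can be inspected as Unicode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: inspect as-is


def analyse_url(url: str) -> dict:
    """Compare the real hostname with what a user is likely to perceive."""
    host = urlsplit(url).hostname or ""
    uhost = to_unicode_host(host)
    # Every non-ASCII code point in the host, with its Unicode name.
    non_ascii = [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(uhost) if not ch.isascii()
    ]
    # What the eye sees: treat each "ん" as "/" and keep what precedes it.
    perceived = uhost.replace(SLASH_LOOKALIKE, "/").split("/", 1)[0]
    # The ASCII (punycode) form that actually goes out on the wire / in DNS.
    try:
        wire_host = uhost.encode("idna").decode("ascii")
    except UnicodeError:
        wire_host = host
    return {
        "actual_host": uhost,
        "wire_host": wire_host,
        "perceived_host": perceived,
        "non_ascii": non_ascii,
        "slash_homoglyph": SLASH_LOOKALIKE in uhost,
    }


if __name__ == "__main__":
    # Constructed sample: looks like "metamask.io/verify" but is a different domain.
    for k, v in analyse_url("https://metamask.ioんverify.example/wallet").items():
        print(f"{k}: {v}")
```

A match on `slash_homoglyph`, or any non-ASCII entry whose perceived host differs from the actual host, is a strong signal to block or quarantine the link rather than render it.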

The brand identities of American companies such as Delta Airlines, AMC Theaters, Universal Studios, and Epic Records have also been used by scammers in recent months to lure consumers into schemes that promise to pay them money by doing a series of tasks, like acting as an airline booking agent.

The catch is that potential victims are required to fund their accounts with at least $100 in cryptocurrency in order to take part, which is how the threat actors profit.

According to Rob Duncan, a researcher at Netcraft, the task scam “demonstrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud across multiple verticals.”

Prevent Advanced Phishing Attacks with Craw Security’s Phishing Simulation Services

In Craw Security’s Phishing Simulation Services, we deliver phishing domains that closely mimic real-world organizations, with replicas of their original templates. We use UTM parameters with encoded values to avoid client suspicion and reverse tracking, giving employees a fully-fledged real-world experience.

[Image: Advanced phishing attacks]

In addition, Craw Security’s AI-based PSS helps you automatically detect phishing URLs, so that phishing emails are automatically removed from, or flagged in, the inboxes and real-time servers that employees use in their daily work.

Here’s how Craw Security’s Phishing Simulation Services work:

  • A credential capture mode that tricks users into submitting sensitive information.
  • Exact brand impersonation using real-world templates and lookalike domains, for example gooogle.com to mimic Google.
  • An AI-based recommendation system that picks the best tracking URLs and email templates for maximum effect.
  • UTM parameters with encoded values to avoid client suspicion and reverse tracking, giving employees a fully-fledged real-world experience.
  • Our software detects all emails and labels them in plain language as either Phishing or Safe/Genuine, so your employees know which is which.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
