The phishing-as-a-service (PhaaS) offerings known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries.
“Phishing-as-a-Service (PhaaS) deployments have risen significantly recently,” Netcraft said in a new report. “The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases, hundreds of brands from countries around the world.”
Lucid was first documented by Swiss cybersecurity company PRODAFT earlier this April, detailing the phishing kit’s ability to send smishing messages via Apple iMessage and Rich Communication Services (RCS) for Android.
The service is assessed to be the work of a Chinese-speaking threat actor known as the XinXin group (changqixinyun), which has also leveraged other phishing kits like Lighthouse and Darcula in its operations. Darcula is developed by an actor named LARVA-246 (aka X667788X0 or xxhcvv), while Lighthouse’s development has been linked to LARVA-241 (aka Lao Wang or Wang Duo Yu).
The Lucid PhaaS platform enables customers to mount phishing campaigns at scale, targeting a wide range of industries, including toll companies, governments, postal companies, and financial institutions.
These attacks also incorporate various criteria – such as requiring a specific mobile User-Agent, proxy country, or a fraudster-configured path – to ensure that only the intended targets can access the phishing URLs. If a user other than the target ends up visiting the URL, they are served a generic fake storefront instead.
In all, Netcraft said it has detected phishing URLs targeting 164 brands based in 63 different countries hosted through the Lucid platform. Lighthouse phishing URLs have targeted 204 brands based in 50 different countries.
Lighthouse, like Lucid, offers template customization and real-time victim monitoring, and boasts the ability to create phishing templates for over 200 platforms across the world, indicating significant overlaps between the two PhaaS toolkits. Prices for Lighthouse range from $88 for a week to $1,588 for a yearly subscription.
“While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” PRODAFT noted back in April.
Phishing campaigns using Lighthouse have used URLs impersonating the Albanian postal service Posta Shqiptare, while serving the same fake shopping site to non-targets, suggesting a potential link between Lucid and Lighthouse.
“Lucid and Lighthouse are examples of how fast the growth and evolution of these platforms can occur and how difficult they can sometimes be to disrupt,” Netcraft researcher Harry Everett said.
The development comes as the London-based company revealed that phishing attacks are moving away from communication channels like Telegram to transmit stolen data, painting a picture of a platform that’s no longer likely to be considered a safe haven for cybercriminals.
In its place, threat actors are returning to email as a channel for harvesting stolen credentials, with Netcraft seeing a 25% increase in a span of a month. Cybercriminals have also been found to use services like EmailJS to harvest login details and two-factor authentication (2FA) codes from victims, eliminating the need for hosting their own infrastructure altogether.
“This resurgence is partly due to the federated nature of email, which makes takedowns harder,” security researcher Penn Mackintosh said. “Each address or SMTP relay must be reported individually, unlike centralized platforms like Discord or Telegram. And it’s also about convenience. Creating a throwaway email address remains quick, anonymous, and virtually free.”
The findings also follow the emergence of new lookalike domains using the Japanese Hiragana character “ん” to pass off fake website URLs as almost identical to their legitimate ones in what’s called a homoglyph attack. No less than 600 bogus domains employing this technique have been identified in attacks aimed at cryptocurrency users, with the earliest recorded use dating back to November 25, 2024.
These pages impersonate legitimate browser extensions on the Chrome Web Store, deceiving unsuspecting users into installing fake wallet apps for Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust that are designed to capture system information or harvest seed phrases, giving the attackers full control over their wallets.
“At a quick glance, it is intended to look like a forward slash ‘/,'” Netcraft said. “And when it’s dropped into a domain name, it’s easy to see how it can be convincing. That tiny swap is enough to make a phishing site domain look real, which is the goal of threat actors trying to steal logins and personal information or distribute malware.”
In recent months, scams have also exploited the brand identities of American firms like Delta Airlines, AMC Theatres, Universal Studios, and Epic Records to enroll people in schemes that offer a way to earn money by completing a series of tasks, such as operating as a flight booking agent.
The catch here is that in order to do so, would-be victims are asked to deposit at least $100 worth of cryptocurrency to their accounts, allowing the threat actors to make illicit profits.
The task scam “illustrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud across multiple verticals,” Netcraft researcher Rob Duncan said.
