- Over 17,500 phishing domains linked to the Lighthouse and Lucid Phishing-as-a-Service (PhaaS) kits have targeted 316 brands in 74 countries.
- The Lucid and Lighthouse platforms offer customizable templates and tools for large-scale phishing campaigns, impersonating hundreds of global companies.
- These phishing kits are tied to groups and individuals in China, including the XinXin group and developers known as LARVA-241 and LARVA-246.
- Phishing attacks are increasingly using email instead of encrypted messaging apps to collect stolen credentials, with a 25% rise in credential harvesting via email reported in one month.
- Scams targeting cryptocurrency users and task-based financial frauds are using lookalike domains and fake web apps to steal funds and credentials.
Phishing service platforms called Lighthouse and Lucid have been connected to more than 17,500 websites built to mimic 316 brands across 74 countries. Security researchers report that these Phishing-as-a-Service (PhaaS) operations allow customers to pay for access to phishing kits that offer ready-made templates impersonating businesses and organizations worldwide.
According to Netcraft, organizations can subscribe to these services for fees starting at $88 per week and going up to $1,588 for a yearly plan. The Lucid kit was first reported in April by Swiss Cybersecurity firm PRODAFT. It includes tools for sending malicious messages on Apple iMessage and Android RCS. Lucid is believed to be operated by a Chinese-speaking group called XinXin, which also uses other phishing kits like Lighthouse and Darcula.
Netcraft found that Lucid campaigns have targeted 164 brands in 63 countries, while Lighthouse has focused on 204 brands in 50 countries. Both platforms let users customize phishing templates and monitor victims in real-time, showing significant overlap. “While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” PRODAFT stated in April.
Advanced tactics used by these phishing kits include restricting access to phishing sites by device type or location, making it more difficult for outsiders to investigate. If a user who is not the intended victim visits the URL, a generic fake storefront appears instead of the real phishing page.
Researchers also noted that, as cybercriminals move away from using apps like Telegram to transmit stolen data, there has been a shift back to email for collecting credentials. Netcraft observed a 25% increase in phishing via email in just one month. Tools like EmailJS now let threat actors harvest login information and two-factor authentication codes without the need for their own servers. “This resurgence is partly due to the federated nature of email, which makes takedowns harder,” researcher Penn Mackintosh said in a Netcraft report.
A new wave of attacks is using lookalike domains with Japanese Hiragana characters to trick cryptocurrency users into installing fake wallet browser extensions. Over 600 such domains have been detected since late November, according to a Netcraft update. Scams using the identities of major American brands have also been found, asking users to deposit at least $100 in cryptocurrency as part of fake task-based job offers, according to Netcraft researcher Rob Duncan in a separate report.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Ethereum Sets December 3 Date for Major Fusaka Scalability Upgrade
- NYDFS Expands Blockchain Analytics Rules to NY Banks in 2025
- MetaMask Token Confirmed: Joe Lubin Says Launch Is ‘Very Soon’
- Avalanche (AVAX) Surges 51% as Crypto Market Stalls
- Ethereum Could Surge 75% Against Bitcoin by 2025 on Bullish Setup
