Lucid Phishing Platform Drives Toll Scam Campaigns


Those text messages about unpaid tolls that have been hitting users’ phones in waves for the last few months aren’t just annoying. They are the end product of a large phishing operation that uses device farms and a new phishing-as-a-service (PhAAS) platform to produce thousands upon thousands of scam messages each day.

About a year ago, researchers began noticing a new tactic in SMS phishing campaigns: a shift from the usual messages impersonating FedEx or the USPS to messages purporting to come from a state toll road operator. The new messages tell recipients that they have an unpaid toll and threaten them with fines or even the loss of their driver’s license if they don’t respond. The twist is that the initial message does not contain a live link. It asks the victim to reply, and only once the victim does so do the attackers send a live phishing link in return. The reply step serves the operators well: it confirms the number is active, and on iMessage links from unknown senders are not clickable until the recipient has replied, so the follow-up link arrives ready to tap.

Our Censys research team has investigated the domains and infrastructure the attackers are using in these campaigns, discovering tens of thousands of domains hosted on infrastructure that is almost entirely in China. That won’t come as much of a surprise to most observers of the cybercrime ecosystem, but some of the details of the scheme’s operation and scale that are beginning to emerge are quite interesting. 

The operators of the SMS toll scam are using a phishing platform called Lucid that runs on a subscription model, so affiliates can sign up and run their own campaigns through the platform. According to new research from Prodaft on the Lucid platform and its use in the toll scam campaigns, Lucid sends both iMessage and Android RCS messages in bulk (both ride over data connections rather than the carrier SMS channel, which sidesteps most SMS filtering), generates unique domains and landing pages for specific campaigns, and issues time-limited, per-victim URLs. The platform’s control panel has a powerful set of features and tools specifically tailored to the needs of the discerning modern cybercriminal.

“When creating a template, PhAAS users can customize landing pages for their targeted domains, such as phishingdomain.com/xxx. Additionally, the panel allows for dynamic adjustments based on the victim’s IP address, enabling location-based targeting, device-specific focus (iOS or Android), and additional verification steps for users,” Prodaft’s analysis says. 

“To enhance the targeted nature of attacks and evade detection, measures are implemented to block connections from IP addresses outside the targeted region or if users attempt to access the domain directly instead of clicking on a shortened URL. Payment pages are only displayed to victims within the designated region.”
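The gating Prodaft describes is the reason a sandbox or a desktop analyst fetching the domain usually sees nothing useful. The block below is an added example, written for this post rather than taken from Lucid, Prodaft or Censys, that models those rules as a defender would reconstruct them: region check on the client IP, refusal of direct hits that did not arrive through the shortener, a per-victim token with a lifetime, and device targeting. The network prefixes, shortener host, token, two-hour lifetime, the use of the Referer header as the "came via shortened URL" signal, and the choice to serve a decoy page (rather than block) to desktop browsers are all constructed assumptions for the demonstration, not observed Lucid behaviour.

```python
"""
Reconstruction of the landing-page gate described in the Prodaft quote.
Added example, not Lucid's code. Every prefix, host, token and time window
below is a constructed placeholder.
"""
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

# Constructed: two example prefixes stand in for "the targeted region".
# A real kit would resolve country from an IP geolocation database.
TARGET_REGION_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
SHORTENER_HOST = "short.example"   # constructed shortener domain
TOKEN_TTL = timedelta(hours=2)     # constructed lifetime for per-victim URLs

# Constructed per-victim tokens -> time the individual URL was issued
# (this is the "time-limited individual URLs" feature).
ISSUED_TOKENS = {
    "abc123": datetime.fromisoformat("2025-03-01T12:00:00+00:00"),
}


def in_target_region(ip: str) -> bool:
    """Region check: only IPs inside the campaign's prefixes pass."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TARGET_REGION_PREFIXES)


def device_class(user_agent: str) -> str:
    """Device targeting: 'ios', 'android' or 'other' from the User-Agent."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    if "android" in ua:
        return "android"
    return "other"


def came_via_shortener(referer: str) -> bool:
    """Direct-access check, modelled on the Referer header (an assumption;
    a real kit might use a one-time redirect token instead)."""
    return referer.startswith(f"https://{SHORTENER_HOST}/")


def token_from_path(path: str) -> Optional[str]:
    """Pull the per-victim token from a path such as '/xxx?t=abc123'."""
    _, _, query = path.partition("?")
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "t" and value:
            return value
    return None


def token_is_live(token: Optional[str], now: datetime) -> bool:
    """Time-limited URL: unknown or expired tokens are dead."""
    issued = ISSUED_TOKENS.get(token) if token else None
    return issued is not None and timedelta(0) <= now - issued <= TOKEN_TTL


def decide(ip: str, user_agent: str, path: str, referer: str, iso_now: str) -> str:
    """Return the page the gate would serve: 'payment', 'decoy' or 'blocked'."""
    now = datetime.fromisoformat(iso_now)
    if not in_target_region(ip):
        return "blocked"          # out-of-region IPs (most sandboxes) are refused
    if not came_via_shortener(referer):
        return "blocked"          # typing the domain directly is refused
    if not token_is_live(token_from_path(path), now):
        return "decoy"            # expired/unknown per-victim URL: harmless page
    if device_class(user_agent) == "other":
        return "decoy"            # desktop browsers never see the payment page
    return "payment"


if __name__ == "__main__":
    victim = decide("198.51.100.7",
                    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
                    "/xxx?t=abc123", "https://short.example/q1",
                    "2025-03-01T13:00:00+00:00")
    sandbox = decide("192.0.2.10",
                     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                     "/xxx?t=abc123", "", "2025-03-01T13:00:00+00:00")
    print(f"victim sees: {victim}, sandbox sees: {sandbox}")
```

The practical lesson for an analyst is in the order of the checks: to reach the payment page you need egress from the targeted region, a mobile User-Agent, arrival through the shortened link rather than the bare domain, and a visit inside the token window. Miss any one of them and the kit hands back a refusal or a decoy, which is why detonating these URLs from a desktop sandbox hours after the message arrived so often reports "nothing malicious".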

Lucid is one of a group of phishing platforms that have emerged recently to cater to eager criminals looking for point-and-steal solutions. Other examples include Lighthouse, Darcula, EvilProxy, and W3ll. The emphasis is on simplicity and ease of use, so that as many subscribers as possible can sign up and run their own campaigns, as evidenced by the volume of toll scam and other SMS phishing messages flooding victims’ phones. The lures have proven effective: Prodaft estimates that Lucid phishing campaigns see a success rate of about 5%, which is very high relative to email phishing.

Expect to see these campaigns change and evolve as attackers refine their tactics and find new lures and ways to exploit the system. 

AUTHOR
Dennis Fisher