A surge in phishing text messages claiming unpaid tolls has been linked to a massive phishing-as-a-service (PhaaS) operation.
These scams, which have been hitting users’ phones in waves, are part of a sophisticated campaign leveraging a platform called Lucid.
Cybercriminals behind this scheme are exploiting legitimate communication technologies like Apple iMessage and Android RCS to bypass traditional spam filters and deliver their malicious messages at scale.
.png
)
The scam begins with text messages impersonating state toll road operators.
Victims are warned of unpaid tolls and threatened with fines or license suspension if they fail to respond.
Unlike traditional phishing attempts, these messages initially lack live links.
Instead, victims are asked to reply, after which they receive a link to a phishing website designed to steal personal and financial information.
The Lucid PhaaS Platform: A Cybercriminal’s Toolkit
Research by cybersecurity firms such as Prodaft has uncovered the infrastructure behind these campaigns, revealing tens of thousands of domains hosted predominantly in China.
At the heart of this operation is the Lucid platform, a subscription-based PhaaS service that allows affiliates to run their own phishing campaigns with minimal technical expertise.
Lucid offers an advanced control panel that enables users to customize phishing templates, generate unique domains and landing pages, and create time-limited URLs for victims.
Its features include dynamic adjustments based on the victim’s IP address, allowing attackers to target specific regions and devices (iOS or Android).
The platform also employs anti-detection techniques, such as blocking connections from outside targeted regions or from users accessing domains directly instead of via shortened URLs.
Prodaft’s analysis highlights how Lucid enables real-time monitoring of victim interactions through its dashboard.
According to the Report, this allows attackers to verify stolen credit card details and extract sensitive information efficiently.
The platform’s ease of use has contributed to its success, with an estimated 5% success rate remarkably high compared to traditional email phishing campaigns.
A Growing Threat in the Cybercrime Ecosystem
Lucid is just one example of the growing trend of PhaaS platforms that lower the barrier for entry into cybercrime.
Other platforms like Darcula, EvilProxy, and Lighthouse offer similar services, enabling attackers to clone legitimate websites and launch large-scale phishing campaigns.
These platforms cater to a thriving underground economy where cybercriminals can subscribe to ready-made tools for fraud.
The operators behind Lucid have been identified as members of the Chinese-speaking hacking group known as XinXin.
This group has developed multiple PhaaS platforms and markets them on forums and messaging platforms like Telegram.
Their tools have proven effective in targeting victims across Europe, the United States, and other regions.
Authorities like the Federal Trade Commission (FTC) and cybersecurity experts recommend vigilance against such scams.
If you receive a text about unpaid tolls:
- Do not click on any links or reply to suspicious messages.
- Verify the legitimacy of such claims by contacting your state’s tolling agency directly through official channels.
- Report and delete unwanted texts using your phone’s “report junk” feature or by forwarding them to 7726 (SPAM).
If you suspect you’ve fallen victim, immediately contact your financial institution to secure your accounts and consider filing a report with local law enforcement or online crime reporting agencies.
As phishing tactics evolve with platforms like Lucid, staying informed and cautious is crucial to safeguarding personal information from these increasingly sophisticated cyber threats.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 operation.){kind=link}