How ‘Lucid’ exploits iMessage to send encrypted phishing attacks to your iPhone

Macworld

Here’s something you may not know: Hackers can sign up for phishing-as-a-service platforms. In other words, there are businesses that put together a PhAAS software package that hackers can buy and run phishing schemes. A new PhAAS called Lucid is now available and is used to target iPhones, according to a report by security researcher Catalyst.

What’s alarming about Lucid is that it involved phishing messages sent via Apple’s iMessage, which uses end-to-end encryption that allows the messages to bypass spam filters. Lucid also sends messages via encrypted RCS, which allows for attacks on Android devices. Apple has announced support for encrypted RCS that will arrive in a future iOS update.

To be able to send out phishing messages via iMessage, iPhone farms are in place. XinXin, the business behind Lucid, claims it can send over 100,000 messages daily using “temporary Apple IDs with impersonated display names,” according to the report. The PhAAS package offers templates so attackers can create legitimate-looking websites and messages. The phishing messages urge the reader to pay for unpaid toll fees, shipping costs, or taxes, and the links route users to websites that look like legitimate sites, such as a site that masquerades as the U.S. Postal Service.




iPhone phishing farm used to send phishing messages.Catalyst

Some iPhone users may feel a sense of security when receiving an iMessage because of Apple’s measures, but Catalyst notes that it is this sense of security that hackers are taking advantage of. Lucid has a success rate that “makes the operation cost-effective.”

How to protect yourself from hacker attacks

Text messaging is convenient, but it also leaves you vulnerable to attack. Don’t use links in text messages whenever possible; always check the URL if you absolutely need to use the link. Attackers will disguise fake domains to look like legitimate ones. If a message is poorly written, has typos, misspellings, and poor grammar, don’t trust it. Macworld has a guide to avoid smishing attacks. Apple releases security patches through OS updates, so installing them as soon as possible is important. If you use a third-party browser, Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.