Phishing Gone Pro From $88 to Millions: How 17,500 Domains Are Hitting 316 Brands Globally

Phishing-as-a-Service Attack

Phishing attacks aren’t just some hacker in a hoodie working out of a basement. They’re a full-blown, global business operation, and they’re getting more sophisticated every month.

According to a brand-new report from Netcraft, two major PhaaS (Phishing-as-a-Service) platforms, Lighthouse and Lucid, have been linked to over 17,500 phishing domains, targeting 316 brands across 74 countries.

That’s not a typo. We’re talking about a phishing network that scales like a SaaS startup, except its “customers” are cybercriminals.

And if you think this is just a problem for “big tech” or “the finance sector,” think again. These campaigns are hitting toll operators, postal services, government agencies, crypto users, and regular businesses worldwide.

What Exactly Is PhaaS and Why Should You Care?

If you haven’t heard the term before, Phishing-as-a-Service (PhaaS) works exactly like it sounds.

Instead of some lone hacker hand-crafting phishing emails, cybercriminals can now subscribe to phishing kits just like Netflix.

For as little as $88 a week (or $1,588 for an annual plan), they get access to:

  • Ready-made phishing templates impersonating hundreds of brands
  • Tools for sending smishing messages (yes, SMS phishing) via iMessage and Android RCS
  • Real-time dashboards to monitor victims’ clicks and credentials

And just like SaaS companies, these operators provide updates, support, and new templates to keep attacks fresh and convincing. Anyone with a credit card and bad intentions can run a phishing campaign at scale, no technical skills required.


Meet Lighthouse and Lucid

The two names you need to know are Lighthouse and Lucid.

  • Lucid was first exposed in April by the Swiss cybersecurity firm PRODAFT. It’s believed to be operated by a Chinese-speaking threat actor known as the XinXin group.
  • Lighthouse, on the other hand, is developed by a separate actor (known as Lao Wang) but shows significant overlap in infrastructure, templates, and targeting strategy.

Together, they represent one of the largest PhaaS networks we’ve seen to date.

  • Lucid has targeted 164 brands across 63 countries
  • Lighthouse has targeted 204 brands across 50 countries

And they’re not just cloning login pages. They’re using advanced filtering that requires a specific device, user agent, country, or even a secret path before the phishing page is served, so that only the intended victim ever sees it.

If you’re not the target? You get redirected to a generic fake shopping page, making it harder for security researchers to catch them in the act. This level of operational security shows just how mature these cybercrime ecosystems have become.

Phishers Are Moving Back to Email

One of the most surprising findings from Netcraft’s report is that criminals are actually moving away from Telegram and Discord for transmitting stolen data.

Instead, they’re going back to… good old-fashioned email.

Why?

  • Email is federated, meaning there’s no central authority to take down a campaign quickly.
  • Creating a throwaway email address is fast, anonymous, and free.
  • Tools like EmailJS allow attackers to capture login data and 2FA codes without hosting their own infrastructure.

Netcraft reports a 25% increase in email-based phishing in just one month. If you thought phishing emails were a thing of the past, think again.

Homoglyph Attacks

Another fascinating and dangerous trend we’re seeing is homoglyph attacks.

Attackers are registering domains that look almost identical to legitimate ones by swapping in characters from other alphabets.

For example, using the Japanese hiragana character “ん”, which at a glance looks like a forward slash.

Over 600 malicious domains using this technique have been found, many targeting cryptocurrency users by luring them into installing fake wallet browser extensions (for MetaMask, Coinbase, Phantom, Trust Wallet, and others).

If you think your team can “spot a phishing link” by just looking at it, this should make you nervous.
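One way to put the homoglyph problem into defender code: a small lookalike-hostname checker, added here as an illustration rather than code from Netcraft’s report or any vendor tool. The brand watchlist, the confusables map (which includes the hiragana “ん” described above) and the sample hostnames are constructed assumptions; a production deployment would use the full Unicode confusables table.

```python
import unicodedata

# Constructed watchlist: wallet brands the article says were impersonated (assumption).
PROTECTED_BRANDS = ("metamask", "coinbase", "phantom", "trustwallet")

# Constructed, deliberately small confusables map. Real tooling would load the Unicode
# confusables table; this is enough to show the mechanics.
CONFUSABLES = {
    "\u3093": "/",                       # hiragana ん: at a glance reads as a forward slash
    "\u0441": "c", "\u043e": "o",        # Cyrillic es / o
    "\u0430": "a", "\u0435": "e",        # Cyrillic a / ie
    "0": "o", "1": "l",                  # digit-for-letter swaps
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}  # two-letter sequences that read as one letter


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]   # e.g. LATIN, HIRAGANA, CYRILLIC


def decode_label(label: str) -> str:
    """Turn an IDNA A-label (xn--...) back into Unicode; pass plain labels through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Fold a hostname to the ASCII shape a human perceives when glancing at it."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    for seq, rep in MULTI_CONFUSABLES.items():
        folded = folded.replace(seq, rep)
    return folded


def analyze_hostname(hostname: str) -> dict:
    """Report script mixing, the ん trick, and brand lookalikes for one hostname."""
    labels = [decode_label(lab) for lab in hostname.rstrip(".").split(".")]
    unicode_host = ".".join(labels)
    findings = []
    for label in labels:
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if scripts - {"LATIN"}:                      # any non-Latin letters in a label
            findings.append(f"non-Latin script in label {label!r}: {sorted(scripts)}")
        if "\u3093" in label:                        # the slash lookalike called out above
            findings.append(f"hiragana 'ん' (reads as '/') in label {label!r}")
    skel = skeleton(unicode_host)
    lookalike = skel != unicode_host.casefold()      # skeleton changed => confusables used
    brand_hits = [b for b in PROTECTED_BRANDS if b in skel.replace("/", "")] if lookalike else []
    return {"hostname": hostname, "unicode": unicode_host, "skeleton": skel,
            "findings": findings, "brand_hits": brand_hits,
            "suspicious": bool(findings or brand_hits)}
```

Feed it the hostnames from your domain-monitoring feed (including raw `xn--` labels) and alert on `suspicious`; a legitimate brand hostname with no confusables comes back clean.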

How Legitimate Logos Are Fueling Fraud

Cybercriminals aren’t just after your login credentials anymore. They’re using your brand identity as bait to run full-blown scams.

Recent campaigns have impersonated Delta Airlines, AMC Theatres, Universal Studios, and Epic Records, tricking victims into completing fake “tasks” as part of bogus job offers.

Victims are told they need to deposit $100 in crypto to get started. This is classic advance-fee fraud, but now it’s scaled up with API-driven brand-impersonation templates allowing criminals to spin up hundreds of lookalike sites in minutes.


What This Means for Your Business

If you’re a business owner, CISO, or IT manager, here’s the tough love. You can’t afford to ignore this anymore.

This isn’t just about losing a few credentials; it’s about:

  • Revenue Risk – Business email compromise (BEC) costs companies billions every year. A successful phishing attack can shut down operations, drain funds, or cause compliance violations.
  • Reputation Damage – Your customers lose trust if they fall for a phishing site using your brand.
  • Legal liability – With regulations like GDPR and the upcoming EU AI Act, failing to secure customer data can lead to heavy fines.

How to Stay Ahead: A Practical Action Plan

Here’s what you should be doing right now to protect your business from PhaaS-driven attacks:

  • Invest in AI-Powered Security Tools – Traditional signature-based antivirus isn’t enough. Use tools that leverage AI to detect anomalies, phishing domains, and malicious behaviour in real-time.
  • Implement Zero-Trust Architecture – Assume every login attempt is malicious until proven otherwise. Enforce MFA, device verification, and least-privilege access.
  • Run Red-Team/Blue-Team Exercises – Simulate phishing campaigns inside your organisation. See who clicks, train them, repeat.
  • Monitor for Lookalike Domains – Use domain monitoring services to detect typosquats and homoglyph domains targeting your brand.
  • Stay Current on Threat Intelligence – Subscribe to reports from Netcraft, PRODAFT, and other threat intel providers. The landscape changes monthly. You need to stay informed.
  • Educate Your Employees – Phishing awareness training isn’t a “once a year” thing. Make it part of your culture.
  • Use an Automated Monitoring System – Endpoint Detection & Response (EDR) and SiteLock Security are designed to catch these attacks early. They watch for suspicious behaviour in real time.


Conclusion

The rise of Lighthouse and Lucid shows us where phishing is headed: automation, scalability, and sophistication.

This isn’t going away. In fact, it’s growing faster than many organisations can keep up with.

But the companies that win will be the ones that treat cybersecurity like growth marketing: constant iteration, investment, and education.

Don’t wait until you become the next case study. Act now, educate your team, and harden your defences with Cyber Security Services and Solutions.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.