March 28, 2024

Darcula phishing service aimed at iPhone users through iMessage

The latest phishing-as-a-service (PhaaS), Darcula, is an initiative utilising over 20,000 domains to mimic brands and steal credentials from both Android and iPhone users across 100 countries.

Darcula has targeted a wide array of services and institutions, spanning postal, financial, governmental, and taxation departments, as well as telcos, airlines, and utility companies, providing fraudsters with access to over 200 templates.

What sets this service apart is its utilisation of the Rich Communication Services (RCS) protocol within Google Messages and iMessage, departing from the conventional SMS method to reach its targets with phishing messages.

The Darcula phishing platform initially came to light last summer through the research of security experts. However, analysts have now observed a surge in its popularity within the cybercrime realm, noting its recent involvement in numerous prominent incidents.

In contrast to conventional phishing kits, Darcula is built on contemporary technologies such as JavaScript, React, Docker, and Harbor. This allows ongoing updates and the integration of new features without requiring clients to reinstall the phishing kits.

The phishing kit has a collection of 200 templates designed to mimic brands and organisations across over 100 countries. These landing pages are of superior quality, incorporating accurate local language, logos, and content.

The scammers choose a brand to mimic and execute a setup script, which then installs the corresponding phishing website along with its management dashboard directly into a Docker environment.

The system utilises the open-source container registry Harbor for hosting Docker images, while phishing sites are developed using React.

According to researchers, the Darcula service typically uses purpose-registered domains under the ".top" and ".com" top-level domains for its phishing attacks, with approximately one-third of these domains backed by Cloudflare.

20,000 Darcula domains across 11,000 IP addresses have been identified, with 120 new domains added daily.

Moving away from SMS

Darcula breaks away from conventional SMS-based tactics, opting instead for RCS (Android) and iMessage (iOS) to distribute messages containing links to phishing URLs.

This approach has the advantage that recipients perceive the messages as more legitimate, trusting additional safeguards that SMS lacks. And because RCS and iMessage support end-to-end encryption, intercepting and blocking phishing messages based on their content becomes impossible.

Recent global legislative efforts to combat SMS-based cybercrime by blocking suspicious messages are likely pushing PhaaS platforms towards alternative protocols like RCS and iMessage.

However, these protocols present their own challenges that cybercriminals must overcome.

Apple prohibits accounts that send large quantities of messages to numerous recipients, while Google has recently imposed a restriction preventing rooted Android devices from sending or receiving RCS messages.

The cybercriminals aim to avoid these limitations by generating numerous Apple IDs and utilising device farms to dispatch a limited number of messages from each device. A tougher hurdle to overcome is a safeguard within iMessage that permits recipients to click on a URL link solely after replying to the message.

To bypass this precaution, the phishing message directs the recipient to reply with either a 'Y' or '1' before reopening the message to access the link. However, this additional step may introduce friction that potentially diminishes the effectiveness of the phishing attack.
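For teams triaging messages that users report, the traits described above (a prompt to reply 'Y' or '1' before using a link, and links on ".top" domains) can be checked mechanically. The following Python is an added example, not part of the original article or of any researcher's tooling; the function names, the scoring and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The article names ".top" and ".com" as Darcula's usual TLDs. ".com" is too
# common to be a signal alone, so only ".top" is scored (assumption).
WATCHED_TLDS = {"top"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Wording that asks for a reply of 'Y' or '1', the step the article says
# the lure uses to make the link usable in iMessage.
REPLY_RE = re.compile(r"\b(?:reply|respond)\b[^.\n]{0,40}?\b(?:Y|1)\b", re.IGNORECASE)


def link_hosts(message: str) -> list[str]:
    """Return the lower-cased hostname of every http(s) link in the text."""
    hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        hosts.append(host.rstrip("."))
    return hosts


def triage(message: str) -> dict:
    """Score one reported message against the traits described above."""
    hosts = link_hosts(message)
    indicators = []
    if REPLY_RE.search(message):
        indicators.append("reply-to-activate prompt")
    if any(h.rsplit(".", 1)[-1] in WATCHED_TLDS for h in hosts):
        indicators.append("link on watched TLD")
    if hosts and "reply-to-activate prompt" in indicators:
        verdict = "escalate"   # reply prompt plus a link: the pattern in the article
    elif indicators:
        verdict = "review"     # one weak signal only
    else:
        verdict = "no indicator"
    return {"hosts": hosts, "indicators": indicators, "verdict": verdict}


# Constructed sample messages (not real lures; the domains are placeholders).
SAMPLES = [
    "Your parcel is held at the depot. Please reply Y, then exit and reopen "
    "this message to activate the link: https://parcel.constructed-sample.top/update",
    "Your dentist appointment is confirmed for Tuesday at 10:30. Reply STOP to opt out.",
    "Track your order at https://shop.constructed-sample.com/orders/1234",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text)["verdict"], "<-", text[:50])
```

Because RCS and iMessage are end-to-end encrypted, a check like this only applies to text a recipient has forwarded or reported, not to messages in transit.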

Moving forward

It's crucial for users to approach any incoming messages prompting them to click on URLs with caution, particularly if the sender is unfamiliar. Phishing threat actors will persist in exploring novel delivery techniques across various platforms and apps.

It’s always important to stay vigilant for signs such as poor grammar, spelling mistakes, overly enticing offers, or demands for immediate action.

Exercises such as phishing training and assessments can help combat employee mistakes and further strengthen your first line of security.
