Darcula Phishing Service Strikes: Targets Android & iPhone
Netcraft has unveiled the emergence of a new phishing service named Darcula, which manipulates over 20,000 domains to mimic popular brands, aiming to pilfer Android and iPhone users’ credentials across more than 100 countries.
The Phishing-as-a-Service (PHaaS) platform, Darcula, distinguishes itself from similar services through its novel approach to distributing phishing messages. Rather than relying on traditional SMS, malefactors employ Rich Communication Services (RCS) protocols for Google Messages and iMessage. This strategy renders the messages more convincing and circumvents certain security measures.
Darcula offers its clientele more than 200 templates for crafting phishing pages that replicate the interfaces of well-known organizations, including financial institutions, governmental agencies, telecommunication firms, and airlines. The pages are of high quality, utilizing local languages, logos, and content to enhance their authenticity.
Cybercriminals select a brand to imitate and initiate an installation script that deploys the corresponding phishing site within a Docker environment. The system utilizes the open container registry Harbor to host the Docker image, while the sites themselves are developed using React.
Netcraft analysts note that Darcula typically employs top-level domains “.top” and “.com” for hosting phishing attacks, with approximately a third of them shielded by Cloudflare. A total of 20,000 domains associated with Darcula, spread across 11,000 IP addresses, have been identified. It’s reported that about 120 new domains are added daily.
The shift from SMS to RCS and iMessage reduces the phishing messages’ susceptibility to content-based blocking, thanks to the support for end-to-end encryption (E2EE). Legislative advancements aimed at combating cybercrime through SMS likely spurred the transition to these protocols.
The advantage of utilizing RCS lies in the recipients’ heightened likelihood of trusting the message, confidence in the additional assurances unavailable with SMS.
Users are advised to exercise caution with all incoming messages that prompt clicking on links, especially from unknown senders. Inconsistencies in grammar, spelling errors, overly enticing offers, or calls for immediate action should arouse suspicion.
