Darcula is a new phishing-as-a-service (PhaaS) that targets Android and iPhone consumers in more than 100 countries by using 20,000 domains to impersonate brands and collect login credentials.
With more than 200 templates available to fraudsters, Darcula has been used against a wide range of services and organisations, including the postal, financial, government, tax, and utility sectors as well as telcos and airlines.
One feature that distinguishes the service is that it contacts the targets over the Rich Communication Services (RCS) protocol for Google Messages and iMessage rather than SMS for sending phishing messages.
Darcula's phishing service
Darcula was first discovered by security researcher Oshri Kalfon last summer, but according to Netcraft researchers, the platform is becoming increasingly popular in the cybercrime sphere, having lately been employed across numerous high-profile incidents.
Darcula, unlike previous phishing approaches, uses modern technologies such as JavaScript, React, Docker, and Harbour, allowing for continual updates and new feature additions without requiring users to reinstall the phishing kit.
The phishing kit includes 200 phishing templates that spoof businesses and organisations from over 100 countries. The landing pages are high-quality, with proper local language, logos, and information.
The fraudsters choose a brand to spoof and then run a setup script that installs the phishing site and management dashboard right into a Docker environment.
The Docker image is hosted via the open-source container registry Harbour, and the phishing sites are built with React.
According to the researchers, the Darcula service commonly uses ".top" and ".com" top-level domains to host purpose-registered domains for phishing attacks, with Cloudflare supporting nearly a third of those.
Netcraft has mapped 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added everyday.
Abandoning SMS
Darcula breaks away from standard SMS-based methods, instead using RCS (Android) and iMessage (iOS) to send victims texts with links to the phishing URL.
The benefit is that victims are more likely to perceive the communication as trusting the additional safeguards that aren’t available in SMS.
Furthermore, because RCS and iMessage use end-to-end encryption, it is impossible to intercept and block phishing messages based on their content.
According to Netcraft, recent global legislative initiatives to combat SMS-based crimes by restricting suspicious communications are likely encouraging PhaaS providers to use other protocols such as RCS and iMessage.
Any incoming communication asking the recipient to click on a URL should be viewed with caution, especially if the sender is unknown. Phishing threat actors will never stop trying with novel delivery techniques, regardless of the platform or app.
Researchers at Netcraft also advise keeping an eye out for misspellings, grammatical errors, unduly tempting offers, and calls to action.
