Darcula: The New Phishing-as-a-Service Targeting Android and iPhone Users Worldwide

Mar 28, 2024 | News





A sophisticated phishing-as-a-service (PhaaS) operation dubbed ‘Darcula’ has emerged, utilizing over 20,000 domains to impersonate brands and extract credentials from Android and iPhone users across more than 100 countries.

Darcula’s reach extends across various sectors, from postal and financial services to government agencies and telecommunications providers, offering cybercriminals a selection of over 200 templates for their fraudulent activities.

Landing pages available in the Darcula kit (Netcraft)

What sets Darcula apart is its use of the Rich Communication Services (RCS) protocol, employed by Google Messages, and of iMessage, instead of traditional SMS, to deliver phishing messages to targets.

Initially brought to light by security researcher Oshri Kalfon last summer, Darcula has gained traction in the cybercrime community, being implicated in several notable phishing incidents, including scams affecting users in the UK and package fraud schemes mimicking the United States Postal Service (USPS).


Unlike conventional phishing methods, Darcula leverages modern technologies like JavaScript, React, Docker, and Harbor, allowing for seamless updates and feature enhancements without the need for clients to reinstall phishing kits.

Featuring 200 phishing templates localized for various countries, Darcula’s landing pages are meticulously crafted, incorporating authentic language, logos, and content tailored to specific regions.

The platform streamlines the setup process for fraudsters, enabling them to select a brand to impersonate and deploy the corresponding phishing site and management dashboard within a Docker environment.

Darcula primarily utilizes “.top” and “.com” top-level domains for hosting its purpose-registered domains, with approximately one-third of these domains being supported by Cloudflare.

In a departure from SMS-based tactics, Darcula leverages RCS (Android) and iMessage (iOS) to deliver phishing messages to victims, capitalizing on the perceived legitimacy and enhanced security features offered by these protocols.

RCS message sent from Darcula (Netcraft)




While global efforts to combat SMS-based cybercrime have prompted a shift towards alternative protocols like RCS and iMessage, cybercriminals must navigate the restrictions imposed by these platforms, such as Apple’s limitations on high-volume messaging and Google’s restrictions on rooted Android devices.

Despite these challenges, Darcula operators employ various tactics to circumvent restrictions, including the creation of multiple Apple IDs and the use of device farms to send messages. Additionally, phishing messages instruct recipients to reply before accessing links, introducing friction that may diminish the effectiveness of the attack.

Phishing message sent through iMessage (Netcraft)

As phishing threat actors continue to innovate and experiment with new delivery methods, users are urged to remain vigilant and skeptical of unsolicited messages, particularly those urging immediate action or containing grammatical errors and spelling mistakes.
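For defenders who triage reported messages, the traits described above (brand impersonation, links on ".top" domains, a request to reply before opening the link) can be combined into a simple scoring check. This is an added example, not code from Netcraft or from the kit; the word lists, the brand-to-domain map and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Traits from the article: brand impersonation, purpose-registered ".top"
# domains, and a request to reply before opening the link.
# The patterns and the brand map below are assumptions made for this example.
OFFICIAL_DOMAINS = {"usps": {"usps.com"}}  # brand keyword -> legitimate domains
REPLY_PROMPT = re.compile(r"\breply\b.{0,40}\b(y|yes|1)\b", re.I | re.S)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent|suspended)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def registrable(host):
    """Naive last-two-labels domain; fine for .top/.com, wrong for .co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(message):
    """Return (score, reasons) for one RCS/iMessage body."""
    reasons = []
    hosts = [urlsplit(u).hostname or "" for u in URL.findall(message)]
    text = message.lower()
    for brand, legit in OFFICIAL_DOMAINS.items():
        if brand in text:
            for h in hosts:
                if registrable(h) not in legit:
                    reasons.append(f"brand '{brand}' with off-brand link {h}")
    if any(h.endswith(".top") for h in hosts):
        reasons.append("link on .top TLD")
    # A reply prompt only counts when the message also carries a link.
    if hosts and REPLY_PROMPT.search(message):
        reasons.append("asks for a reply before opening the link")
    if URGENCY.search(message):
        reasons.append("urgency wording")
    return len(reasons), reasons

# Constructed sample messages; the .top domain is a made-up placeholder.
SAMPLES = [
    "USPS: your package is on hold due to an incomplete address. Please "
    "confirm within 12 hours: https://usps-constructed-sample.top/track "
    "(Reply Y, then exit the message and reopen it to activate the link.)",
    "Your USPS package has shipped. Details at https://www.usps.com/",
    "Lunch at noon? Reply yes if that works.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, why = triage(msg)
        print(score, why)
```

A score is a prioritization hint for an analyst queue, not a verdict; a ".com" lookalike would only be caught by the brand-mismatch rule.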


Source: hackread.com
