A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries leveraging a massive network of over 20,000 spoofed domains to help cybercriminals launch large-scale attacks.
“Using iMessage and RCS instead of SMS to send text messages has the side effect of bypassing SMS firewalls, which are used to great effect to target USPS along with postal services and other established organizations in over 100 countries,” he said Netcraft.
Darcula has been employed in several high-profile phishing attacks over the last year, where smishing messages are sent to both Android and iOS users in the UK, as well as those exploiting package delivery baits impersonating legitimate services like USPS.
Darcula, a Chinese-language PhaaS, is advertised on Telegram and offers support for around 200 templates impersonating legitimate brands that customers can use for a monthly fee to create phishing sites and carry out their malicious activities.
Most models are designed to mimic postal services, but also include public and private services, financial institutions, government entities (e.g., tax departments), airlines, and telecommunications organizations.
Phishing sites are hosted on specially registered domains that spoof their respective brand names to add a veneer of legitimacy. These domains are supported by Cloudflare, Tencent, Quadranet and Multacom.
In total, more than 20,000 Darcula-related domains have been detected across 11,000 IP addresses, with an average of 120 new domains identified per day since the beginning of 2024. Some aspects of the PhaaS service were revealed in July 2023 by Israeli security researcher Oshri Kalfon.
One of Darcula’s interesting additions is its ability to update phishing sites with new features and anti-detection measures without having to remove and reinstall the phishing kit.
“On the front page, Darcula sites display a fake domain for sale/holding page, possibly as a form of obfuscation to hinder takedown efforts,” the UK-based company said. “In previous iterations, Darcula’s anti-tracking mechanism redirected visitors believed to be bots (rather than potential victims) to Google searches for various cat breeds.”
Darcula’s smishing tactics also deserve special attention as they primarily exploit Apple iMessage and the RCS (Rich Communication Services) protocol used in Google Messages instead of SMS, thus evading some filters put in place by network operators to prevent fraudulent messages are delivered to potential victims.
“While end-to-end encryption in RCS and iMessage provides valuable privacy to end users, it also allows criminals to evade the filters required by this legislation by making it impossible for network operators to examine message content, leaving Google and Apple on devices use spam detection and third-party spam filtering apps as the primary line of defense that prevents these messages from reaching victims,” Netcraft added.
“Additionally, they do not incur any cost per message, typical of SMS, thus reducing delivery costs.”
Aside from the move away from traditional SMS-based phishing, another noteworthy aspect of Darcula’s smishing messages is their sneaky attempt to bypass a security measure in iMessage that prevents links from being clickable unless the message is from from a known sender.
This involves asking the victim to reply with a “Y” or “1” message and then reopening the conversation to follow the link. One such message posted on the r/phishing subreddit shows users being persuaded to click on the URL by claiming they have provided an incomplete delivery address for the USPS package.
These iMessages are sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind the operation are creating fake email accounts and registering them with Apple to send the messages.
Google, for its part, recently said that it is blocking the ability to send messages using RCS on rooted Android devices to reduce spam and abuse.
The ultimate goal of these attacks is to trick recipients into visiting fake sites and handing over their personal and financial information to scammers. There is evidence to suggest that Darcula is aimed at Chinese-speaking electronic crime groups.
Phishing kits can have serious consequences as they allow less experienced criminals to automate many of the steps needed to conduct an attack, thus lowering the barriers to entry.
The development comes amid a new wave of phishing attacks exploiting Apple’s password reset feature, bombarding users with what is called a rapid bombing attack (also known as MFA fatigue) in hopes of hijacking their accounts.
Assuming a user manages to deny all requests, “scammers will then call the victim by spoofing Apple Support in the caller ID, saying that the user’s account is under attack and that Apple Support needs to ‘verify’ a one-time code ,” said security journalist Brian Krebs.
Voice phishers have been found to use victim information obtained from user search websites to increase their chances of success and ultimately “trigger an Apple ID reset code to be sent to the user’s device.” which, if provided, allows attackers to reset the password on the account and lock out the user.
Attackers are suspected to be abusing a loophole in the password reset page on iforgot.apple[.]com to send dozens of password change requests in order to bypass rate-limiting protections.
The findings also follow research by FACCT that SIM swappers transfer a targeted user’s phone number to their device with an embedded SIM (eSIM) to gain unauthorized access to the victim’s online services. The practice is said to have been employed in the wild for at least a year.
This is done by launching an application on the operator’s website or an application to transfer the number from a physical SIM card to an eSIM masquerading as a victim, causing the rightful owner to lose access to the number as soon as the code is generated eSIM QR is activated.
“Having gained access to the victim’s mobile number, cybercriminals can obtain login codes and two-factor authentication for various services, including banks and messaging services, opening up a number of opportunities for criminals to carry out fraudulent schemes “, said security researcher Dmitry Dudkov.