The Phishing-as-a-Service operation “Darcula” claims victims around the world

Phishing as a service has come of age with what is being called the most pervasive package scam operation globally to date.

The Chinese-language phishing-as-a-service platform “Darcula” created 19,000 phishing domains in cyberattacks against more than 100 countries, researchers say. According to researchers at internet infrastructure security provider Netcraft, the platform offers cybercriminals easy access to branded phishing campaigns for subscription prices of around $250 per month.

Phishing-as-a-service platforms are not new, but Darcula raises the bar with greater technical sophistication. It is built on many of the tools used by application developers, including JavaScript, React, Docker, and Harbor.

Darcula uses iMessage and RCS (Rich Communication Services) rather than SMS to send text messages, a feature that allows scam messages sent via the platform to bypass SMS firewalls, which normally block the delivery of suspicious messages.

Parcel delivery scam

The Darcula platform offers easy deployment of phishing sites with hundreds of templates targeting brands around the world, including Kuwait Post, UAE-based telecommunications company Etisalat, Jordan Post, Saudi Post, Australia Post, Singapore Post and postal services in South Africa, Nigeria, Morocco and more.

Unlike recent attacks such as Naughty Wolf, Darcula scams typically target consumers rather than businesses.

Phishing attacks via text messages, i.e., smishing, have been a danger for years. Cybercriminals use "missed package" messages or similar lures to trick potential victims into visiting fake sites, disguised as postal carriers or banks, and handing over their payment card details or personal information. Google took steps to block RCS messages from rooted phones, but the effort was only partially successful.

Israeli security researcher Oshri Kalfon began investigating Darcula last year after receiving a scam message in Hebrew.

Kalfon discovered a myriad of clues about the functioning of the platform after tracing the scam's roots to a control site whose admin panel was easy to hack because the scammers forgot to change the default login credentials.

The Darcula platform boasts support for around 200 phishing templates, covering a wide range of brands. Postal services around the world are the primary focus, but other consumer-facing organizations are also on the roster, including utilities, financial institutions, government bodies (tax departments, etc.), airlines, and telecommunications providers.

Purpose-registered domains, rather than compromised legitimate ones, are a feature of Darcula-based scams. The most common top-level domains (TLDs) used for Darcula are .top and .com, followed by numerous low-cost generic TLDs. About a third (32%) of Darcula pages abuse Cloudflare, a favored option in the Darcula documentation. Tencent, Quadranet and Multacom are also abused as hosting providers.

Phishing networks

As of early 2024, Netcraft has detected an average of 120 new domains hosting Darcula phishing pages per day.

Robert Duncan, vice president of product strategy at Netcraft, describes Darcula as “the most pervasive global package scam operation” his company has ever encountered.

“Other operations we have seen recently have been much smaller in scale and more geographically targeted,” Duncan says. “For example, Frappo/LabHost was much more focused on North America and multinational brands.”

Unlike typical earlier-generation phishing kits, phishing websites generated using Darcula can be updated on the fly to add new features and anti-detection capabilities.

For example, a recent update to Darcula modified the kit to serve malicious content only under a specific path (e.g. example.com/track) rather than on the front page (example.com), Netcraft says. The tactic hides where the attack is hosted.

On the front page, Darcula sites typically display a fake "domain for sale" holding page. Previous versions redirected crawlers and bots to Google searches for various cat breeds.
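The hosting pattern described in the two paragraphs above (a bland holding page on the front page, with the card-harvesting form only under a deep path) can be triaged heuristically. The following is an added example for defenders, not code from Netcraft or from the Darcula kit; the HTML samples are constructed, and the marker lists and field names are assumptions for illustration.

```python
"""Flag sites whose front page is a 'domain for sale' holding page while a
deep path (such as /track) serves a form that asks for payment card data.
Added example; HOLDING_MARKERS, SENSITIVE_FIELDS and the samples are assumed."""
import re
from html.parser import HTMLParser

# Phrases typical of parked / for-sale holding pages (assumed list).
HOLDING_MARKERS = ("domain for sale", "this domain is for sale", "parked", "buy this domain")
# Normalised input names that indicate credential or card harvesting (assumed list).
SENSITIVE_FIELDS = {"cardnumber", "cvv", "cvc", "expiry", "password", "otp", "pin"}

class FormScanner(HTMLParser):
    """Collects <input> names (and password types) so a harvesting form can be told apart."""
    def __init__(self):
        super().__init__()
        self.has_form = False
        self.fields = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.has_form = True
        elif tag == "input":
            name = re.sub(r"[^a-z0-9]", "", (a.get("name") or "").lower())
            if (a.get("type") or "").lower() == "password":
                name = "password"
            self.fields.append(name)

def looks_like_holding_page(html: str) -> bool:
    text = re.sub(r"<[^>]+>", " ", html).lower()     # crude tag strip for text matching
    return any(m in text for m in HOLDING_MARKERS)

def harvests_sensitive_data(html: str) -> bool:
    s = FormScanner()
    s.feed(html)
    return s.has_form and any(f in SENSITIVE_FIELDS for f in s.fields)

def triage(front_html: str, deep_html: str) -> str:
    """Classify a site from its front page and the page at the path found in the lure."""
    if looks_like_holding_page(front_html) and harvests_sensitive_data(deep_html):
        return "suspicious: holding page in front of a data-harvesting path"
    if harvests_sensitive_data(deep_html):
        return "review: harvesting form without a holding page"
    return "benign"

# Constructed samples standing in for fetched pages.
FRONT = "<html><body><h1>This domain is for sale</h1><p>Contact the owner.</p></body></html>"
DEEP = ('<html><body><h2>Your parcel is waiting</h2><form method="post" action="/track/pay">'
        '<input name="card_number"><input name="cvv"><input name="expiry"></form></body></html>')
LEGIT = '<html><body><h1>Example Post</h1><form action="/search"><input name="tracking_id"></form></body></html>'

if __name__ == "__main__":
    print(triage(FRONT, DEEP))
```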

Under the hood, Darcula uses the open source Harbor container registry to host Docker images of phishing websites written in React. Cybercriminals who rent the technology select a brand to target before running a setup script that installs a brand-specific phishing website and admin panel in Docker.

Evidence suggests that the operation is largely designed for Chinese-speaking cybercriminals.

“Based on what we’ve observed, we believe Darcula uses mostly or exclusively Chinese, with external templates in other languages created by those using the platform,” Duncan says.

Block and tackle

Many of the commonly recommended defenses against phishing apply to scams generated through Darcula: avoid clicking on links in unexpected messages and instead go directly to the website of the supposed source, such as the postal service.

Companies, meanwhile, should use commercial security platforms to block access to known phishing sites, Duncan says.
