____________________
Summary: The ‘Darcula’ phishing-as-a-service operation is a sophisticated and pervasive scam targeting consumers worldwide.
Key Points 🦇:
– Darcula has created 19,000 phishing domains in cyberattacks against over 100 countries
– The platform offers branded phishing campaigns for a subscription fee of $250 per month
– Darcula uses iMessage and RCS to bypass SMS firewalls
– The platform targets consumers with fake package delivery scams
– Darcula boasts support for around 200 phishing templates targeting various brands
– Phishing websites generated using Darcula can be updated on-the-fly to add new features and anti-detection functionality
———————
Phishing-as-a-service has come of age with what’s being billed as the most pervasive worldwide package scam operation to date.
The Chinese-language phishing-as-a-service platform “Darcula” has created 19,000 phishing domains in cyberattacks against more than 100 countries, researchers say. The platform offers cybercriminals easy access to branded phishing campaigns for subscription prices of around $250 per month, according to researchers at Internet infrastructure security vendor Netcraft.
Phishing-as-a-service platforms are not new, but Darcula raises the bar with more technical sophistication. It runs many of the same tools employed by application developers including JavaScript, React, Docker, and Harbor.
Darcula uses iMessage and RCS (Rich Communication Services) rather than SMS to send text messages — a feature that allows scam messages sent via the platform to bypass SMS firewalls, which normally block the delivery of suspicious messages.
Package Delivery Scam
The Darcula platform offers easy deployment of phishing sites with hundreds of templates targeting worldwide brands, including Kuwait Post, UAE-based telco Etisalat, Jordan Post, Saudi Post, Australia Post, Singapore Post, and postal services in South Africa, Nigeria, Morocco, and more.
Unlike recent attacks such as Fluffy Wolf, Darcula scams typically target consumers rather than businesses.
Phishing attacks using text messages, aka smishing, have been a hazard for years. Cybercriminals use “missed package” messages or similar lures to trick prospective marks into visiting bogus sites — disguised as postal carriers or banks — and handing over their payment card details or personal information. Google has taken steps to block RCS messages from rooted phones, but the effort has been only partially successful.
Israeli security researcher Oshri Kalfon started investigating Darcula last year after receiving a scam message in Hebrew.
Kalfon uncovered myriad clues about the operation of the platform after tracing the roots of the scam back to a control site whose admin panel was easy to access because the scammers had forgotten to change the default login credentials.
The Darcula platform boasts support for around 200 phishing templates, covering a range of brands. Postal services worldwide are the prime target but other consumer-facing organizations including utilities, financial institutions, government bodies (tax departments, etc), airlines, and telecom providers are also on the roster.
Purpose-built domains — rather than hacked legitimate ones — are characteristic of Darcula-based scams. The most common top-level domains (TLDs) used for Darcula are .top and .com, followed by numerous low-cost generic TLDs. Around a third (32%) of Darcula pages abuse Cloudflare, an option favored in Darcula’s documentation. Tencent, Quadranet, and Multacom are also being abused as hosts.
Phishing Nets
Since the start of 2024, Netcraft has detected an average of 120 new domains hosting Darcula phishing pages per day.
Robert Duncan, vice president of product strategy at Netcraft, describes Darcula as the “most pervasive worldwide package scam operation” his company has ever come across.
“Other operations we have seen recently have been of much smaller scale and more geographically targeted,” Duncan says. “For example, Frappo/LabHost was much more focused on North America and multinational brands.”
Unlike typical last-generation phishing kits, phishing websites generated using Darcula can be updated on the fly to add new features and anti-detection functionality.
For example, a recent Darcula update changed the kit to make the malicious content available through a specific path (i.e. example.com/track), rather than the front page (example.com), Netcraft says. The tactic disguises an attacker’s location.
On the front page, Darcula sites typically display a fake domain-for-sale or holding page. Previous versions redirected crawlers and bots to Google searches for various cat breeds.
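The path-based cloaking just described means a scanner that fetches only a site’s front page sees a harmless parked page. The following defender-side heuristic is an added example, not Netcraft’s or the kit’s own code: it compares the HTML fetched for `/` with the HTML fetched for a candidate sub-path such as `/track` and flags the combination of a parked root and a delivery-themed form that collects card data. The HTML samples and the `/track` path are constructed for illustration.

```python
"""Heuristic check for 'parked front page, phishing form on a sub-path' cloaking."""
import re
from html.parser import HTMLParser

# Phrases typical of domain-for-sale / holding pages (constructed list).
PARKED_PATTERNS = [r"domain (is )?for sale", r"buy this domain", r"coming soon", r"under construction"]
# Phrases typical of parcel-delivery smishing lures (constructed list).
LURE_PATTERNS = [r"track(ing)? (your )?(parcel|package)", r"redelivery", r"delivery fee", r"customs"]
SENSITIVE_NAME = re.compile(r"card|cvv|expir|ssn|passport|phone|address")

class FormScanner(HTMLParser):
    """Collect (type, name) of every <input> so we can see what a page harvests."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs.append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

def _text(html):
    return re.sub(r"<[^>]+>", " ", html).lower()

def sensitive_inputs(html):
    """Names of inputs that collect passwords, card data or PII."""
    s = FormScanner(); s.feed(html)
    return [n for t, n in s.inputs if t == "password" or SENSITIVE_NAME.search(n)]

def looks_parked(html):
    return any(re.search(p, _text(html)) for p in PARKED_PATTERNS)

def lure_score(html):
    """Number of distinct delivery-lure phrases present in the page text."""
    return sum(1 for p in LURE_PATTERNS if re.search(p, _text(html)))

def assess(pages):
    """pages maps a fetched path to its HTML. Returns (verdict, reasons)."""
    reasons = []
    root = pages.get("/", "")
    if looks_parked(root) and not sensitive_inputs(root):
        reasons.append("root is a parked/holding page")
    for path, html in pages.items():
        fields = sensitive_inputs(html)
        if path != "/" and fields and lure_score(html):
            reasons.append(f"{path}: delivery lure collecting {fields}")
    verdict = "cloaked-phish" if len(reasons) >= 2 else ("suspicious" if reasons else "clean")
    return verdict, reasons

# Constructed sample site: parked root, card-harvesting form under /track.
ROOT_HTML = "<html><body><h1>This domain is for sale</h1><p>Contact us to buy this domain.</p></body></html>"
TRACK_HTML = ('<html><body><h2>Track your parcel</h2><p>A redelivery fee of $1.99 is due.</p>'
              '<form><input name="cardNumber"><input name="cvv"><input name="expiry"></form></body></html>')
SAMPLE_SITE = {"/": ROOT_HTML, "/track": TRACK_HTML}
```

Run `assess(SAMPLE_SITE)` to see the two reasons that together produce the `cloaked-phish` verdict; fetching only `/` would have yielded nothing.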
Under the bonnet, Darcula uses the open source container registry Harbor to host Docker images of phishing websites written in React. Cybercriminals who rent the technology select a brand to target and then run a setup script that installs a brand-specific phishing website and an admin panel in Docker.
Evidence suggests that the operation is largely built for Chinese-speaking cybercriminals.
“Based on what we’ve observed, we believe that Darcula is primarily or exclusively using Chinese, with external templates in other languages being created by those using the platform,” Duncan says.
Block and Tackle
Many of the frequently recommended defenses against phishing also protect against scams generated via Darcula: avoid clicking links in unexpected messages, and instead go directly to the purported source’s website, such as the postal service’s own site.
Enterprises, meanwhile, should employ commercial security platforms to block access to known phishing sites, Duncan says.