A new phishing-as-a-service (PhaaS) platform called Darcula uses 20,000 domains to impersonate brands and steal credentials from Android and iPhone users in more than 100 countries.
Darcula has been used to impersonate organizations across the postal, financial, government, tax, telecommunications, airline and utility sectors, and offers fraudsters more than 200 templates to choose from.
One notable feature of the service is that it delivers its phishing messages over the Rich Communication Services (RCS) protocol used by Google Messages, and over iMessage, rather than over SMS.
Darcula Phishing Service
Darcula was first documented last summer by security researcher Oshri Kalfon, but Netcraft analysts report that the platform has become increasingly popular in the cybercrime space and has recently been used in several high-profile cases.
Unlike traditional phishing kits, Darcula is built on modern technologies such as JavaScript, React, Docker and Harbor, which lets operators continually push updates and new features to clients without requiring them to reinstall their phishing kits.
This phishing kit features 200 phishing templates impersonating brands and organizations from over 100 countries. Landing pages are high quality and use the correct local language, logo, and content.
The scammer selects a brand to impersonate and runs a setup script that installs the corresponding phishing site and its administrative dashboard directly into the Docker environment.
The system uses the open source container registry Harbor to host Docker images, and the phishing site is developed using React.
According to the researchers, the domains registered for Darcula phishing attacks typically use the ".top" and ".com" top-level domains, and about a third of them are fronted by Cloudflare.
Netcraft maps 20,000 Darcula domains to 11,000 IP addresses, with 120 new domains added every day.
SMS abandonment
Darcula deviates from traditional SMS-based tactics and instead utilizes RCS (Android) and iMessage (iOS) to send messages to victims containing links to phishing URLs.
The advantage for the attacker is that recipients are more likely to trust the message as legitimate, because RCS and iMessage carry safeguards, such as sender verification and encryption, that SMS lacks.
In addition, RCS and iMessage support end-to-end encryption, so carriers and network-level filters cannot inspect message content in transit, which rules out intercepting and blocking phishing messages on the basis of their content at that layer.
Netcraft believes that recent global regulatory efforts to curb SMS-based cybercrime by blocking suspicious messages make it likely that PhaaS platforms will move to alternative protocols such as RCS and iMessage.
However, these protocols come with their own set of limitations that cybercriminals must overcome.
For example, Apple bans accounts that send large numbers of messages to many recipients, and Google recently introduced a restriction that prevents rooted Android devices from sending and receiving RCS messages.
Cybercriminals try to circumvent these restrictions by creating many Apple IDs and using device farms, sending only a small number of messages from each device.
A more significant hurdle is an iMessage safeguard that makes URL links in a message from an unknown sender clickable only after the recipient has replied to it.
To get around this, the phishing messages instruct recipients to reply with "Y" or "1" and then reopen the message to follow the link. This extra step adds friction and reduces the effectiveness of the attack.
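The two observable traits described above, the heavy use of ".top" domains and the "reply with Y or 1" instruction used to unlock iMessage links, can be turned into a simple message-triage rule. The following is an added example written for this article, not code from Netcraft or from the Darcula kit; the scoring weights, the urgency phrases, the verdict thresholds and the sample messages (with made-up domains) are all assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator sources (from the article): Darcula hosts on .top and .com domains,
# and its iMessage lures ask the target to reply "Y" or "1" to unlock the link.
# Only .top is scored below; .com is far too common to flag on its own.
SUSPICIOUS_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches "Reply Y", "respond with 1", "answer 'Y' and reopen", and similar.
REPLY_LURE_RE = re.compile(
    r"\b(?:reply|respond|answer)\b[^.\n]{0,30}?[\"'“”‘’]?\b(?:y|1)\b[\"'“”‘’]?",
    re.IGNORECASE,
)
# Generic urgency phrases typical of delivery and account-suspension lures (assumed list).
URGENCY_RE = re.compile(
    r"\b(?:urgent|immediately|within 24 hours|suspended|final notice|unpaid|redeliver)\b",
    re.IGNORECASE,
)


def extract_tlds(text):
    """Return the lowercase TLD of every URL host found in the message."""
    tlds = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and "." in host:
            tlds.append(host.rsplit(".", 1)[-1].lower())
    return tlds


def analyze_message(text):
    """Score one message and return the indicators that fired plus a verdict.

    Weights and thresholds are illustrative assumptions, not published rules.
    """
    indicators, score = [], 0
    for tld in extract_tlds(text):
        if tld in SUSPICIOUS_TLDS:
            indicators.append(f"suspicious_tld:{tld}")
            score += 2
    if REPLY_LURE_RE.search(text):
        indicators.append("reply_to_unlock_lure")
        score += 2
    if URGENCY_RE.search(text):
        indicators.append("urgency_language")
        score += 1
    if score >= 3:
        verdict = "likely phishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "indicators": indicators, "verdict": verdict}


# Constructed sample messages (not real Darcula lures; the domains are invented).
SAMPLE_MESSAGES = [
    "USPS: Your package could not be delivered due to an incomplete address. "
    "Update it within 24 hours: https://usps-redelivery-hold.top/track "
    "Reply Y and reopen this message to activate the link.",
    "Hey, still on for lunch tomorrow? Menu is here: https://www.example.com/menu",
    "Your parcel is waiting. Confirm your details at https://example.com/confirm",
    "Your package is on hold. Reply 1 to receive the tracking link.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze_message(msg)
        print(f"{result['verdict']:16} score={result['score']} {result['indicators']}")
```

The third sample shows why a URL alone is not scored: a plain link on an ordinary domain with no lure and no pressure language looks like legitimate traffic, whereas the fourth sample, the first half of a two-step "reply to unlock" lure with no link at all, is still flagged as suspicious because the reply instruction itself is the tell.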
Users should treat all incoming messages that prompt them to click on a URL with suspicion, especially if the sender is not recognized. Regardless of platform or app, phishers continue to experiment with new delivery methods.
Netcraft researchers also recommend paying attention to inaccurate grammar, misspellings, overly attractive offers, or urgent calls to action.