New Darcula phishing service targets iPhone users via iMessage

March 27, 2024 at 06:14PM

Summary: ‘Darcula’ is a sophisticated phishing-as-a-service (PhaaS) using 20,000 domains to target Android and iPhone users in over 100 countries. It employs modern techniques like RCS and iMessage to send phishing messages and offers over 200 templates. Cybercriminals are adapting to legislation by embracing alternative protocols but face challenges. Users are advised to remain vigilant against phishing threats.

Key points:
– A new phishing-as-a-service (PhaaS) named ‘Darcula’ employs modern technologies such as JavaScript, React, Docker, and Harbor, enabling continuous updates and new feature additions without clients needing to reinstall the phishing kits.
– It approaches targets using the Rich Communication Services (RCS) protocol for Google Messages and iMessage instead of SMS for sending phishing messages, making it more difficult to block and intercept phishing messages.
– The phishing kit offers 200 phishing templates that impersonate brands and organizations in more than 100 countries, with high-quality landing pages using correct local language, logos, and content.
– Darcula uses “.top” and “.com” top-level domains to host purpose-registered domains for the phishing attacks, with roughly one-third of those backed by Cloudflare.
– Recent global legislation efforts aimed at curbing SMS-based cybercrime are likely pushing PhaaS platforms towards alternative protocols such as RCS and iMessage. However, these protocols come with their own sets of restrictions that cybercriminals have to overcome, such as restrictions on high volumes of messages and interception of URL links.
– To get around the iMessage safeguard that only lets recipients click a URL link after they have replied to the message, the phishing message instructs the recipient to reply with a ‘Y’ or ‘1’ and then reopen the message to follow the link.
– Netcraft researchers recommend paying attention to inaccurate grammar, spelling errors, overly attractive offers, or calls to urgent actions in incoming messages and urge users to treat all messages urging them to click on URLs with suspicion, especially if the sender is not recognized.
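
The reply-then-reopen instruction described above is a useful signal for message filtering. The following Python sketch is an added example, not code from Netcraft or the original article: it flags a message only when a link appears together with a "reply Y/1" instruction. The sample messages, the example.* hostnames and the indicator names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# "reply Y" / "reply with 1": the instruction the article says the lure uses.
REPLY_RE = re.compile(r"\brepl(?:y|ied)\b(?:\s+with)?\s+[\"'‘’“”]?(?:y|1)\b", re.I)
# "reopen the message" wording; the "open ... again" variant is an assumption.
REOPEN_RE = re.compile(r"\b(?:re-?open|open\s+(?:it|the\s+message)\s+again)\b", re.I)

def analyze(text):
    """Return the link hosts and the lure indicators found in one message."""
    hosts = [urlparse(u.rstrip(".,;:!?)")).hostname or ""
             for u in URL_RE.findall(text)]
    indicators = []
    # A reply prompt alone is normal (appointment reminders); it only counts
    # when the same message also carries a link the reply would activate.
    if hosts and REPLY_RE.search(text):
        indicators.append("reply_to_enable_link")
    if hosts and REOPEN_RE.search(text):
        indicators.append("reopen_instruction")
    # ".com" is far too common to be a signal by itself, so only ".top" is noted.
    if any(h.endswith(".top") for h in hosts):
        indicators.append("top_tld")
    return {"hosts": hosts, "indicators": indicators,
            "suspicious": "reply_to_enable_link" in indicators}

# Constructed sample messages (not real captures).
SAMPLES = [
    "Your parcel could not be delivered due to an incomplete address. "
    "Please reply Y, then exit and reopen the message to activate the link: "
    "https://post-redelivery.example.top/track",
    "Your dentist appointment is tomorrow at 10:00. Reply Y to confirm.",
    "Here are the photos from Saturday: https://photos.example.com/album/42",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = analyze(msg)
        print(result["suspicious"], result["indicators"], "|", msg[:50])
```

Only the first sample is flagged; the reminder has a reply prompt but no link, and the photo message has a link but no reply prompt.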
