
A sophisticated Phishing-as-a-Service (PhaaS) platform called Darcula leverages a network of more than 20,000 fake domain names to help cybercriminals launch large-scale attacks against organizations in more than 100 countries.
“Using iMessage and RCS instead of SMS to send text messages has the side effect of bypassing SMS firewalls, and this is being used to target the USPS along with other postal services and established organizations in more than 100 countries,” Netcraft said.
Darcula was involved in several high-profile phishing attacks last year, in which phishing messages were sent to Android and iOS users in the UK, in addition to attacks that used package-delivery lures by impersonating legitimate services such as the USPS.
Darcula is a Chinese PhaaS advertised on Telegram that offers support for approximately 200 templates impersonating legitimate brands, which customers can use for a monthly fee to build phishing sites and perform malicious activities.
Most templates are designed to mimic the postal service, but they also include public and private utilities, financial institutions, government agencies (such as tax authorities), airlines, and telecommunications organizations.
Phishing websites are hosted on specially registered domains that spoof the corresponding brand name to increase the appearance of legitimacy. These domains are served through Cloudflare, Tencent, Quadranet and Multacom.
In total, more than 20,000 Darcula-related domains have been detected across 11,000 IP addresses, with an average of 120 new domains discovered every day since the beginning of 2024. Israeli security researcher Oshri Kalfon first disclosed aspects of the PhaaS service in July 2023.

An interesting new addition to Darcula is its ability to update phishing sites with new features and anti-detection measures without having to delete and reinstall the phishing kit.
“On the homepage, the Darcula website displays a fake domain sale/holding page, which may be a form of disguise to disrupt takedown efforts,” the UK-based company said. “In previous iterations, Darcula’s anti-surveillance mechanism redirected visitors thought to be bots (rather than potential victims) to Google searches for various cat breeds.”
Darcula’s delivery tactics also deserve special attention: the messages are sent primarily over Apple iMessage and Google Messages’ RCS (Rich Communication Services) rather than SMS, thereby circumventing some of the filtering controls that network operators have put in place to stop scam messages from reaching potential victims.
“While end-to-end encryption in RCS and iMessage provides end users with valuable privacy, it also allows criminals to evade the filtering required by this legislation by making it impossible for network operators to inspect the content of messages, leaving Google’s and Apple’s on-device spam detection and third-party spam filtering applications as the primary lines of defense in preventing these messages from reaching victims,” Netcraft added.
“Additionally, they do not incur the per-message fees that are typical for text messages, thus reducing delivery costs.”
Beyond the departure from traditional SMS-based phishing, another noteworthy aspect of Darcula’s phishing messages is that they covertly attempt to bypass a security measure in iMessage that prevents links from being clicked unless the message comes from a known sender.
This requires instructing the victim to reply with a “Y” or “1” message and then reopen the conversation to click the link. One such message posted on the r/phishing subreddit tells the recipient that they provided an incomplete USPS package delivery address and urges them to click on the URL.
These iMessages were sent from email addresses such as pl4396@gongmiaq.com and mb6367587@gmail.com, indicating that the threat actors behind this operation were creating fake email accounts and registering them with Apple to send messages.
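The lure pattern described above (a delivery pretext, a link, an instruction to reply “Y” or “1” and reopen the thread, and a sender that is an e-mail address rather than a phone number) can be turned into a simple detection rule. The following Python is an added example, not code from Netcraft or the article; the sample messages, sender addresses and domain are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:
    sender: str   # phone number, short code, or (for iMessage) an e-mail address
    body: str

# Signals drawn from the lure described in the article: a "reply Y/1" instruction
# to unlock the link, a request to reopen the thread, a parcel-delivery pretext,
# a URL, and a sender that is an e-mail address.
REPLY_UNLOCK = re.compile(r"\breply\s+(?:with\s+)?[\"'“”‘’]?(?:y|1)[\"'“”‘’]?(?=\W|$)", re.I)
REOPEN = re.compile(r"\b(?:re-?open|open (?:it|the (?:message|conversation)) again)\b", re.I)
DELIVERY_LURE = re.compile(r"\b(?:package|parcel|delivery|redeliver\w*|shipment)\b", re.I)
URL = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}/\S*", re.I)
EMAIL_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def lure_signals(msg: Message) -> list[str]:
    """Return the human-readable signals this message triggers."""
    found = []
    if EMAIL_SENDER.match(msg.sender):
        found.append("sender is an e-mail address rather than a phone number")
    if REPLY_UNLOCK.search(msg.body):
        found.append("asks for a Y/1 reply (iMessage link-unlock bypass)")
    if REOPEN.search(msg.body):
        found.append("asks the recipient to reopen the conversation")
    if DELIVERY_LURE.search(msg.body):
        found.append("package-delivery pretext")
    if URL.search(msg.body):
        found.append("contains a link")
    return found

def is_darcula_style_lure(msg: Message, threshold: int = 3) -> bool:
    """Flag only when several independent signals co-occur; one hit is not enough."""
    return len(lure_signals(msg)) >= threshold

# Constructed sample messages (not taken from the report or the subreddit post).
SAMPLES = [
    Message("ct-sender@example.com",
            "USPS: your package could not be delivered because the address is incomplete. "
            "Update it at https://usps-redelivery.example.invalid/track "
            "Reply Y, then reopen the message to activate the link."),
    Message("28777", "Your package was delivered at 2:14 PM. Reply STOP to opt out."),
    Message("+15555550123", "Hey, reply 1 if you're coming tonight and I'll book the table."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(is_darcula_style_lure(m), lure_signals(m))
```

The threshold matters: a legitimate carrier notification or a friend asking for a “reply 1” each trip one signal, and only the combined pattern is flagged.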
Google recently said it was blocking the ability to send messages using RCS on rooted Android devices to reduce spam and abuse.
The ultimate goal of these attacks is to trick recipients into visiting fake websites and handing over their personal and financial information to scammers. There is evidence that Darcula is marketed to Chinese-speaking electronic crime groups.
Phishing kits can have serious consequences because they allow less skilled criminals to automate many of the steps required to carry out an attack, thereby lowering the barrier to entry.
The development comes amid a new wave of phishing attacks that exploit Apple’s password reset feature to bombard users with prompts, a so-called push bombing (also known as MFA fatigue) attack, in the hope of hijacking their accounts.

If the user manages to deny all the requests, “the scammer will call the victim and spoof Apple support on the caller ID, saying that the user’s account has been compromised and Apple support needs to ‘verify’ a one-time code,” security reporter Brian Krebs said.
The voice phishers were found to be using victim information obtained from people-search websites to increase their likelihood of success, ultimately “triggering an Apple ID reset code to be sent to the user’s device” which, if handed over, allows the attacker to reset the account password and lock the user out.
The perpetrators are suspected of abusing a flaw in the iforgot.apple[.]com password reset page to send dozens of password change requests in a way that bypasses rate-limit protection.
FACCT’s research also found that SIM swappers are transferring target users’ phone numbers to their own devices with embedded SIMs (eSIMs) to gain unauthorized access to the victims’ online services. This practice is said to have been used in the wild for at least a year.
This is achieved by submitting a request on the carrier’s website or app while posing as the victim to transfer the number from a physical SIM card to an eSIM, so that once the eSIM QR code has been generated and activated in the device settings, the legitimate owner loses access to the number.
Security researcher Dmitry Dudkov said: “After cybercriminals obtain the victim’s mobile phone number, they can obtain access codes and two-factor authentication for various services, including banking and instant messaging services, which gives the criminals many opportunities to implement fraud schemes.”