Netcraft has discovered a new phishing service named Darcula, which utilizes over 20,000 domains to impersonate popular brands and steal user account data from Android and iPhone users in more than 100 countries.
Darcula’s phishing service sets itself apart from others through its use of Rich Communication Services (RCS) for Google Messages and iMessage, making the messages appear more legitimate and able to bypass certain security measures.
The service provides customers with over 200 templates to create phishing pages that mimic the interfaces of well-known organizations, including financial institutions, public services, telecommunication companies, and airlines. These pages are high quality and use local languages, logos, and content.
Cybercriminals select a brand to imitate, then launch an installation script that deploys the corresponding phishing site in Docker containers. The system utilizes an open Harbor registry for hosting Docker images, with the sites themselves developed on React.
Analysis from Netcraft reveals that Darcula typically uses top-level domains such as ".top" and ".com" to host phishing attacks, with approximately one-third of them being protected by Cloudflare. A total of 20,000 domains associated with Darcula were identified, spread across 11,000 IP addresses, and about 120 new domains are added daily.
The shift from SMS to RCS and iMessage by Darcula is aimed at making phishing messages less susceptible to end-to-end encryption, likely in response to advancements in legislation targeting SMS-based cybercrime.
The use of RCS provides recipients with additional assurances, making them more likely to trust the messages they receive. Users are advised to exercise caution with any incoming messages that prompt them to click on links, especially if the sender is unfamiliar. Signs such as poor grammar, spelling errors, overly enticing language, or urgent requests should raise red flags.
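The following script is an added example, not code from Netcraft or from the article, showing how the warning signs listed above (links, unfamiliar senders, urgent language, spelling errors) together with the ".top" TLD observation can be turned into a simple triage heuristic for incoming messages. The sample messages, sender names, domains and word lists are constructed for illustration and are not real lures or indicators; the score threshold of 3 is an arbitrary choice.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (sender, text). The domains and sender numbers are
# placeholders, not real indicators from the Netcraft report.
SAMPLE_MESSAGES = [
    ("+1 555 0100", "URGENT: your parcel is on hold. Confirm adress now at https://example-post.top/track"),
    ("Mom", "dinner at 7? bring the salad"),
    ("+44 7700 900123", "Final notice!! Act now to keep your account: http://secure-login.example.com/verify"),
]

# Red flags named in the article: urgency, poor spelling, links, unfamiliar sender.
URGENT_WORDS = {"urgent", "immediately", "final notice", "act now", "suspended", "within 24 hours"}
# Tiny constructed misspelling list standing in for a real spell checker.
MISSPELLINGS = {"adress", "recieve", "acount", "verfiy"}
# TLDs the article says Darcula favours; ".com" is too common to flag on its own.
SUSPECT_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def tld_of(url):
    """Return the lowercase top-level domain of a URL ('' if none)."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def score_message(sender, text, known_contacts):
    """Return (score, reasons); one point per red flag observed."""
    reasons = []
    lowered = text.lower()
    words = set(re.findall(r"[a-z]+", lowered))
    urls = extract_urls(text)
    if urls:
        reasons.append("contains link")
    for url in urls:
        tld = tld_of(url)
        if tld in SUSPECT_TLDS:
            reasons.append(f"suspect TLD .{tld}")
    if sender not in known_contacts:
        reasons.append("unfamiliar sender")
    if any(phrase in lowered for phrase in URGENT_WORDS):
        reasons.append("urgent language")
    if words & MISSPELLINGS:
        reasons.append("spelling error")
    if "!!" in text or text.count("!") >= 2:
        reasons.append("excessive punctuation")
    return len(reasons), reasons


def triage(messages, known_contacts=frozenset({"Mom"})):
    """Score each message; anything with three or more red flags is flagged."""
    results = []
    for sender, text in messages:
        score, reasons = score_message(sender, text, known_contacts)
        results.append({"sender": sender, "score": score,
                        "reasons": reasons, "flagged": score >= 3})
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result)
```

Each flag is reported by name, so an analyst can see why a message was flagged rather than just receiving a score; the first and third sample messages trip several checks at once, while the benign message from a known contact scores zero.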