Darcula Phishing-as-a-Service Operation Bleeds Victims Worldwide
Pervasive and inexpensive phishing kit encompasses hundreds of templates targeting Kuwait Post, Etisalat, Jordan Post, Saudi Post, Australia Post, Singapore Post, and postal services in South Africa, Nigeria, Morocco, and more.
Phishing-as-a-service has come of age with what's being billed as the most pervasive worldwide package scam operation to date.
Chinese-language, phishing-as-a-service platform Darcula has created 19,000 phishing domains in cyberattacks against more than 100 countries, researchers say. The platform offers cybercriminals easy access to branded phishing campaigns for subscription prices of around $250 per month, according to researchers at Internet infrastructure security vendor Netcraft.
Phishing-as-a-service platforms are not new, but Darcula raises the bar with more technical sophistication. It runs many of the same tools employed by application developers including JavaScript, React, Docker, and Harbor.
Darcula uses iMessage and RCS (Rich Communication Services) rather than SMS to send text messages — a feature that allows scam messages sent via the platform to bypass SMS firewalls, which normally block the delivery of suspicious messages.
The Darcula platform offers easy deployment of phishing sites with hundreds of templates targeting worldwide brands, including Kuwait Post, UAE-based telco Etisalat, Jordan Post, Saudi Post, Australia Post, Singapore Post, and postal services in South Africa, Nigeria, Morocco, and more.
Unlike recent attacks such as Fluffy Wolf, Darcula scams typically target consumers rather than businesses.
Phishing attacks using text messages, aka smishing, have been a hazard for years. Cybercriminals attempt to use missed package messages or similar to trick prospective marks into visiting bogus sites — disguised as postal carriers or banks — and handing over their payment card details or personal information. Google has taken steps to block RCS messages from rooted phones, but the effort has only been partially successful.
Israeli security researcher Oshri Kalfon started investigating Darcula last year after receiving a scam message in Hebrew. Kalfon uncovered myriad clues about the operation of the platform after tracing the roots of the scam back to a control site whose admin panel was easy to hack because the scammers had forgotten to change the default login credentials.
The Darcula platform boasts support for around 200 phishing templates, covering a range of brands. Postal services worldwide are the prime target, but other consumer-facing organizations including utilities, financial institutions, government bodies (tax departments, etc.), airlines, and telecom providers are also on the roster.
Purpose-built domains, rather than compromised legitimate domains, are a characteristic of Darcula-based scams. The most common top-level domains (TLDs) used for Darcula are .top and .com, followed by numerous low-cost generic TLDs. Around a third (32%) of Darcula pages abuse Cloudflare, an option favored in Darcula's documentation. Tencent, Quadranet, and Multacom are also being abused as hosts.
Since the start of 2024, Netcraft has detected an average of 120 new domains hosting Darcula phishing pages per day.
Robert Duncan, vice president of product strategy at Netcraft, describes Darcula as the most pervasive worldwide package scam operation his company has ever come across.
"Other operations we have seen recently have been of much smaller scale and more geographically targeted," Duncan says. "For example, Frappo/LabHost was much more focused on North America and multinational brands."
Unlike typical last-generation phishing kits, phishing websites generated using Darcula can be updated on the fly to add new features and anti-detection functionality.
For example, a recent Darcula update changed the kit to make the malicious content available through a specific path (i.e., example.com/track) rather than the front page (example.com), Netcraft says. The tactic disguises an attacker's location.
On the front page, Darcula sites typically display a fake domain-for-sale/holding page. Previous versions redirected crawlers and bots to Google searches for various cat breeds.
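A defender-side check for the two behaviours described above (a holding page on the front path with the phishing content on a deep path, and crawlers bounced elsewhere), added here as an example; it is not Netcraft's or the kit's code, and the marker lists, user-agent strings, `/track` path and `fake_fetch` responses are assumptions or constructed samples.

```python
# Added defender-side check, not Netcraft's or the Darcula kit's code. Marker lists,
# the user-agent strings, the "/track" path and fake_fetch responses are assumptions.
from dataclasses import dataclass
from typing import Callable

# Strings suggesting a decoy/holding page or a bot shunt (assumed indicator list).
DECOY_MARKERS = ("domain is for sale", "domain may be for sale", "coming soon", "google.com/search")
# Strings suggesting a credential or payment harvesting form (assumed indicator list).
HARVEST_MARKERS = ('type="password"', "card number", "cvv", "expiry", "redelivery fee")

BROWSER_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

@dataclass
class Response:
    status: int
    location: str  # Location header, empty string when there is no redirect
    body: str

Fetcher = Callable[[str, str], Response]  # (url, user_agent) -> Response

def looks_decoy(r: Response) -> bool:
    """True for a holding page, or a redirect that shunts the visitor to a search page."""
    text = (r.location + " " + r.body).lower()
    return any(m in text for m in DECOY_MARKERS)

def looks_harvest(r: Response) -> bool:
    """True when a 200 body carries a form that collects credentials or card data."""
    body = r.body.lower()
    return r.status == 200 and any(m in body for m in HARVEST_MARKERS)

def cloaking_report(domain: str, deep_path: str, fetch: Fetcher) -> dict:
    """Compare root vs. deep path and browser vs. crawler views of the same site."""
    root_browser = fetch(f"https://{domain}/", BROWSER_UA)
    deep_browser = fetch(f"https://{domain}{deep_path}", BROWSER_UA)
    deep_crawler = fetch(f"https://{domain}{deep_path}", CRAWLER_UA)
    # Harvesting form served to a phone browser but hidden from a crawler.
    ua_cloaking = looks_harvest(deep_browser) and not looks_harvest(deep_crawler)
    # Decoy on the front page while the deep path carries the phishing content.
    path_cloaking = looks_decoy(root_browser) and looks_harvest(deep_browser)
    return {"ua_cloaking": ua_cloaking, "path_cloaking": path_cloaking,
            "suspicious": ua_cloaking or path_cloaking}

def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed responses standing in for a real HTTP client, so this runs offline."""
    if url.endswith("/track"):
        if "Googlebot" in user_agent:  # bots are bounced to a search for a cat breed
            return Response(302, "https://www.google.com/search?q=maine+coon", "")
        return Response(200, "", '<form><input placeholder="Card number"><input name="cvv"></form>')
    return Response(200, "", "<h1>This domain is for sale</h1>")
```

Swap `fake_fetch` for a real HTTP client (with a redirect-following disabled so the `Location` header is visible) to run the same comparison against a suspected domain.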
Under the bonnet, Darcula uses the open source container registry Harbor to host Docker images of phishing websites written in React. Cybercriminals who rent the technology select a brand to target before running a setup script that installs a brand-specific phishing website and an admin panel in Docker.
Evidence suggests that the operation is largely built for Chinese-speaking cybercriminals.
"Based on what we've observed, we believe that Darcula is primarily or exclusively using Chinese, with external templates in other languages being created by those using the platform," Duncan says.
Many of the frequently recommended defenses against phishing apply to scams generated via Darcula: avoid clicking links in unexpected messages, and instead go directly to the purported source's website, such as the postal service's own site.
Enterprises, meanwhile, should employ commercial security platforms to block access to known phishing sites, Duncan says.