Darcula, the new phishing attack arriving in RCS and on iMessage to siphon your credentials


Mélina LOUPIA

March 28, 2024 at 1:26 p.m.


More than 200 phishing models arrive in RCS and on iMessage © Kostiantyn Batylchuk / Shutterstock

This kit offers 200 phishing templates that impersonate brands and organizations in over 100 countries to trick victims.

While the tools for preventing abuse and protecting user data on the Internet keep evolving, the same unfortunately goes for cybercriminals, who never lack creativity when improving their attacks. The latest, and one of the most sophisticated, is called Darcula: a phishing-as-a-service (PhaaS) platform offering a catalog of 200 ready-to-use phishing kit templates.

This highly structured operation uses more than 20,000 domains to imitate popular brands and websites in order to deceive users. Victims are contacted not by SMS, but through the RCS protocol in Google Messages and through iMessage. Darcula has already spread across 100 countries around the world.


Darcula, a highly sophisticated operation

Unlike traditional phishing kits, Darcula is built on modern technologies such as JavaScript, React, Docker and Harbor, which allows continuous updates and new features to be rolled out without its “clients” having to reinstall their phishing kits.

The kit offers 200 phishing templates that impersonate brands and organizations in over 100 countries. The phishing pages are of high quality: they use the local language of the targeted victims and reproduce logos and content that are virtually indistinguishable from the originals.

Fraudsters select a brand to impersonate and run a setup script that installs the corresponding phishing site and its management dashboard directly into a Docker environment.
The system uses the open source container registry Harbor to host the Docker image, while the phishing sites are developed using React.

Researchers at the British internet security company Netcraft report that the Darcula service typically uses the “.top” and “.com” top-level domains for domains registered specifically for phishing attacks, and that around a third of these sit behind Cloudflare.

Netcraft has mapped 20,000 Darcula domains across 11,000 IP addresses, with 120 new domains added daily. Enough to siphon off an astronomical amount of personal data from Android and iOS users.

iMessage adopted RCS © sdx15 / Shutterstock

Apple and Google counterattack to protect users from Darcula

Darcula departs from traditional SMS-based tactics and instead uses RCS (on Android) and iMessage (on iOS, which was recently forced to adopt the RCS communications standard) to send victims messages containing phishing URLs.

The benefit for the attackers is that recipients are more likely to perceive the message as legitimate, trusting the additional assurances these protocols offer that SMS does not.

Additionally, because RCS and iMessage support end-to-end encryption, phishing messages cannot be intercepted and blocked in transit based on their content. The attackers therefore turn the protections of the very protocols they abuse to the advantage of their own service.

Netcraft notes that recent legislative efforts around the world to combat SMS-based cybercrime by blocking suspicious messages are likely pushing PhaaS platforms toward alternative protocols such as RCS and iMessage.

However, these protocols come with their own restrictions that cybercriminals must overcome.

For example, Apple prohibits accounts from sending large volumes of messages to multiple recipients, and Google recently implemented a restriction preventing rooted Android devices from sending or receiving RCS messages.

Cybercriminals attempt to circumvent these limitations by creating multiple Apple IDs and using device farms, for example in China, to send only a small number of messages from each device.

A harder obstacle is an iMessage protection that lets recipients click a URL link only if they have first replied to the message.

To get around this measure, the phishing message asks the recipient to reply with “Y” or “1” and then reopen the message to follow the link. This extra step creates friction that can reduce the effectiveness of the phishing attack.
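As an added illustration (not code from the article or from Netcraft), the following Python heuristic flags messages that show the lure pattern described above: a prompt to reply “Y” or “1” before following a link, a link on a “.top” domain, and urgent wording next to a URL. The sample messages, the choice of “.top” as the only flagged TLD, and the indicator names are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# The article names ".top" and ".com" as the TLDs Darcula favours; ".com" is far too
# common to flag on its own, so only ".top" is treated as suspect here (assumption).
SUSPECT_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s<>\"'”’]+", re.I)
# "Reply Y", "respond with '1'", "answer 1 then reopen": the reply-to-unlock prompt
# used against iMessage, where links stay inactive until the recipient has replied.
REPLY_UNLOCK_RE = re.compile(
    r"\b(?:reply|respond|answer)\b[^.\n]{0,40}?[\"'“”‘’]?\b(?:y|yes|1)\b", re.I)
# Urgency cues Netcraft's advice tells users to watch for (word list is an assumption).
URGENCY_RE = re.compile(r"\b(?:within 24 hours|immediately|suspended|held|fee|urgent)\b", re.I)

def flag_reasons(text: str) -> list[str]:
    """Return the indicators found in one message (empty list means nothing was seen)."""
    reasons = []
    urls = URL_RE.findall(text)
    if REPLY_UNLOCK_RE.search(text):
        reasons.append("reply_to_unlock_prompt")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            reasons.append(f"suspect_tld:{host}")
    if urls and URGENCY_RE.search(text):
        reasons.append("urgent_action_with_link")
    return reasons

def is_suspicious(text: str) -> bool:
    """The reply-to-unlock prompt alone, or any two independent indicators, trigger a flag."""
    reasons = flag_reasons(text)
    return "reply_to_unlock_prompt" in reasons or len(reasons) >= 2

# Constructed sample messages for demonstration; none are real Darcula lures.
SAMPLES = {
    "lure": "Your parcel is held at the depot. Reply Y, then reopen this message "
            "and pay the redelivery fee at https://parcel-redelivery-notice.top/track",
    "otp": "Your verification code is 482913. It expires in 10 minutes.",
    "newsletter": "New blog post: https://example.com/posts/rcs-security. Unsubscribe any time.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: suspicious={is_suspicious(msg)} reasons={flag_reasons(msg)}")
```

The heuristic is a triage aid for message-filtering or user-reporting pipelines, not a substitute for the platform-level controls the article describes.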

Users should treat all incoming messages asking them to click on URLs with suspicion, especially if the sender is not recognized. Regardless of platform or application, phishing threat actors will continue to experiment with new delivery methods.

Netcraft's researchers also recommend watching for grammatical errors, spelling mistakes, offers that look too good to be true, and calls for urgent action.


Source: Netcraft, Bleeping Computer
