Darcula phishing: iPhone users targeted via iMessage
Darcula, the novel phishing-as-a-service platform, employs over 20,000 phishing domains and targets organizations in more than 100 countries.

The Chinese-language Darcula platform allows cybercrooks to craft high-level, branded phishing campaigns, Netcraft researchers claim. While all-in-one phishing platforms are nothing new, Darcula will enable criminals to bypass built-in defenses more easily.

“Rather than the more typical PHP, the platform uses many of the same tools employed by high-tech startups, including JavaScript, React, Docker, and Harbor,” researchers said.

Because the tools can receive continuous updates, the platform’s users don’t need to reinstall phishing kits every time a new feature is added.

Additionally, the platform delivers its lures over iMessage, Apple’s messaging service, and Android’s RCS, both of which are end-to-end encrypted. That means it’s impossible for carriers or intermediaries to intercept and block phishing campaigns based solely on the message content.

Moreover, the use of these perceivably safer alternatives to SMS lowers users’ guard, as they’re more inclined to trust messages arriving via iMessage and RCS, researchers claim.

While the platform was first spotted last year, Netcraft researchers noted that it’s been widely adopted by fraudsters worldwide.

“The Darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS),” researchers said.

Darcula claims to support hundreds of phishing templates, covering brands from over a hundred countries around the world. According to the report, postal services and other large institutions are impersonated most often, as the scams bank on users’ trust in those brands.

The platform allows scammers to select a brand they want to impersonate and run a script that installs a dedicated phishing site. In essence, the platform is a one-stop shop for phishers.

According to the report, the platform’s most common top-level domains (TLDs) are .top and .com.

“Cloudflare’s platform is used by 32% of Darcula pages, with Cloudflare’s services being recommended by Darcula’s own documentation to avoid exposing the underlying server’s IP address,” reads the report.