Security Experts Issue Warning As New ‘Darcula’ Phishing Service Targets iOS And Android Users

There’s a new phishing service on the rise that’s targeting both iOS and Android users.

The service, dubbed Darcula, uses over 20,000 domains to impersonate brands and steal the credentials of both Android and iPhone users across the globe.

So far, users in 100 nations have been impacted, and the operation is still said to be growing.

All kinds of organizations are being impacted, including businesses, financial institutions, and even government and tax agencies. The scams also extend to utility providers and airlines.

One feature of this phishing campaign that is being highlighted is its use of the RCS protocol on Android messaging systems, and of iMessage on iOS, instead of classic SMS for delivering the phishing messages.

Security researchers noted that the operation was first spotted in the summer of 2023, but at that time it was not deemed high risk because it only targeted high-profile users.

Plenty of services in the US and UK were impersonated in scams, including the postal service and social media platforms like Reddit. Still, it was not considered the major threat it is now, when even ordinary users are at risk of having their credentials stolen.

Unlike the usual phishing tooling, this operation is built on modern technologies such as Docker and Harbor, along with JavaScript. This allows it to be updated continuously and to gain new features without clients having to download new phishing kits.

A single kit provides close to 200 different templates that impersonate brands and firms in close to 100 nations. The landing pages are of high quality and use the correct local language and logos.

Fraudsters pick a business to impersonate and then run setup scripts that install the corresponding phishing website and its management dashboard in a Docker environment.

The system uses an open-source registry (Harbor) to host the Docker images, while the phishing sites themselves are built with React. Researchers also noted that Darcula relies mainly on particular top-level domains for its phishing attacks, with a share of those domains supported by Cloudflare.

To date, Netcraft has catalogued more than 20,000 domains and over 11,000 IP addresses, and experts note that around 120 new domains are being added daily.

Darcula also moves away from classic SMS-based delivery, using RCS instead to send victims messages that link to the phishing URLs.

The advantage of this approach for the attackers is that recipients are now more likely than ever to assume the message they receive is authentic rather than a scam. Sadly, that is far from the truth, and users are tricked because these messages carry no more safeguards than the SMS they use for everyday communication.

But because iMessage and RCS have safeguards such as end-to-end encryption in place, they do offer greater security, blocking some phishing texts depending on their content.

Experts are now discussing PhaaS platforms that use alternative channels, including RCS and iMessage, to reach targets and carry out their campaigns. But these protocols come with limitations for the attackers, such as having to use Apple IDs to send messages from a single device.

Image: DIW-Aigen
