Attackers leverage weaponized iMessages, new phishing-as-a-service platform

Scammers are leveraging the Darcula phishing-as-a-service platform, iMessages and Google Messages to great effect.

The platform allows them to impersonate a variety of brands based in over 100 different countries: postal services, public and private utilities, package delivery services, financial institutions, government bodies, airlines, and telcos.

What’s unusual about this platform?

“Darcula is cat-themed, with a cat as its Telegram channel image, the administration panel previously being labeled with a cat image, and infrastructure domains such as magic-cat[.]net,” Netcraft researchers say.

But those quirky choices aside, the platform is a serious threat: it allows criminals that are not that tech savvy to automate many of the steps needed to launch a phishing campaign, thus lowering the barrier to entry in the world of cybercrime.

Other interesting aspects of the platform are:

  • Its use of JavaScript, React, Docker, and Harbor
  • Its capability to update phishing sites with new features and anti-detection measures without having to remove and re-install the phishing kit

“The Darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS) highlighted in numerous posts on [Reddit’s subreddit about phishing],” the researchers noted.

The choice to use iMessages and Google Messages (based on the RCS standard) to lead users to the phishing sites is clever:

  • They are free to send
  • They are more trusted by consumers than regular text messages
  • They are end-to-end encrypted, preventing network operators from analyzing their content, thus allowing the messages to evade filters put in place to block unsolicited and fraudulent SMS messages

iMessages can be sent in bulk via “mass sender” scripts, the researchers also pointed out, as can Google Messages, via Android device farms.

The platform is aimed at serving Chinese-speaking criminals.

“Non-Chinese speaking users can use it if they were to use a translation tool in their browser, but the communications in the Telegram channel and group use Chinese – we’re not aware of there being an English language version but can’t say with 100% certainty that there aren’t other hidden options,” Robert Duncan, VP Product Strategy at Netcraft, told Help Net Security.

Advice for consumers

Previous research by automation engineer Oshri Kalfon, who managed to access the administration panel of one of the phishing pages set up via Darcula, revealed both that many targets are fooled into entering their information and the wide range of phishing page templates phishers can choose from.


Brands phishers can impersonate via Darcula (Source: Oshri Kalfon)

The domains hosting the phishing pages are usually not compromised, but purposefully registered and named so that they resemble the relevant brand name, to complete the illusion.
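One defensive check that follows from this: flag links whose hostname carries a brand keyword but whose registrable domain is not one the brand actually uses. This is an added example, not code from Netcraft or the article; the brand allowlist, the sample messages and the `.example` domains are constructed, and the domain splitting is a naive last-two-labels approximation (a real deployment should use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption, not from the report): brand keyword ->
# registrable domains the brand legitimately uses.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "royalmail": {"royalmail.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages in the style the article describes (defanged).
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered. Update your address at "
    "https://usps-redelivery[.]example/track",
    "Track your parcel at https://tools.usps.com/go/TrackConfirmAction",
    "Royal Mail: a customs fee is due, pay at https://royal-mail.parcel-fee[.]example",
]


def refang(text: str) -> str:
    """Turn '[.]' defanging back into '.' so the URL parser accepts it."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (assumption; not PSL-aware)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalikes(message: str) -> list[dict]:
    """Return one finding per link whose host mentions a brand keyword
    while living on a domain the brand does not own."""
    findings = []
    for url in URL_RE.findall(refang(message)):
        url = url.rstrip(".,;)")            # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        # Collapse separators so 'usps-redelivery' or 'royal-mail' still match.
        flat = re.sub(r"[^a-z0-9]", "", host.lower())
        for brand, legit in BRAND_DOMAINS.items():
            if brand in flat and reg not in legit:
                findings.append({"url": url, "host": host, "brand": brand})
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(brand_lookalikes(msg))
```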

The advice that’s usually given out to consumers on how to avoid SMS-based phishing holds true: be careful when evaluating whether you’ll click on links sent via unsolicited messages or by unknown senders.

“Look for inaccurate grammar, spelling errors, offers that are ‘too good to be true’ or require urgent action. If you’re expecting a message from an organization, navigate to their official website and avoid following links,” Netcraft researchers added.
