A new phishing-as-a-service (PhaaS) named ‘Darcula’ has emerged, utilizing 20,000 domains to impersonate brands and target Android and iPhone users across over 100 countries. Unlike traditional methods, Darcula leverages the Rich Communication Services (RCS) protocol for Google Messages and iMessage, enhancing the perceived legitimacy of phishing messages. This platform, first documented by security researcher Oshri Kalfon, offers over 200 templates and has been involved in numerous high-profile phishing attacks, including package scams and impersonations of various services and organizations.
Darcula’s approach signifies a departure from conventional SMS-based tactics, instead utilizing RCS and iMessage to deliver phishing messages, which are more likely to be perceived as authentic by recipients. Despite the advantages of end-to-end encryption in these protocols, cybercriminals face challenges, such as restrictions imposed by Apple and Google. For instance, Apple restricts accounts sending high volumes of messages, while Google has implemented restrictions for rooted Android devices.
The phishing kit offered by Darcula provides fraudsters with a wide range of templates, allowing them to impersonate brands and organizations effectively. The landing pages are meticulously designed, featuring localized language, logos, and content. However, cybercriminals must navigate obstacles such as Apple’s requirement for recipients to reply to messages before clicking on URL links, which could reduce the effectiveness of the phishing attack.
As phishing threat actors continue to experiment with new delivery methods, users are advised to remain vigilant against suspicious messages urging them to click on URLs. Paying attention to grammar errors, overly attractive offers, or urgent calls to action can help users identify potential phishing attempts, regardless of the platform or application. Additionally, users should exercise caution when responding to unfamiliar senders or messages requesting personal information.
