‘Darcula’ PhaaS Campaign Sinks Fangs into Victims
A sprawling phishing-as-a-service (PhaaS) campaign that has been running since at least last summer is using more than 20,000 fake domains to target a wide range of organizations in more than 100 countries, illustrating the capabilities of an increasingly popular tool among threat actors.
The as-yet unidentified operators are using a platform called “Darcula” (sic) that gives them tooling and delivery channels not typical of traditional phishing campaigns, according to threat researchers with NetCraft, a London-based internet services company.
The researchers wrote in a report that the Chinese-language platform has been used for “numerous high-profile phishing attacks” over the last year, including messages sent to both Apple and Android devices in the UK and package-delivery scams impersonating the U.S. Postal Service. The platform was created by a user of the Telegram instant-messaging service who goes by the same name.
The Darcula platform’s 200 phishing templates cover a “large range of brands based in over 100 different countries,” the NetCraft researchers wrote. “The templates primarily target postal services but also other institutions that rely on large amounts of consumer trust, such as public and private utilities, financial institutions, government bodies (tax departments, etc.), airlines, and telecommunication organizations.”
New Twists to Phishing
Much of what the attackers are doing isn’t new: text messages have long been used to target victims, including messages that appear to come from a postal service about a missed package delivery.
“These attacks trick users into entering credentials and other sensitive information in the belief they are interacting with legitimate postal organizations,” they wrote.
However, rather than using SMS to send the lure messages, as is commonly done, the Darcula attackers use the iMessage service for Apple devices or the Rich Communication Services (RCS) protocol for Google Messages, enabling them to bypass SMS firewalls put in place by network operators to prevent scam SMS messages from being delivered. The messages distribute malicious URLs.
“The creation of RCS and iMessage was – in part – designed to provide more secure messaging protocols than SMS and MMS, which are now over 30 years old,” the researchers wrote. “These encrypted services are marketed to end users as the safest way to send messages to your network. Subsequently, these messages are often trusted more by consumers and remove a level of skepticism when users see an iMessage vs SMS, for example.”
In addition, Darcula doesn’t use the more typical PHP. Instead, “the platform uses many of the same tools employed by high-tech startups, including JavaScript, React, Docker, and Harbor,” the researchers wrote.
Easy Updating
Another unusual feature is that Darcula phishing websites can be updated in place, without the kit having to be removed and reinstalled. A recent example the researchers saw was a change to the kit that made the malicious content available at a specific path rather than on the site’s front page, a move that hides the phishing content from anyone who checks only the site’s front page.
Oshri Kalfon, a security researcher, first detected Darcula last year after receiving a suspicious text message. The fake page was convincing, but its awkward wording, his own experience, and the high number of SMS phishing campaigns targeting Israel prompted him to investigate.
“Looks like they did a pretty good job on the mirroring,” Kalfon wrote. “The UI looks really similar to the one on the Israeli post office’s official website, but taking a look at the syntax of the Hebrew here, the wording is a bit off: what should have been the ‘Continue’ button is ‘To Continue.’ Probably Google Translated.”
PhaaS on the Rise
The NetCraft researchers said adoption of the kit has accelerated since then; they have seen an average of 120 new domains hosting Darcula phishing pages per day since the start of the year.
Cybersecurity vendors have reported a rise in PhaaS in recent years, in line with the larger as-a-service trend in the dark web. Like ransomware- and access-as-a-service, PhaaS lets groups pay others to use their phishing kits – which can include phishing pages, fake websites, contact lists of targets, and email templates – sometimes sharing a portion of the money gained.
It also lowers the barrier of entry for less-experienced hackers.
“Usually, creating a phishing campaign requires a broad set of skills,” according to Heimdal Security. “Phishing-as-a-Service enables even a novice to conduct an attack.”
With Darcula, setting up an attack is designed to be easy for the operator. The platform uses Harbor, an open-source container registry, to host Docker images of phishing websites written in React. The scammer selects a brand to target and runs a setup script that installs the brand-specific phishing website and its associated administrator panel in Docker.
NetCraft encouraged individuals to be skeptical of links sent from senders they don’t recognize and to look for signs of a phishing lure, such as inaccurate grammar, spelling errors, offers that seem too good to be true, or claims that urgent action is required.
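The lure traits described in this article (a delivery-themed pretext, an urgency cue, a link that arrives over iMessage or RCS rather than filtered SMS, a link whose domain does not belong to the brand it claims, and malicious content parked at a deep path rather than the site root) can be turned into a simple triage heuristic. The following is an added example for this article, not code from NetCraft or from the Darcula kit; the sample messages are constructed, and the BRAND_HOSTS allowlist is an assumed, illustrative table an operator would maintain themselves.

```python
"""Heuristic triage of delivery-themed smishing lures.

Added example, not code from NetCraft or from the Darcula kit. The
sample messages below are constructed, and BRAND_HOSTS is an assumed
allowlist for illustration only.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed mapping of commonly impersonated brands to the hosts they
# really use. Illustrative; a real deployment would source this from
# the brands themselves.
BRAND_HOSTS = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
    "israel post": {"israelpost.co.il"},
}

DELIVERY = re.compile(
    r"\b(parcel|package|delivery|redeliver|customs|postage|address)\b", re.I)
URGENCY = re.compile(
    r"\b(within \d+ hours?|immediately|urgent|final notice|suspended|"
    r"will be returned)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Channels the report says are not covered by the carriers' SMS firewalls.
UNFILTERED_CHANNELS = {"IMESSAGE", "RCS"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def host_matches_brand(host, brand):
    """True if host is the brand's real domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == good or host.endswith("." + good)
               for good in BRAND_HOSTS[brand])


def triage(message, channel="SMS"):
    """Score one message; a higher score means it looks more like a lure."""
    v = Verdict()
    urls = URL_RE.findall(message)
    text = message.lower()
    claimed = [b for b in BRAND_HOSTS if b in text]  # brands the text names

    if DELIVERY.search(message):
        v.add(1, "delivery-themed pretext")
    if URGENCY.search(message):
        v.add(1, "urgency cue")
    if urls and channel.upper() in UNFILTERED_CHANNELS:
        v.add(1, f"link arrived over {channel}, bypassing SMS filtering")

    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        for brand in claimed:
            if not host_matches_brand(host, brand):
                v.add(3, f"claims {brand!r} but links to {host}")
        if parts.path not in ("", "/"):
            # Kits may serve the lure only at a deep path, so a scanner that
            # fetches only the site root sees nothing suspicious.
            v.add(0, f"deep path {parts.path}: fetch the full URL, not just the root")
    return v


# Constructed sample messages (channel, text); not real campaign data.
SAMPLES = [
    ("iMessage", "USPS: your package could not be delivered due to an "
                 "incomplete address. Update it within 24 hours: "
                 "https://usps-parcel.example/redeliver"),
    ("SMS", "Royal Mail: your parcel is out for delivery. Track it at "
            "https://www.royalmail.com/track-your-item"),
]

if __name__ == "__main__":
    for channel, text in SAMPLES:
        verdict = triage(text, channel)
        print(f"[{channel}] score={verdict.score}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The brand-versus-link-host mismatch carries the most weight because it is the one signal a well-written lure cannot remove: the fake page has to live somewhere the brand does not own. The deep-path note scores nothing but is kept as a reminder to submit the full URL, not just the hostname, to any URL scanner.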