New phishing attack targets RCS and iMessage users following SMS scam

Parcel deliveries, messages from public services, tax authorities, even airlines... Until now, most phishing campaigns carried out over text messages (smishing) arrived by SMS. In recent months, however, a phishing-as-a-service (PhaaS) platform has been spreading across the world, reaching its victims over the RCS protocol used on Android (notably in Google Messages) and over iMessage on iOS.

Over 200 different phishing templates

In a report published on March 27, cybersecurity researchers at Netcraft said they had identified more than 20,000 domains linked to “Darcula”, hosted across 11,000 IP addresses and impersonating more than 100 brands in more than 100 countries. Darcula reportedly offers more than 200 phishing templates, primarily targeting postal services such as DHL, EVRi or the US Postal Service (USPS). Other templates target public services, financial institutions, government agencies, airlines and telecommunications providers.


Unlike more common phishing kits, “Darcula” relies on more sophisticated tooling. Because it is built with JavaScript, React, Docker and Harbor, the phishing sites can be updated continuously, and new features and anti-detection measures can be pushed out without the operator having to reinstall the kit to receive them. The researchers spotted one such update that serves the malicious content from a specific path rather than from the home page, so that the location of the page where the victim is actually trapped stays hidden.

With end-to-end encryption, no blocking based on content

From a technical point of view, “Darcula” is distributed through the open source Harbor container registry. A customer selects the brand to spoof and runs a setup script that installs the matching phishing site along with its management dashboard. The service typically hosts its phishing domains under top-level domains such as “.com” or “.top”. The pages reproduce the brand's logos, the victims' local language and the content of the official sites.

Delivering the lure over RCS or iMessage is more likely to trick users, since recipients may perceive the message as legitimate. And because both technologies support end-to-end encryption, carriers and messaging platforms cannot read the content in transit, so phishing messages cannot be intercepted and blocked on the basis of that content; any content-based filtering has to happen on the device itself. In 2023, Google made RCS the default sending option in Google Messages. According to Netcraft, Apple is also expected to support RCS on iOS this year.

Apple and Google are trying to protect their users

Apple and Google have taken steps to strengthen their security mechanisms. In iMessage, a link in a message from an unknown sender is not clickable unless the user has previously replied to that number or account. The operators behind “Darcula” bypass this by asking the recipient to respond, for example “please reply with Y” or “please reply with 1”: once the user sends back a single character, the link becomes clickable. Google, for its part, blocks RCS messaging on rooted phones in order to reduce spam.
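The two traits described above, lookalike domains for impersonated brands (often under “.top”) and the “reply with Y / 1” bait, are the kind of signals an on-device or mailbox-side message triage can key on. The following is an added example written for this article, not code from Netcraft or from the Darcula kit; the brand allowlist, the shortlist of public suffixes and the sample messages are all constructed for illustration, and a real deployment would load the full Public Suffix List and an authoritative brand-domain list instead.

```python
"""Triage text-message lures (SMS/RCS/iMessage) for Darcula-style signals.

Added example, not code from the article or from Netcraft. The brand
allowlist, the public-suffix shortlist and the sample messages below are
constructed for illustration. Heuristics implemented:
  1. a brand name appearing in a link's hostname whose registrable domain
     is not one of that brand's official domains (lookalike domain);
  2. links hosted under the .top TLD cited in the article;
  3. "reply with Y" / "reply with 1" bait used to make iMessage links clickable.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of official registrable domains per brand (illustrative).
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "evri": {"evri.com", "evri.co.uk"},
}

# Two-label public suffixes so that evri.co.uk counts as one registrable
# domain. A real deployment should load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
REPLY_BAIT_RE = re.compile(r"\breply\s+(?:with\s+)?['\"]?(?:y|yes|1)['\"]?\b", re.I)
SUSPICIOUS_TLDS = {"top"}


def hostname(url):
    """Lower-cased hostname of a URL, adding a scheme when the text only had www."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Registrable (eTLD+1) domain: www.usps.com -> usps.com, www.evri.co.uk -> evri.co.uk."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_in_host(host):
    """Brand keyword appearing as a dot- or hyphen-separated label of the host."""
    for label in re.split(r"[.-]", host):
        if label in OFFICIAL_DOMAINS:
            return label
    return None


def triage(message):
    """Return a list of findings (tuples) for one message; an empty list means clean."""
    findings = []
    for url in URL_RE.findall(message):
        host = hostname(url.rstrip(".,);"))
        reg = registrable_domain(host)
        brand = brand_in_host(host)
        # Brand keyword present but the registrable domain is not the brand's own.
        if brand and reg not in OFFICIAL_DOMAINS[brand]:
            findings.append(("lookalike_domain", brand, reg))
        if reg.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append(("suspicious_tld", reg))
    if REPLY_BAIT_RE.search(message):
        findings.append(("reply_bait",))
    return findings


def verdict(message):
    """block: brand lookalike; review: TLD or reply bait only; allow: nothing found."""
    kinds = {f[0] for f in triage(message)}
    if "lookalike_domain" in kinds:
        return "block"
    if kinds & {"suspicious_tld", "reply_bait"}:
        return "review"
    return "allow"


# Constructed sample messages (not real captures).
SAMPLES = [
    "USPS: your package could not be delivered. Update your address at "
    "https://usps-redelivery.top/i/ab12 . Please reply with Y then reopen this message.",
    "Your Evri parcel is out for delivery today. Track it at https://www.evri.co.uk/track",
    "DHL: a customs fee is due before release: https://dhl.tracking-update.com/pay",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(verdict(text), triage(text))
```

The check that matters is the comparison of the registrable domain against the brand's own domains, not a substring search: “usps-redelivery.top” and “dhl.tracking-update.com” both contain the brand name, but neither resolves to a domain the brand controls. The reply-bait pattern alone only raises the message for review, since legitimate senders occasionally ask for a one-character confirmation.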


To avoid falling for these attacks, Netcraft recommends watching for grammatical and spelling errors and for offers that are “too good to be true”. It is also safer to open the official website directly, by typing its address or using the brand's own app, rather than following links received via RCS or iMessage.
