Out of the Shadows – 'Darcula' iMessage and RCS Smishing Attacks Target USPS and Global Postal Services

Darcula, a Phishing-as-a-Service platform first documented by security researcher Oshri Kalfon last summer, is growing in popularity among the cybercriminal community. Netcraft analysts recently noted in a blog post that they detected 20,000+ Darcula-related domains across 11,000 IP addresses, targeting more than 100 brands. The Darcula platform, which allegedly supports around 200 phishing templates (primarily designed to impersonate postal services, though financial institutions, government entities, airlines, and telecom organizations are also at risk of being targeted), was developed using tools like JavaScript, React, Docker, and Harbor. Since its release, the platform has enabled cybercriminals to launch numerous high-profile phishing attacks over the past year. Notably, these phishing attacks are conducted via text messages: rather than SMS, researchers note the use of iMessage and the Rich Communication Services (RCS) protocol in Google Messages to target Apple and Android users, enabling actors to bypass SMS firewalls.

Security Officer Comments:
The use of technologies like JavaScript, React, Docker, and Harbor enables Darcula to automatically push out updates, including new features and anti-detection measures, without the need to remove and reinstall the kit, making it an attractive tool for cybercriminals.

As noted above, Darcula phishing kits are mainly being used to target postal services like DHL, Evri, and the United States Postal Service. Several phishing attacks have been observed in which actors send targeted individuals fake package tracking messages containing links designed to redirect unsuspecting recipients to phishing sites masquerading as these postal carriers. These sites typically use .top and .com top-level domains, and 32% of them are fronted by Cloudflare.

It’s worth noting that there are restrictions on clicking a link sent via iMessage. Apple has a security measure that prevents links in iMessage from being clickable unless the message comes from an account to which the end user has already sent a reply. Interestingly enough, actors leveraging Darcula bypass this mechanism by using a template containing a ‘Please reply to Y’ or ‘Please reply to 1’ message. Once the recipient replies, the link becomes clickable, directing them to one of Darcula’s phishing sites.
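The traits described above (carrier impersonation, links on .top or unofficial .com domains, and the ‘reply Y/1’ bait used to unlock iMessage links) can be turned into a simple triage heuristic for messages forwarded to a security team. The following is an added example and is not code from Netcraft or from the Darcula kit; the list of official carrier domains, the sample messages, and the scoring weights are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed list of legitimate carrier domains for this example (not from the page).
OFFICIAL_DOMAINS = {"usps.com", "dhl.com", "evri.com"}

# Words that indicate a message is posing as a postal/parcel carrier.
CARRIER_KEYWORDS = ("usps", "dhl", "evri", "postal", "parcel", "package")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# 'reply Y' / 'reply 1' style bait used to make an iMessage link clickable.
REPLY_BAIT_RE = re.compile(r"\breply\s+(?:with\s+)?['\"]?(?:y|yes|1)\b", re.IGNORECASE)
# Common delivery-problem pretexts seen in fake tracking messages.
PRETEXT_RE = re.compile(r"\b(address|delivery fee|redeliver|unable to deliver)\b")

# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "USPS: Your package could not be delivered due to an incomplete address. "
    "Please reply Y and update at https://usps-redelivery.top/track",
    "USPS: your package is out for delivery. Track it at https://www.usps.com/",
    "Hey, are we still on for lunch? Reply 1 if yes",
    "Evri: we were unable to deliver your parcel. Pay the redelivery fee at "
    "https://evri-parcel-help.com/pay",
]


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels (fine for .top/.com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(text):
    """Return (score, reasons) for one message; higher means more smishing-like."""
    score, reasons = 0, []
    lower = text.lower()
    mentions_carrier = any(k in lower for k in CARRIER_KEYWORDS)
    urls = URL_RE.findall(text)

    for url in urls:
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain.endswith(".top"):
            score += 2
            reasons.append(f"link to .top domain: {host}")
        if mentions_carrier and domain not in OFFICIAL_DOMAINS:
            score += 2
            reasons.append(f"carrier lookalike on unofficial domain: {host}")

    # Reply bait is only meaningful when there is a link to unlock.
    if urls and REPLY_BAIT_RE.search(text):
        score += 3
        reasons.append("reply bait to unlock an iMessage link")

    if mentions_carrier and PRETEXT_RE.search(lower):
        score += 1
        reasons.append("delivery-problem pretext")

    return score, reasons


def is_suspicious(text, threshold=3):
    """Flag a message once its heuristic score reaches the threshold."""
    return score_message(text)[0] >= threshold


def triage(messages):
    """Score a batch of messages and return [(score, reasons, text), ...]."""
    return [(*score_message(m), m) for m in messages]


if __name__ == "__main__":
    for score, reasons, text in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if score >= 3 else "ok"
        print(f"[{flag}] score={score} {text[:60]!r}")
        for r in reasons:
            print(f"    - {r}")
```

The scoring is deliberately additive so that a single weak signal (a ‘reply 1’ in a message from a friend with no link, or a carrier name on its official domain) does not trip the threshold on its own, while the combination the page describes (carrier pretext, unofficial or .top link, and reply bait) scores well above it.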

Suggested Corrections:
Users should be wary of incoming messages from unrecognized senders that ask them to click on a URL. In general, messages containing grammatical and spelling errors, offers that are ‘too good to be true’, or requests that demand urgent action should be treated with suspicion. If you are expecting a shipment, for example from USPS, defer to the company’s official site for shipping and tracking updates.