The Phishing Platform Automating Cybercrime

Darcula is a new Chinese-language phishing-as-a-service platform with more than 20,000 phishing domains that target organizations in over 100 countries.

While the concept of an all-in-one phishing platform is nothing new, Darcula lets criminals bypass built-in defenses more easily. The platform allows cybercriminals to craft polished, brand-specific phishing campaigns, as reported by Netcraft researchers: “Rather than the more typical PHP, the platform uses many of the same tools employed by high-tech startups, including JavaScript, React, Docker, and Harbor.”

According to Cybernews, the tools receive continuous updates, so users of the platform don’t need to reinstall phishing kits every time a new feature is added. Furthermore, Darcula delivers its messages over Apple’s iMessage and Android’s RCS (both end-to-end encrypted), meaning that phishing campaigns cannot be intercepted and blocked in transit based on the content of the message alone. Moreover, experts state that the use of perceived “safer alternatives” to SMS makes users let their guard down, as they are more inclined to trust iMessage and RCS.

While the Darcula platform was initially spotted in 2023, Netcraft researchers note that it has been widely adopted by fraudsters worldwide. “The Darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating the United States Postal Service (USPS),” said the researchers.

Darcula claims to support hundreds of phishing templates and cover brands from over a hundred countries around the world. The platform lets scammers select a brand they want to impersonate, then run a script that installs a dedicated phishing site – essentially a one-stop shop for phishers.

The report mentions that postal services and other large institutions are impersonated most often, counting on users to trust the brands, with the platform’s most common top-level domains being .top and .com.
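Because the messages travel over end-to-end encrypted channels, the content cannot be inspected in transit; what a defender can still act on is the link a user reports or clicks, and the article gives two usable signals for that: impersonation of postal brands and the platform's preference for the .top and .com TLDs. The following is an added illustration of domain-level triage for reported messages; it is not code from the article, from Netcraft, or from Cybernews. The sample messages, the allowlist, the brand keywords and the scoring weights are constructed for the example, and the registrable-domain helper is a deliberate simplification (a real deployment would consult the Public Suffix List and a curated brand-domain inventory).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate registrable domains for the impersonated
# brand. Example data only; a production filter loads this from a curated source.
KNOWN_GOOD = {"usps.com"}

# Brand terms whose presence in an unknown hostname suggests impersonation
# (constructed for the example; the article names USPS as an impersonated brand).
BRAND_KEYWORDS = ("usps", "postal")

# The article reports .top and .com as the platform's most common TLDs. Only .top
# is weighted here: .com is too common to be a signal on its own, whereas .top is
# rarely used by the institutions being impersonated.
SUSPICIOUS_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real campaign content).
SAMPLE_MESSAGES = [
    "USPS: your package is on hold. Confirm your address at https://usps-redelivery.top/track",
    "Track your parcel at https://tools.usps.com/go/TrackConfirmAction",
    "Reminder: dentist appointment Tuesday at 3pm",
]


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the message text."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text)]


def registrable_domain(hostname: str) -> str:
    """Naive registrable domain: the last two labels.
    Simplification for the example; multi-label public suffixes (e.g. co.uk)
    need the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def score_domain(hostname: str) -> tuple[int, list[str]]:
    """Score a hostname: 0 means allowlisted or no signal, higher means more
    impersonation indicators. Returns (score, human-readable reasons)."""
    reg = registrable_domain(hostname)
    reasons: list[str] = []
    if reg in KNOWN_GOOD:
        return 0, reasons  # any subdomain of a known-good registrable domain passes
    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"uncommon TLD .{tld}")
    if any(kw in hostname.lower() for kw in BRAND_KEYWORDS):
        reasons.append("brand keyword in a domain not on the allowlist")
    return len(reasons), reasons


def triage_message(text: str) -> list[dict]:
    """Extract URLs from a reported message and score each one's hostname."""
    findings = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        score, reasons = score_domain(host)
        findings.append({"url": url, "host": host, "score": score,
                         "flagged": score >= 1, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in triage_message(msg):
            status = "FLAG" if f["flagged"] else "ok"
            print(f"{status:4} {f['host']:28} score={f['score']} {f['reasons']}")
```

The first sample is flagged on two counts (the .top TLD and a postal brand keyword outside the allowlist), the legitimate tracking link passes because its registrable domain is allowlisted, and the message without a link produces no finding. The scoring is intentionally additive so an analyst can see which signal fired rather than receiving a bare verdict.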