Monday, October 7, 2024

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage


Phishing allows hackers to exploit human vulnerabilities, tricking users into revealing sensitive information and granting unauthorized access.

It’s an effective social engineering technique that can bypass even robust technical security measures. 

Phishing kits and services provide a low-cost, low-effort way to conduct widespread attacks, which makes them attractive options for threat actors seeking financial gains and access to valuable data.


Recently, cybersecurity analysts at Netcraft discovered that threat actors are actively using the darcula phishing service to target users of USPS and other postal services worldwide with messages delivered via iMessage.

iPhone Darcula Phishing Attack

‘darcula’ is a sophisticated Phishing-as-a-Service (PhaaS) platform leveraging modern web technologies like JavaScript, React, Docker, and Harbor.

It is behind over 20,000 phishing domains used in high-profile campaigns.

A key tactic is using iMessage and RCS instead of SMS to bypass filters and exploit user trust in “smishing” attacks impersonating postal services across more than 100 countries.

This enables uniquely effective data extraction by exploiting messaging platforms’ perceived legitimacy and evading typical SMS-based scam defenses. 

The darcula platform was developed by a Telegram user, and it offers easy deployment of constantly updatable phishing sites with hundreds of templates targeting global brands.

Phishing landing pages (Source – Netcraft)

Unlike typical phishing kits, darcula websites can be updated in place with new features and anti-detection measures, such as changing the paths of malicious content for obfuscation.

The group monetizes the platform through paid monthly subscriptions sold to other threat actors, the report reads.

The Darcula PhaaS offers around 200 phishing templates targeting over 100 brands across more than 100 countries, primarily postal services and trusted institutions like utilities, banks, and governments.

Phishing landing pages targeting postal services (Source – Netcraft)

It uses purpose-registered domains spoofing brand names, favoring .top, .com, and other low-cost TLDs, with 32% on Cloudflare. Over 20,000 darcula domains across 11,000 IPs have been detected, with 120 new ones daily in 2024. 
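The domain patterns described above (brand names in purpose-registered hostnames, low-cost TLDs such as .top, delivery-themed lures) can be turned into a simple triage heuristic on the defender side. The following is an added example, not code from the article or from Netcraft: it extracts URLs from message text and scores each one against those signals. The sample messages, the keyword lists beyond USPS and .top, and the allowlist of legitimate brand domains are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this demo. The article describes postal-service
# smishing over iMessage/RCS but quotes no message text, so none of these are real.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold because of an incomplete address. "
    "Update it within 24h at https://usps-redelivery.top/track",
    "Royal Mail: we could not deliver your parcel. Pay the redelivery fee: "
    "http://royalmail-parcel-fee.com/pay",
    "Hey, still on for dinner at 7? Menu is here https://example.com/menu",
    "Your UPS shipment 1Z999 is out for delivery: https://www.ups.com/track?tracknum=1Z999",
]

# Brand keywords used as lures (USPS is named in the article; the rest are assumptions).
POSTAL_KEYWORDS = ("usps", "royalmail", "auspost", "postnl", "dhl")
# Low-cost TLDs treated as a risk signal. The article names .top; the others are assumed.
RISKY_TLDS = (".top", ".xyz", ".icu", ".cfd")
# Delivery-themed lure wording typical of postal smishing (assumption).
LURE_WORDS = ("package", "parcel", "on hold", "redeliver", "fee", "customs", "address")
# Known-good registrable domains (assumption; in production this is a maintained allowlist).
ALLOWLIST = {"usps.com", "ups.com", "royalmail.com", "dhl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels. A real deployment should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url: str, message: str):
    """Return (score, reasons) for one URL found in a message. Brand keyword counts 2, others 1."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    if reg in ALLOWLIST:
        return 0, ["allowlisted brand domain"]
    # A postal brand name anywhere in a non-allowlisted hostname is the strongest signal.
    for kw in POSTAL_KEYWORDS:
        if kw in host:
            reasons.append(f"postal brand '{kw}' in hostname")
            break
    if host.endswith(RISKY_TLDS):
        reasons.append("low-cost TLD")
    if "-" in reg.split(".")[0]:
        reasons.append("hyphenated brand-lookalike label")
    text = message.lower()
    if any(w in text for w in LURE_WORDS):
        reasons.append("delivery lure wording")
    score = sum(2 if r.startswith("postal brand") else 1 for r in reasons)
    return score, reasons


def triage(messages, threshold: int = 3):
    """Extract URLs from each message and return those scoring at or above the threshold."""
    flagged = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            score, reasons = score_url(url, msg)
            if score >= threshold:
                flagged.append({"url": url, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit["score"], hit["url"], "; ".join(hit["reasons"]))
```

Run as a script it flags the two postal lookalikes and leaves the dinner invitation and the allowlisted ups.com link alone. The scoring is deliberately additive so that a brand keyword on its own does not fire (legitimate third-party trackers mention carriers too); it needs a second signal such as a hyphenated lookalike label or a low-cost TLD.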

Front pages are cloaked with fake domain-sale pages, and previously redirected bots to cat breed searches, in keeping with darcula’s cat-themed branding.

Anti-detection tactics demonstrate the platform’s sophistication.

darcula anti-monitoring redirecting site crawlers to a cat breed (Source – Netcraft)
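Cloaking of this kind (a crawler user agent is bounced elsewhere while a phone browser gets the real page) can be checked for by fetching the same URL under two user-agent profiles and comparing where each one ends up. The following is an added example written for this article, not Netcraft's tooling: `check_cloaking` takes a fetch callable so it can be driven by a real HTTP client or, as here, by a constructed stand-in that models the behaviour the article describes. The user-agent strings, the example URL and the cat-search redirect target are all constructed.

```python
import urllib.request
from urllib.parse import urlparse

# Two probe profiles. Both strings are constructed placeholders for this demo.
PROFILES = {
    "browser": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari/604.1",
    "crawler": "Mozilla/5.0 (compatible; ExampleSecurityCrawler/1.0; +https://example.org/bot)",
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def http_fetch(url: str, user_agent: str, timeout: int = 10):
    """Real fetcher: follows redirects and returns (final_status, final_url).
    Run it from an isolated analysis host, never from a production workstation."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.geturl()


def check_cloaking(url: str, fetch=http_fetch):
    """Fetch url once per profile and report whether the crawler is sent somewhere else."""
    results = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    _, browser_final = results["browser"]
    _, crawler_final = results["crawler"]
    evidence = []
    if host_of(browser_final) != host_of(crawler_final):
        evidence.append(
            f"browser ends on {host_of(browser_final)} but crawler on {host_of(crawler_final)}"
        )
    # A final host that is neither the probed host nor the browser's destination is a bounce.
    if host_of(crawler_final) not in (host_of(url), host_of(browser_final)):
        evidence.append("crawler bounced off-site")
    return {"url": url, "cloaked": bool(evidence), "evidence": evidence, "results": results}


def fake_fetch(url: str, user_agent: str):
    """Constructed stand-in for http_fetch modelling the cat-search redirect the article describes."""
    if "ExampleSecurityCrawler" in user_agent:
        return 200, "https://search.example/?q=maine+coon+cat"
    return 200, url


def honest_fetch(url: str, user_agent: str):
    """Constructed control: a site that serves every client the same page."""
    return 200, url


if __name__ == "__main__":
    for fetcher in (fake_fetch, honest_fetch):
        verdict = check_cloaking("https://usps-redelivery.top/track", fetcher)
        print(fetcher.__name__, "cloaked:", verdict["cloaked"], verdict["evidence"])
```

The stand-in fetchers let the comparison logic run offline; swapping in `http_fetch` turns it into a live probe. Because cloaking keys on more than the user agent (the article notes the front pages also pose as domain-sale pages), a single mismatch is evidence worth a closer look rather than proof, which is why the function returns the raw per-profile results alongside the verdict.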

Unlike traditional SMS phishing, darcula delivers its messages over the encrypted messaging platforms RCS (on Android) and iMessage (Apple) to bypass spam filters and exploit user trust.

darcula phishing messages targeting iMessage users (Source – Netcraft)

Because RCS and iMessage traffic is encrypted, it sidesteps recent anti-SMS spam legislation; it also incurs no per-message costs, and the operators get around platform security controls through tactics like reply-prompting and device farms.

While aiding user privacy, end-to-end encryption obfuscates message content from network-level filtering.

Threat actors exploit these advantages for widespread “smishing” campaigns impersonating trusted brands while evading typical SMS defenses. 

Researchers urged users to stay vigilant against unsolicited messages from unrecognized senders and said that anti-phishing tools remain key protection measures.


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
