'Darcula' Phishing-as-a-Service Operation Bleeds Victims Worldwide

Phishing-as-a-service has come of age with what's being billed as the most pervasive worldwide package scam operation to date.

Chinese-language, phishing-as-a-service platform "Darcula" has created 19,000 phishing domains in cyberattacks against more than 100 countries, researchers say. The platform offers cybercriminals easy access to branded phishing campaigns for subscription prices of around $250 per month, according to researchers at Internet infrastructure security vendor Netcraft.

Phishing-as-a-service platforms are not new, but Darcula raises the bar with more technical sophistication. It runs many of the same tools employed by application developers including JavaScript, React, Docker, and Harbor.

Darcula uses iMessage and RCS (Rich Communication Services) rather than SMS to send text messages — a feature that allows scam messages sent via the platform to bypass SMS firewalls, which normally block the delivery of suspicious messages.

Package Delivery Scam

The Darcula platform offers easy deployment of phishing sites with hundreds of templates targeting worldwide brands, including Kuwait Post, UAE-based telco Etisalat, Jordan Post, Saudi Post, Australia Post, Singapore Post, and postal services in South Africa, Nigeria, Morocco, and more.

Unlike recent attacks such as Fluffy Wolf, Darcula scams typically target consumers rather than businesses.

Phishing attacks using text messages, aka smishing, have been a hazard for years. Cybercriminals attempt to use "missed package" messages or similar to trick prospective marks into visiting bogus sites — disguised as postal carriers or banks — and handing over their payment card details or personal information. Google has taken steps to block RCS messages from rooted phones but the effort has only being partially successful.

Israeli security researcher Oshri Kalfon started investigating Darcula last year after receiving a scam message in Hebrew.

Kalfron uncovered myriad clues about the operation of the platform after tracing the roots of the scam back to a control site whose admin panel was easy to hack because scammers had forgotten to change the default login credentials.

The Darcula platform boasts support for around 200 phishing templates, covering a range of brands. Postal services worldwide are the prime target but other consumer-facing organizations including utilities, financial institutions, government bodies (tax departments, etc), airlines, and telecom providers are also on the roster.

Purpose-built — rather than hacked legitimate domains — are a characteristic of Darcula-based scams. The most common top-level domains (TLDs) used for darcula are .top and .com, followed by numerous low-cost generic TLDs. Around a third (32%) of Darcula pages abuse Cloudflare, an option favored in Darcula's documentation. Tencent, Quadranet, and Multacom are also getting abused as hosts.

Phishing Nets

Since the start of 2024, Netcraft has detected an average of 120 new domains hosting Darcula phishing pages per day.

Robert Duncan, vice president of product strategy at Netcraft, describes Darcula as the "most pervasive worldwide package scam operation" his company has ever come across.

"Other operations we have seen recently have been of much smaller scale and more geographically targeted," Duncan says. "For example, Frappo/LabHost was much more focused on North America and multinational brands."

Unlike typical (last generation) phishing kits, phishing websites generated using Darcula can be updated on-the-fly to add new features and anti-detection functionality.

For example, a recent Darcula update changed the kit to make the malicious content available through a specific path (i.e. example.com/track), rather than the front page (example.com), Netcraft says. The tactic disguises an attacker's location.

On the front page, Darcula sites typically display a fake domain for a sale/holding page. Previous versions redirected crawlers and bots to Google searches for various cat breeds.

Under the bonnet, Darcula uses the open source container registry Harbor to host Docker images of phishing websites written in React. Cybercriminals that rent out the technology select a brand to target before running a setup script that installs a brand-specific phishing website and an admin panel in Docker.

Evidence suggests that the operation is largely built for Chinese language-speaking cybercriminals.

"Based on what we've observed, we believe that Darcula is primarily or exclusively using Chinese, with external templates in other languages being created by those using the platform," Duncan says.

Block and Tackle

Many of the frequently recommended defenses against phishing apply here for protecting against scams generated via Darcula: avoid clicking links in unexpected messages, and instead go directly to the purported source's website, such as the postal service, for example.

Enterprises, meanwhile should employ commercial security platforms to block access to known phishing sites, Duncan says.