iPhone users, beware! Darcula phishing service targeting iMessage

Recently, cybersecurity analysts at Netcraft uncovered threat actors actively exploiting the Dracula phishing service to target USPS and global postal services via iMessage.

IPhone Darcula Phishing Attack

“Dracula” is an advanced Phishing-as-a-Service (PhaaS) platform utilizing contemporary web technologies such as JavaScript, React, Docker, and Harbor.

Deployed in over 20,000 phishing domains, it conducts notable campaigns.

A notable strategy involves leveraging iMessage and RCS instead of SMS, bypassing filters and capitalizing on user trust for “smishing” attacks impersonating postal services across 100+ countries.

This approach enables remarkably effective data extraction by exploiting the perceived legitimacy of messaging platforms and evading conventional SMS-based scam defenses.

Originally crafted by a Telegram user, the Dracula platform facilitates effortless deployment of continually updated phishing sites, boasting hundreds of templates targeting global brands.

The Darcula phishing kit stands out for its ability to update seamlessly with new features and anti-detection measures, such as altering malicious content paths for obfuscation.

According to the report, the group monetizes its operations through paid monthly subscriptions for other threat actors.

The Darcula PhaaS provides approximately 200 phishing templates aimed at over 100 brands in more than 100 countries, focusing primarily on postal services and trusted institutions like utilities, banks, and governments.

It employs purpose-registered domains mimicking brand names, often utilizing .top, .com, and other budget-friendly TLDs, with 32% hosted on Cloudflare. A total of over 20,000 Darcula domains spanning 11,000 IPs have been identified, with 120 new domains added daily in 2024.

Front pages are disguised with faux domain sale pages, previously redirecting bots to searches for cat breeds, in line with Darcula’s cat-themed branding.

The utilization of anti-detection tactics underscores the platform’s sophistication.

In contrast to conventional SMS phishing, Darcula utilizes encrypted messaging platforms like RCS (on Android) and iMessage (on Apple devices) to evade spam filters and exploit user trust.

RCS/iMessage encryption circumvents recent anti-SMS spam legislation, incurring no per-message costs and bypassing platform security controls with tactics like reply-prompting and device farms.

Although it enhances user privacy, end-to-end encryption obscures message content from network-level filtering.

Threat actors exploit these advantages for widespread “smishing” campaigns, impersonating trusted brands while eluding typical SMS defenses.

Researchers caution users to remain vigilant against unsolicited messages from unknown senders and emphasize the importance of anti-phishing tools as essential protective measures.