Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information and grant unauthorized access.

It’s an effective social engineering technique that can bypass even robust technical security measures. 

Phishing kits and services provide a low-cost, low-effort way to conduct widespread attacks, which makes them attractive options for threat actors seeking financial gains and access to valuable data.

Recently, cybersecurity analysts at Netcraft discovered that threat actors are actively exploiting the Dracula phishing service to attack USPS and global postal services via iMessage.

iPhone Darcula Phishing Attack

‘Dracula’ is a sophisticated Phishing-as-a-Service (PhaaS) platform leveraging modern web technologies like JavaScript, React, Docker, and Harbor.

It has been used for over 20,000 phishing domains conducting high-profile campaigns. 

A key tactic is using iMessage and RCS instead of SMS to bypass filters and leverage user trust for “smishing” attacks impersonating postal services across more than 100 countries. 

This enables uniquely effective data extraction by exploiting messaging platforms’ perceived legitimacy and evading typical SMS-based scam defenses. 

The Dracula platform was developed by a Telegram user and it offers easy deployment of constantly updatable phishing sites with hundreds of templates targeting global brands.

Phishing landing pages (Source – Netcraft)

Unlike typical phishing kits, darcula websites can update in-place with new features and anti-detection measures like changing malicious content paths for obfuscation.

The group monetizes through paid monthly subscriptions for other threat actors, reads the report.

The Darcula PhaaS offers around 200 phishing templates targeting over 100 brands across more than 100 countries, primarily postal services and trusted institutions like utilities, banks, and governments.

Phishing landing pages targeting postal services (Source – Netcraft)

It uses purpose-registered domains spoofing brand names, favoring .top, .com, and other low-cost TLDs, with 32% on Cloudflare. Over 20,000 darcula domains across 11,000 IPs have been detected, with 120 new ones daily in 2024. 

Front pages cloaked with fake domain sale pages, previously redirecting bots to cat breed searches – aligning with darcula’s cat-themed branding.

Anti-detection tactics demonstrate the platform’s sophistication.

darcula anti-monitoring redirecting site crawlers to a cat breed (Source – Netcraft)

Unlike traditional SMS phishing, darcula leverages the encrypted messaging platforms RCS (on Android) and iMessage (Apple) to bypass spam filters and leverage user trust.

darcula phishing messages targeting iMessage users (Source – Netcraft)

RCS/iMessage provides encryption bypassing recent anti-SMS spam legislation, incurs no per-message costs, and overcomes platform security controls through tactics like reply-prompting and device farms. 

While aiding user privacy, end-to-end encryption obfuscates message content from network-level filtering.

Threat actors exploit these advantages for widespread “smishing” campaigns impersonating trusted brands while evading typical SMS defenses. 

Researchers urged users to stay vigilant against unsolicited messages from unrecognized senders and said that anti-phishing tools remain key protection measures.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *