A new phishing service has been detected sporting a unique way of approaching iOS and Android users.
The Phishing-as-a-Service (PhaaS) tool, called “Darcula” and uncovered by researchers at Netcraft, stands out from the crowd as it reaches out to its victims via the Rich Communication Services (RCS) protocol for Google Messages and iMessage, instead of the usual Short Message System (SMS).
There are two reasons for the move to RCS, they explain, with the first one being an improved sense of legitimacy of the messages. The second one is that RCS messages are end-to-end encrypted, making them impossible to intercept, or block based solely on the contents of the message.
Thousands of domains and IP addresses
It’s impossible to say how many people received these smishing messages, but we do know that they’re located in more than 100 countries around the world.
Hackers who sign up for the service can impersonate dozens of organizations, choosing between more than 200 phishing templates. After paying for the subscription, the threat actors can choose one of many companies in the postal, financial, government, tax, telecommunications, airlines, and utility verticals, and get a dedicated phishing website with properly aligned fonts, logo images, and more.
The researchers described the phishing websites as “high quality”.
“The Darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS) highlighted in numerous posts on Reddit’s /r/phishing,” the researchers explained in their writeup.
The PhaaS apparently has some 20,000 domains, across 11,000 IP addresses. More than 100 new domains are being added to the tool, every day.
As usual, the best way to defend against phishing is to use common sense. If the message is unexpected, sounds strange, or too good to be true, extra caution is advised.
Via BleepingComputer