A new phishing service has been discovered with a unique way to target iOS and Android users.
The Phishing-as-a-Service (PhaaS) tool, called “Darcula” and discovered by Netcraft researchers, stands out from the crowd because it reaches its victims through the Rich Communication Services (RCS) protocol used by Google Messages, and through Apple's iMessage, instead of the usual Short Message Service (SMS).
There are two reasons for the switch away from SMS, the researchers explain. The first is that RCS and iMessage lend the lures an added sense of legitimacy: rich, branded messages with previews look less like bulk spam than plain text. The second is that both channels are end-to-end encrypted, so carriers and other intermediaries cannot read the message body and therefore cannot block or filter it based on its content, as they can with SMS. The encryption only hides the content from parties in the middle; the recipient's device still sees it, so any content-based filtering has to happen on the endpoint, and the recipient's own judgment remains the last line of defence.
Thousands of domains and IP addresses
It is impossible to say how many people have received these smishing messages, but the researchers have seen them targeting users in more than 100 countries around the world.
Criminals who subscribe to the service can impersonate dozens of organizations and choose from more than 200 phishing templates. After paying for the subscription, the threat actor picks one of many brands from the postal, financial, government, tax, telecommunications, aviation and utility sectors, and receives a ready-made phishing site for that brand, with matching fonts, logo images and page layout.
The researchers describe the phishing websites as “high quality”.
“The Darcula platform has been used for numerous high-profile phishing attacks over the past year, including messages received on both Apple and Android devices in the UK, as well as parcel fraud impersonating the United States Postal Service (USPS), as highlighted in numerous posts on Reddit’s /r/phishing,” the researchers explained in their report.
Netcraft has identified roughly 20,000 Darcula-related domains hosted across about 11,000 IP addresses, and more than 100 new domains are registered for the platform every day, so blocklists based on individual domains lag well behind the infrastructure.
As usual, the best way to protect yourself from phishing is to treat unexpected messages with suspicion regardless of the channel they arrive on. If a message is unexpected, sounds strange, asks for a small fee or personal details to "release" a parcel, or seems too good to be true, do not tap the link; instead, open the organization's official app or type its website address yourself and check there.
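Because end-to-end encryption keeps carriers from inspecting RCS and iMessage content, any content-based filtering against lures like these has to run on the endpoint, where the decrypted text is available. The following Python example, added here as an illustration and not code from Netcraft or the Darcula platform, shows the kind of heuristic an on-device filter or a security team's triage script could apply: it extracts URLs from a message, checks whether the hostname contains a brand keyword such as "usps", and flags it when the registrable domain is not the brand's legitimate one. The brand allowlist, the sample messages and the two-label domain shortcut are constructed assumptions for the demo; a real deployment would use a maintained brand list and the Public Suffix List.

```python
"""Endpoint-side smishing heuristics (added example; hypothetical brand list)."""
import re
from urllib.parse import urlparse

# Constructed allowlist: brand keyword -> registrable domains that legitimately use it.
# Hypothetical and deliberately tiny; a real filter would load a maintained list.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "royalmail": {"royalmail.com"},
}

# Matches http(s) URLs and bare www. hostnames; trailing punctuation is trimmed later.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def extract_urls(text):
    """Return the URLs found in a message body, normalised to have a scheme."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls


def registrable_domain(host):
    """Naive registrable domain (last two labels).

    Assumption for the demo only: real code should consult the Public Suffix List
    so that hosts such as example.co.uk are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Collapse separators so "usps-redelivery" and "us.ps" style tricks still match.
    flat = host.replace("-", "").replace(".", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in flat:
            return "legitimate" if reg in legit else f"lookalike:{brand}"
    return "unknown"


def score_message(text):
    """Classify every URL in a message and flag it if any is a brand lookalike."""
    urls = extract_urls(text)
    verdicts = [classify_url(u) for u in urls]
    return {
        "urls": urls,
        "verdicts": verdicts,
        "suspicious": any(v.startswith("lookalike:") for v in verdicts),
    }


# Constructed sample messages (not real Darcula lures).
SAMPLE_MESSAGES = [
    "USPS: your parcel is held at our depot. Pay the redelivery fee at "
    "https://usps.com.track-parcel.top/redeliver to avoid return.",
    "Your package has shipped. Track it at https://usps.com/track/1234",
    "Team lunch moved to 1pm, see https://example.org/calendar.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = score_message(msg)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {result['verdicts']} <- {msg[:60]}...")
```

The separator-collapsing step matters because the templated sites described above use the brand name in the hostname while the actual registrable domain is something unrelated; checking the registrable domain rather than the full hostname is what defeats the `usps.com.<attacker-domain>` pattern.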
Via BleepingComputer