‘Darcula’ Phishing Scam is Behind All Those “You Have a Delivery” Texts and Emails

  • A phishing-as-a-service (PhaaS) platform called 'Darcula' has raised alarms by targeting global postal services with SMS phishing attacks.
  • It exploits vulnerabilities in iMessage and Rich Communication Services to send phishing messages, getting people to click on what they think is a trusted link.
  • Netcraft identifies Darcula as a pervasive global scam operation, operating across 20,000 domains, and offering sophisticated phishing templates and tools that evade detection.

One overlooked downside of the artificial intelligence (AI) craze is that it has watered down discussions around cybersecurity — so much so that many cyber incidents have passed under our noses without our notice.

However, when the big incidents strike, we should stop, peer, and then remind ourselves of the need to up our security games.

While last week saw the world fixated on Elon Musk’s Grok-1.5 announcement and Apple’s upcoming iPad Pro and iPad Air launch in May, cybercrime disruptor Netcraft has raised an alarm that global postal services like USPS, DHL, and Evri in over 100 countries are at risk of a raging ‘smishing’ (SMS phishing) attack from the Chinese-language phishing-as-a-service (PhaaS) platform ‘Darcula.’

Netcraft said that there are more than 20,000 phishing domains that attempt to trick victims into entering sensitive information — believing they are speaking to a legitimate delivery company.

This revelation follows many incidents of cyber attacks targeted at postal services, such as one that shook the UK Royal Mail last year. In that attack, the UK apex postal service suffered a devastating cyber incident that disrupted its overseas delivery service for several months.

Meanwhile, in January, CBS News reported that phishing attacks on postal services across the US are rising quickly, citing that out of 68 million Americans scammed out of $326 million in phishing scams, smishing topped the list.

Here is a closer look at what Netcraft found and how businesses can shore up their security measures against this form of phishing. 

RCS and iMessage as the Preferred Phishing Lures

Rather than the regular URL link sent via SMS messaging or email, Netcraft says Darcula leverages loopholes in iMessage and Rich Communication Services (RCS), an approach that helps them bypass SMS firewalls. 

This strategy offers two key benefits. Firstly, it enhances the perceived authenticity of the phishing messages, as recipients are more likely to trust messages received via iMessage or RCS. Secondly, the end-to-end encryption provided by both iMessage and RCS makes it more difficult to intercept and block phishing messages based on their content.

Another reason the attackers prefer this method is that distributing URLs via RCS and iMessage is free, and because these types of messages bear the names of popular brands, they could easily exploit consumer trust.

Darcula – The Phisher with the Big Net

Netcraft’s Vice President of Product Strategy, Robert Duncan, characterizes Darcula as the “most pervasive worldwide package scam operation” his company has ever encountered.

Announcing the study, he said:

“Other operations we have seen recently have been of much smaller scale and more geographically targeted. For example, Frappo/LabHost was much more focused on North America and multinational brands.”

According to Netcraft’s report, an average of 120 new domains hosting Darcula-engineered phishing pages were detected in 2024, with many of the landing pages targeting postal services in many countries, including Australia, Singapore, and Bulgaria. The researchers also recorded over 20,000 Darcula-related domains across 11,000 IP addresses, targeting scores of brands.

Darcula’s primary phishing service involves offering a wide range of templates for setting up phishing sites that mimic well-known brands. Unlike other phishing service providers on the dark web, Netcraft says Darcula appears to have more sophisticated technologies in its arsenal, one of which helps the platform update its phishing sites with new features and measures to evade detection on the fly.

Why Phishing-as-a-Service is on the Rise – and Should be Taken Seriously

Crafting phishing campaigns may seem straightforward at first glance, yet their execution demands significant time and expertise. Stephanie Carruthers, an IBM X-Force research project team lead, revealed that her team invests approximately 16 hours in crafting a single phishing email.

This estimate doesn’t factor in the additional effort required to establish the intricate infrastructure essential for deploying the email and harvesting credentials. So, with a PhaaS platform like Darcula, cybercriminals save more time and scale their phishing attacks.

Again, the dark web, a phrase that had been in the shadows for many years, is now as accessible as any other platform on the web, making it easier for the more technical cybercriminals to create and market their phishing services to those who lack the technical skills but want to engage in cybercrime. These services are usually advertised on various online platforms, and transactions are typically conducted in cryptocurrency.

The shared nature of the PhaaS model makes it difficult to trace the crime back to a specific individual, as the tools and infrastructure are used by multiple criminals. This model also allows for the cost of criminal activities to be shared among all customers, making it an attractive option for criminals.

The emergence of PhaaS has serious implications for both businesses and individuals. It has not only made cybercrime more accessible to newcomers but also supports the business models of advanced criminals through specialized business-to-business services. This highlights the importance of implementing proper cybersecurity measures against these threats.

What Businesses Can Do to Tighten Things Up

As with every form of phishing attack, the key is vigilance, and it starts at the individual level. Pause before clicking a link in any message, irrespective of the sender.

While discussing the way forward around platforms like Darcula, Patrick Harr, CEO at SlashNext, told Techopedia that while apps and messaging platforms will always have exploitable loopholes, having a technology that can help detect phishing sites or malicious apps would help.

He said:

“There will always be loopholes in any platform, and threat actors continue to innovate sophisticated phishing tools to bypass safety measures put in place on any platform. That’s why it’s so critical to have security technology that can detect the credential phishing site or the malicious app. This is the last line of defense that needs to be covered at the users’ endpoint.”

Companies should educate employees on spotting the signs of phishing attempts, like poor grammar, pushy urgency, and URLs that don’t match the supposed brand. Filtering services and anti-phishing browser extensions can also help block known Darcula domains at the network and device level. 
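A minimal version of the "URL doesn't match the supposed brand" check described above, as an added example that is not from the article or from Netcraft. The brand allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: brand keyword -> official domains (not exhaustive).
OFFICIAL = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com"},
    "evri": {"evri.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_of(url):
    """Hostname the client would actually connect to, lower-cased."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""

def is_official(host, brand):
    # Exact match or a true subdomain; "usps.com.evil.example" fails both tests.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])

def check_message(text):
    """Return [(url, host, brands)] for links that do not belong to any brand named."""
    lowered = text.lower()
    brands = sorted(b for b in OFFICIAL if re.search(r"\b%s\b" % re.escape(b), lowered))
    findings = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        if brands and not any(is_official(host, b) for b in brands):
            findings.append((url, host, brands))
    return findings

# Constructed sample messages; the .example hosts are reserved and not real indicators.
SAMPLES = [
    "USPS: package on hold, confirm address https://usps.com.parcel-redelivery.example/verify",
    "USPS tracking update: https://tools.usps.com/go/TrackConfirmAction",
    "DHL: customs fee due https://dhl.com@pay-fee.example/x",
    "Lunch at noon? https://example.org/menu",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(check_message(msg) or "ok", "<-", msg)
```

The comparison is made on the parsed hostname rather than on the raw string, which is why a brand name placed in a leading subdomain or in the userinfo part of the URL does not pass.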

Given that Darcula targets industries reliant on consumer trust, like postal services, financial institutions, government entities, telecommunications companies, and others, Harr points out that these industries must work with AI-powered security technology that can help pick up zero-day threats.

He said: “It’s critical to leverage AI security technology that can predict and preempt new zero-threats. AI security technology that is learning and adapting to the latest threat landscape is a critical defense layer.”

Meanwhile, Techopedia spoke to “What the Hack?” podcaster Adam Levin this week on the “three M”s of cybersecurity — minimizing your risk, monitoring your accounts, and managing the damage.

The Bottom Line

A lot has been said about phishing scams and how to figure them out. But one thing is sure: these scams are not going anywhere anytime soon. The key is for all of us to handle any link with suspicion and avoid the rush-to-click syndrome affecting many of us.

While preventing campaigns from phishing platforms entirely may be out of reach, organizations can mitigate risks by educating consumers, monitoring account activities, shutting down malicious websites, and responding swiftly to reported threats.
