Darcula phishing service targets iPhone users through iMessage — how to stay safe

A person that looks like Dracula menacingly holding an iPhone.

Cybercriminals have developed an elaborate new phishing platform that’s currently being used to steal credentials from both iPhone and Android users in over 100 countries.

As reported by BleepingComputer, the new platform has been dubbed Darcula by its creators and it utilizes 20,000 fake domains to impersonate popular brands with over 200 different templates to choose from when launching phishing attacks against targeted users.

While we’ve seen elaborate phishing scams before, what sets this one apart is that instead of using ordinary SMS text messages to send phishing messages, it uses Apple’s iMessage and Google’s RCS protocol to target users.

Whether you’re using one of the best iPhones or one of the best Android phones, here’s everything you need to know about this new phishing service, along with some steps you can take to avoid falling victim to a phishing attack and potentially having your online accounts taken over by hackers.


Fish hook on a keyboard

As with malware-as-a-service offerings, Darcula is distributed on online hacking forums for a price. After paying the necessary fees, hackers can use the platform to launch their own attacks on unsuspecting users.

While Darcula was first discovered last summer by security researcher Oshri Kalfon, the cybercrime detection and disruption company Netcraft has revealed in a new blog post that the Chinese-language phishing platform has recently become even more popular among cybercriminals.

Besides leveraging iMessage and RCS in its attacks, Darcula also employs other modern technologies like JavaScript, React, Docker, and Harbor. This allows for continuous updates to the platform that include new features and templates. Plus, the hackers using this phishing kit don’t need to reinstall it when an update becomes available.

In addition to making it easier for hackers to craft phishing messages, Darcula includes fake landing pages for shipping companies like USPS, DHL, and other popular brands. These fake pages look nearly identical to their legitimate counterparts, and they also don’t have any spelling or grammatical errors, which is often a very easy way to spot a phishing page.

Once an attacker selects a brand they want to impersonate and runs a setup script, Darcula installs a matching phishing site as well as a management dashboard directly into a Docker environment. According to Netcraft, the phishing platform typically uses the “.top” and “.com” top-level domains to host these fake websites.

Moving beyond SMS

Google Messages on Android phone next to Messages app on iPhone

If you’re wondering why the Darcula phishing platform uses iMessage and RCS instead of SMS, the reason is simple: doing so adds more legitimacy to its phishing messages.

Potential victims are more likely to believe that a message is legitimate if it comes through iMessage or is delivered using RCS. At the same time, since both messaging standards support end-to-end encryption just like the best encrypted messaging apps, phishing messages sent using them can’t be intercepted and blocked based on their contents.

There are some safeguards in place, though. For instance, Apple will ban accounts that send many messages to multiple recipients. At the same time, Google recently added a restriction that prevents rooted Android phones from sending or receiving RCS messages. Still, the hackers using the platform try to get around these restrictions by creating multiple Apple IDs or by using device farms to send a small number of messages from each device.

iMessage has yet another restriction, though. Apple’s messaging service won’t let iPhone users click on a link within a message if they haven’t replied to it first. This is why these phishing messages ask recipients to respond with a “Y” or “1” and then reopen the message to access the link it contains.

How to stay safe from phishing

A woman looking at a smartphone while using a laptop

As is the case with many other cyberattacks, phishing attacks often try to instill a sense of urgency in their victims to get them to take action.

In the examples shared by Netcraft, many of the phishing messages were about undeliverable packages. If you frequently shop online — say during Prime Day, Black Friday or other big shopping days — you’re more likely to see one of these phishing messages and take action as it’s easy to believe that there might be something wrong with one of your orders.

For this reason, you always need to be careful when receiving any kind of message about an online order or a delivery. You want to avoid the ones that ask you to click on a link, especially if you don’t know the sender. Even if you do, it’s easy enough to impersonate a company by copying its logo and the language it uses in its messages. This is why you should always stop and take a moment to think before responding to a suspicious message or clicking on any links within it.

If the message says that a USPS package can’t be delivered, check to see if anything you ordered was shipped using this particular carrier. You also want to check the store’s page to get up-to-date tracking information. Normally, USPS, FedEx, UPS, and other delivery companies don’t send you messages like this. Another thing to look for is odd top-level domains. Most companies in the U.S. just use “.com”, so if you see a web address that mentions USPS but ends in “.top”, you immediately know that you’re dealing with a phishing message.
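The checks described above (does the link point at the carrier's real domain, and does it use an odd top-level domain such as “.top”) can be turned into a simple message scanner. The following is an added example written for this article; it is not code from Netcraft, Tom's Guide, or the Darcula kit. The sample messages are constructed, the brand-to-domain allow-list is a small hypothetical table rather than a complete one, and the registrable-domain helper is a naive last-two-labels approximation instead of a real public suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages in the style the article describes (not real phishing texts).
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered. Update your address at "
    "https://usps-redelivery.top/track?id=8812",
    "Your DHL parcel is on hold. Confirm details: "
    "http://dhl.com.parcel-update.top/verify",
    "Your order has shipped! Track it at https://tools.usps.com/go/TrackConfirmAction",
    "Reminder: team lunch at noon tomorrow, no link here",
]

# Hypothetical allow-list: brand keyword -> registrable domains the brand actually uses.
# This is an assumption for the example, not an authoritative list.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}

# TLDs the article reports being used for the fake sites; a starting point, not a full list.
SUSPICIOUS_TLDS = {"top"}

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


def registrable_domain(hostname):
    """Naive 'last two labels' approximation of the registrable domain (assumption)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def brand_tokens(text):
    """Brand keywords appearing as whole tokens in the text (avoids 'ups' matching 'groups')."""
    tokens = set(re.split(r"[^a-z0-9]+", text.lower()))
    return tokens & set(BRAND_DOMAINS)


def classify_url(url, body_text=""):
    """Return (verdict, reason) for one link found in a message."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    tld = reg.rsplit(".", 1)[-1]
    # A brand can be named in the message body or smuggled into the hostname itself.
    mentioned = brand_tokens(body_text) | brand_tokens(host)
    if any(reg in BRAND_DOMAINS[b] for b in mentioned):
        return "ok", f"link is on a legitimate domain ({reg})"
    if mentioned:
        names = ", ".join(sorted(mentioned))
        return "suspicious", f"mentions {names} but links to unrelated domain {reg} (TLD .{tld})"
    if tld in SUSPICIOUS_TLDS:
        return "suspicious", f"unusual top-level domain .{tld}"
    return "unknown", f"no brand match, domain {reg}"


def scan_message(text):
    """Return a list of (url, verdict, reason) for every link in one message."""
    return [(u,) + classify_url(u, text) for u in URL_RE.findall(text)]


def scan_messages(messages):
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, scan_messages(SAMPLE_MESSAGES)):
        print(msg[:60] + "...")
        for url, verdict, reason in findings or [("-", "no links", "")]:
            print(f"   {verdict:10s} {url}  {reason}")
```

The second sample shows why the check looks at the registrable domain rather than the start of the hostname: “dhl.com.parcel-update.top” begins with the real brand domain but is actually hosted under “parcel-update.top”.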

Phishing continues to be a very successful attack tactic for cybercriminals and scammers alike, so we won’t likely see them abandoning it anytime soon. This means it’s up to you to check your messages carefully and look out for anything suspicious. When in doubt though, don’t click or reply to these types of messages even if they could actually be legitimate.
