Some security exploits never die, and others seemingly cannot be killed. When a threat is named after a legendary vampire perhaps we should have expected it to come back from the dead. The real surprise, as security researchers raise the alarm over the Darcula phishing-as-a-service exploit resurfacing, and targeting 100 countries using more than 20,000 registered brand domains to help quench its thirst for iPhone user credential theft, is the way it evades Apple security measures. Here’s what you need to know.

Darcula Rises From The Dead To Suck Credentials From iPhone Users

First spotted in the wild last year by security researcher Oshri Kalfon in July 2023, Darcula has resurfaced and Netcraft’s Harry Everett has issued a new warning to all iPhone users to be onboard the lookout for the bloodthirsty iMessage threat.

Everett describes Darcula as a “new, sophisticated Phishing-as-a-Service (PhaaS) platform used on more than 20,000 phishing domains that provide cyber criminals with easy access to branded phishing campaigns.” The phishing domains in question relate to brands across numerous market sectors and target more than 100 different countries. At least 200 templates exist for would-be attackers to use the Darcula exploit, with postal services, including the United States Postal Service, being among the most popular. Other templates concentrate on institutions and brands that are trusted by consumers worldwide, including utilities, banks, government bodies such as taxation as well as airlines. The Netcraft report reveals that an average of 120 new domains have been hosting Darcula phishing pages every day this year. It certainly looks like the criminal operators behind the campaign have been busy.

Leveraging Trust By Using The Secure iMessage Platform

All phishing schemes look to leverage trust from the victim, and Darcula is no different. This is one reason why it has opted not to focus on sending messages with malicious links to those spoofed brand domains by SMS. There has simply been too much publicity about SMS scams, and the public is generally wary about responding to the “you have a parcel for a delivery” type of bait used. Instead, Darcula is distributed using iMessage on the iPhone and RCS on Android. The reasoning behind this is that iMessage is regarded as a more secure messaging medium than SMS, and for good reason: it was designed to be precisely that.

The end-to-end encryption employed in iMessage is great for user privacy, but it also enables attackers such as the Darcula criminals to bypass security filtering as the content of the messages cannot be analyzed by the network operators. This leaves “Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims,” Netcraft warns.

How Darcula Evades Apple Security Measures For iMessage Users

Darcula even gets around Apple security measures such as requiring that links in an iMessage can only be clicked if you’ve already replied to the account sending it. “To evade this,” Everett says, “one of the templates created by criminals using Darcula is sent to Apple users with a ‘Please reply to Y’ or ‘Please reply to 1’ message.” Once users have replied, the malicious links are then clickable, and the victim will be redirected to the credential-stealing website operated by the criminals.

How To Defend Yourself Against The Darcula Threat

Because the Darcula phishing pages are very well put together, without the usual spelling mistakes or grammatical errors associated with such campaigns of old, use the local language of the country in question and are convincing copies of the brand being spoofed, it sits with users to be extra vigilant from the get-go. This means you need to be on the lookout for messages that appear to be too good to be true. Even if you are expecting notification concerning a parcel delivery, as this is the most common ruse used by Darcula, be alert to where that message is coming from and take special care to look for unusual domains, such as .top for example, and misspellings or hyphens in the brand name. ”If you’re expecting a message from an organization, navigate to their official website and avoid following links,” Everett advises.

An Apple spokesperson suggested concerned users refer to the Recognize and avoid phishing messages, phony support calls, and other scamssupport posting.

Forbes