New phishing-as-a-service campaign sinks its teeth into iMessage

A new phishing-as-a-service campaign is sinking its teeth into iMessage.

The PhaaS named “Darcula” is using 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries and across sectors from airlines to utilities. The phishing kit offers 200 phishing templates to use for spoofing brands, showing high-quality landing pages with correct branding and all. 

This vampire-reminiscent campaign is unique in that it uses iMessage and Rich Communication Services (RCS) rather than SMS to send texts. Messages sent through these platforms bypass SMS firewalls, which can prevent detection of suspicious messages.

Apple security company Jamf’s vice president of Portfolio Strategy, Michael Covington, says he’s not surprised by the approach, however. He notes that because RCS is so widely trusted by users, it has become a perfect attack vector for hackers. 

Here’s what Covington says in a statement to Apple World Today:

RCS is an alternative messaging protocol that offers a more feature-rich and interactive messaging experience than traditional SMS. In addition to supporting more characters in each transmission, RCS offers modern enhancements like read receipts, typing indicators, and high-resolution media. From a security perspective, RCS also provides end-to-end encryption, offering a more secure and private messaging experience.

For several years, we have seen attackers exploit modern messaging platforms, like iMessage and WhatsApp, to launch phishing campaigns, so we are not surprised to see RCS added to the list of potential attack vectors. These encrypted services are often considered by end users to be more secure, so there is some inherent trust that is often not present with basic SMS messaging. That said, we believe the benefits of end-to-end encryption and the modern messaging features are worthy upgrades from more outdated communication protocols where privacy is at risk.

Regardless of which messaging protocol or service a user prefers, they should always have their guard up, ready to spot a potential social engineering attack. Hackers are constantly evolving their techniques and the advancements we see in phishing services like Darcula show that nothing is off limits. Everything from the sender, the brand names used within a message, and the messaging protocol itself should be questioned and verified before parting with sensitive information like sensitive credentials.

Dennis Sellers

Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.
