Revamped darcula phishing kit impersonates sites with just a link

February 20, 2025



A new version of the phishing-as-a-service (PhaaS) tool known as darcula enables scammers to build custom phishing pages that impersonate any other website with just a link.

Netcraft revealed in a blog post how the new darcula-suite 3.0, successor to darcula V2, is currently being tested by cybercriminals and is expected to have an official release by the end of February 2025. Netcraft, which first discovered and reported on the darcula tool in March 2024, got its hands on a test version of the new PhaaS suite, revealing its latest “next-generation” features.

The previous version of darcula included phishing templates for more than 200 brands in 100 countries, but brand impersonation was limited to the brands darcula had available.

In darcula-suite 3.0, fraudsters can now input any link into darcula’s page builder and the tool will create a clone of the site, which attackers can then customize by replacing HTML elements with scam templates such as credit card forms.

The site imitation is pulled off by using a browser automation tool, similar to the legitimate Puppeteer software, to export the HTML and all other required assets from the webpage linked by the attacker, Netcraft researchers explained.

Darcula users can use the tool’s interface to restyle the selected phishing templates to match the targeted site’s branding, create multiple pages for separate steps such as login, payment and confirmation, and export the phishing site as a “.cat-page” bundle that can be reuploaded to the darcula admin panel, making for a smooth “DIY phishing” experience.

This feature not only greatly lowers the barrier for fraudsters with little to no technical or coding experience, but also expands the attack capabilities to target countless brands and victims.

Over the past year, Netcraft says it detected and blocked more than 96,000 phishing sites and nearly 31,000 IP addresses tied to darcula, and has also had more than 20,000 impersonation sites taken down on behalf of its clients. These results not only demonstrate the scope of darcula’s use by cybercriminals, but also show that its evasion techniques are not foolproof.

Darcula uses several techniques to avoid detection, including filtering certain IP addresses from accessing phishing sites, blocking crawlers from indexing the sites, and blocking device types such as non-mobile devices from viewing the sites. A global proxy network can be used to bypass these evasive filters and allow cybersecurity teams to investigate, and ultimately disrupt, phishing sites created by darcula.

In addition to site generation, darcula-suite provides a sleek administrator dashboard for users to manage their phishing campaigns. Scammers can use darcula-suite 3.0 to create an image of a victim’s stolen payment card, which can then be scanned into a digital wallet. Netcraft noted that cybercriminals often scan several of these stolen cards onto burner phones that they then offer for sale, citing one example of a user advertising a phone loaded with dozens of cards on a darcula-related Telegram channel.

Also included with the phishing kit is a performance dashboard that lets users visualize their campaigns’ performance, and Telegram integration that sends users a notification whenever a victim submits information to one of their phishing sites.

While the test version of darcula-suite 3.0 may differ from the final release, companies and consumers should be aware of the threat posed by its brand-impersonation features and evasion techniques.

“Consumers can protect themselves by being wary of messages and links sent from unrecognized senders. While the fraud hallmarks of bad grammar and spelling errors continue to decline as generative AI becomes more prevalent among bad actors, offers and messages that are ‘too good to be true’ or require urgent action should continue to be treated with significant skepticism,” the Netcraft researchers wrote.

As mentioned, cybersecurity teams can use global proxy networks to access and investigate potential phishing sites impersonating their organization’s or others’ brands, and use techniques like abuse box monitoring to stay on top of threats targeting organization members, Netcraft said.
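A defender-side triage check for the evasion techniques described above, as an added example that is not from the article or from Netcraft: it compares responses for one suspect URL fetched from several vantage points (desktop, mobile, crawler user agent, and a mobile fetch through a proxy exit) and reports which darcula-style gating signals appear. The `Probe` record, the regexes and the constructed sample responses are assumptions; no network access is performed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    """One fetch of the same URL from a given vantage point (constructed, no network)."""
    profile: str   # "desktop", "mobile", "crawler" or "proxy_mobile"
    status: int
    body: str


# Heuristics for the credential/payment forms a cloned page is customized with.
FORM_RE = re.compile(r"<input[^>]+type=[\"']?(password|tel)|name=[\"']?(card|cc|cvv|pan)", re.I)
NOINDEX_RE = re.compile(r"<meta[^>]+name=[\"']robots[\"'][^>]+noindex", re.I)


def _served_phish(p: Optional[Probe]) -> bool:
    return p is not None and p.status == 200 and bool(FORM_RE.search(p.body))


def cloaking_indicators(probes: List[Probe]) -> List[str]:
    """Return the evasion signals seen across vantage points:
    device_gating (mobile gets the form, desktop does not), crawler_blocking,
    noindex (page asks not to be indexed) and ip_filtering (own IP blocked,
    proxy exit served)."""
    by = {p.profile: p for p in probes}
    served = next((by.get(k) for k in ("mobile", "proxy_mobile") if _served_phish(by.get(k))), None)
    if served is None:
        return []  # nothing phish-like was served on any mobile path
    signals = []
    if not _served_phish(by.get("desktop")):
        signals.append("device_gating")
    crawler = by.get("crawler")
    if crawler is not None and crawler.status != 200:
        signals.append("crawler_blocking")
    if NOINDEX_RE.search(served.body):
        signals.append("noindex")
    mobile = by.get("mobile")
    if served.profile == "proxy_mobile" and mobile is not None and mobile.status != 200:
        signals.append("ip_filtering")
    return signals


# Constructed sample: the analyst's own IP is blocked, a proxy exit is served the card form.
SAMPLE_PROBES = [
    Probe("desktop", 404, "<html><body>Not Found</body></html>"),
    Probe("crawler", 403, ""),
    Probe("mobile", 404, "<html><body>Not Found</body></html>"),
    Probe("proxy_mobile", 200, '<html><head><meta name="robots" content="noindex"></head>'
          '<body><form><input name="card_number"><input name="cvv"></form></body></html>'),
]
```

Run the function against probes captured from each vantage point; an empty list means the URL served the same benign content everywhere and warrants no cloaking follow-up.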


