Darcula Phishing Service Targets iPhone Users via iMessage - How to Stay Safe?

Cybercriminals have developed an elaborate new phishing platform.

As reported by BleepingComputer, the new platform, named Darcula by its creators, offers over 200 templates impersonating popular brands and uses around 20,000 fake domains to host the resulting phishing sites.

We have seen elaborate phishing scams before, but what makes this one unique is that instead of using regular SMS text messages, it delivers its phishing messages over Apple's iMessage and Google's RCS protocols.

Whether you use one of the best iPhones or one of the best Android phones, here's everything you need to know about this new phishing service, the risks of falling victim to one of its attacks, and some steps you can take to avoid having your online accounts hijacked.

Like malware-as-a-service offerings, Darcula is sold for a fee on online hacking forums. Once they have paid, attackers can use the platform to launch their own campaigns against unsuspecting users.

Darcula was first discovered last summer by security researcher Oshri Kalfon, but cybercrime detection and interdiction firm Netcraft revealed in a new blog post that this Chinese-language phishing platform has recently become even more popular among cybercriminals.

Besides utilizing iMessage and RCS in its attacks, Darcula is built on modern technologies such as JavaScript, React, Docker, and Harbor. This allows the platform to be updated continuously with new features and templates, and attackers using the kit do not need to reinstall it to receive those updates.

In addition to making it easier for attackers to craft phishing messages, Darcula includes fake landing pages for shipping companies such as USPS and DHL as well as other popular brands. These fake pages look almost identical to the legitimate ones and are free of the spelling and grammatical errors that often give phishing pages away.

Once the attacker selects the brand they wish to impersonate and runs the setup script, Darcula installs the matching phishing site and administrative dashboard directly into the Docker environment. According to Netcraft, the platform typically hosts these fake sites on the ".top" and ".com" top-level domains.

You may wonder why the Darcula phishing platform uses iMessage or RCS instead of SMS, but the reason is simple: doing so adds legitimacy to the phishing message.

Potential victims are more likely to believe a message is legitimate if it arrives through iMessage or RCS. At the same time, both messaging standards support end-to-end encryption, just like the best encrypted messaging apps, so phishing messages sent over them cannot be intercepted or blocked by carriers based on their content.

However, there are some safeguards. For example, Apple bans accounts that send large numbers of messages to many recipients, and Google recently added restrictions that prevent rooted Android phones from sending and receiving RCS messages. Still, attackers using the platform attempt to circumvent these limits by creating multiple Apple IDs and using device farms to send a small number of messages from each device.

iMessage has yet another safeguard: Apple's messaging service does not let iPhone users tap links in messages from unknown senders until they have replied. Thus, these phishing messages ask the recipient to reply with a "Y" or "1" and then re-open the message to access the included link.

Like many other cyber attacks, phishing attacks often attempt to instill a sense of urgency in the victim to take action.

In the examples shared by Netcraft, many of the phishing messages were about undelivered packages. Frequent online shoppers, especially around Prime Day, Black Friday, and other big shopping days, are more likely to see such messages, assume something is wrong with an order, and take action.

For this reason, you should always be cautious when receiving any kind of message about an online order or delivery. In particular, avoid anything that asks you to click a link, especially if you do not recognize the sender. Even when you do, it is easy for an attacker to impersonate a company by copying its logo or the language it normally uses. This is why you should always stop and think before replying to a suspicious message or clicking a link in it.

If the message is about a USPS package not arriving, check whether your order was actually shipped with that carrier, and look up the latest tracking information on the store's own page. Usually, USPS, FedEx, UPS, and other shipping companies do not send such messages. Another thing to look for is unusual top-level domains. Most companies in the U.S. use ".com," so if a supposed USPS web address ends in ".top," you will immediately know it is a phishing message.
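As an added example (not code from the article or from Netcraft's research), the following Python check applies the two tells described above to a message: a "reply with Y or 1" request used to unlock iMessage links, and links whose hostname carries a carrier's name but points at a different registrable domain or at a ".top" TLD. The carrier allow-list and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of legitimate registrable domains for carriers named in
# the article. Extend it for the brands your own users deal with.
LEGIT_DOMAINS = {"usps": "usps.com", "dhl": "dhl.com", "fedex": "fedex.com", "ups": "ups.com"}

# TLD the article says Darcula sites are typically hosted on; ".com" is too common to flag alone.
SUSPICIOUS_TLDS = {"top"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "Reply Y", "reply with 1", "Reply 'Y'" - the iMessage link-unlock lure.
REPLY_BAIT_RE = re.compile(r"\breply\s+(?:with\s+)?['\"]?(?:y|1)['\"]?\b", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the hostname (assumes simple TLDs; ccTLDs like co.uk need a suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_message(text):
    """Return reasons a message looks like a Darcula-style lure; an empty list means nothing was found."""
    reasons = []
    if REPLY_BAIT_RE.search(text):
        reasons.append("asks recipient to reply first (iMessage link-unlock trick)")
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,;!?)")).hostname or ""
        domain = registrable_domain(host)
        tld = domain.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"link on suspicious TLD .{tld}: {host}")
        for brand, legit in LEGIT_DOMAINS.items():
            if brand in host and domain != legit:
                reasons.append(f"'{brand}' in hostname but domain is {domain}, not {legit}")
    return reasons


# Constructed sample messages: one lure on a .top domain, one lookalike on .com, one genuine tracking link.
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered. Update your address at "
    "https://usps-redelivery.top/track?id=1. Reply Y and reopen this message to open the link.",
    "DHL: customs fee required, pay at https://dhl-parcel.com/pay. Reply with 1 to continue.",
    "Your order has shipped. Track it at https://www.usps.com/go/TrackConfirmAction?tLabels=9400",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(assess_message(msg) or ["no indicators"], "<-", msg[:60])
```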

Phishing continues to be a very successful tactic for cybercriminals and fraudsters, so it is up to you to read each message carefully and look for anything suspicious. If in doubt, do not click or reply, even if the message might turn out to be legitimate; contact the company through its official website or app instead.
