Mandiant has discovered a new Phishing-as-a-Service (PhaaS) platform called Caffeine. Interestingly, new clients do not need an invitation or referral to sign up, and they do not need administrator approval or a “guarantor” from a hacker forum. In addition, Caffeine is aimed mainly at Russian and Chinese services, which is also very unusual.
“This platform has an intuitive interface and relatively low cost, providing its criminal clients with many features and tools to organize and automate the main elements of phishing campaigns,” the researchers say in their report.
Experts discovered Caffeine after investigating a large-scale phishing attack that targeted one of Mandiant’s customers to steal Microsoft 365 credentials.
The report states that one of the main dangers of the Caffeine platform is its accessibility. No invites or referrals are needed to create an account, and immediately after registering, the criminal gets access to the “shop”, which contains tools for conducting phishing campaigns and a toolbar.
Only then must the user pay for a subscription, which costs $250 per month, $450 for three months, or $850 for six months, depending on the features. Since this is quite expensive compared to other PhaaS services, Caffeine tries to offset the cost by offering its customers anti-detection and anti-analysis systems, as well as support services.
Among the main features offered by the platform are the ability to create custom phishing kits, manage redirect and bait pages, dynamically generate URLs hosting payloads, set up IP blacklists (geo-blocking, CIDR-based blocking, etc.) and track campaign statistics.
The report also emphasizes that the platform allows operators to use their own Python- or PHP-based utility to send phishing emails to targets, further reducing the need for external tools.
Caffeine currently offers several phishing templates, including templates for Microsoft 365 and various lures for Chinese and Russian services. Mandiant believes that Caffeine operators will further expand this list in the future.
Although Mandiant includes a guide to detecting Caffeine phishing emails with its report, analysts emphasize that the fight against PhaaS is a “cat and mouse game”: criminals are likely to adopt new evasion methods, after which the report can be considered outdated.