Mandiant has discovered a new Phishing-as-a-Service (PhaaS) platform called Caffeine. Interestingly, new clients do not need invitations or referrals to join, nor do they need administrator approval or a “guarantor” from a hacker forum.
In addition, Caffeine is aimed mainly at Russian and Chinese services, which is also very unusual. Let me remind you that we also reported that Hackers Attack Russian Defense Contractor Through MHTML Bug, and that a New Phishing Campaign Targets Microsoft Office 365 Credentials.
Experts discovered Caffeine while investigating a large-scale phishing attack against one of Mandiant’s customers that aimed to steal Microsoft 365 credentials.
Attack scheme
The report states that one of the main dangers of the Caffeine platform is its accessibility. No invitations or referrals are needed to create a Caffeine account, and immediately after registering, the criminal gains access to the “shop”, which contains tools for conducting phishing campaigns and a toolbar.
Only then must the user pay for a subscription, which costs $250 per month, $450 for three months, or $850 for six months, depending on the features. Since this is quite expensive compared to other PhaaS offerings, Caffeine tries to justify the price by offering its customers anti-detection and anti-analysis systems as well as support services.
Caffeine rates, according to the hacker forum ads
Among the main features offered by the platform are the ability to create custom phishing kits, manage redirect and lure pages, dynamically generate URLs that host payloads, set up IP blocklists (geo-blocking, CIDR-based blocking, etc.), and track the statistics of one’s campaigns.
The report also notes that the platform allows operators to use their own Python- or PHP-based utility to send phishing emails to targets, further reducing the need for external tools.
Caffeine currently offers several phishing templates, including templates for Microsoft 365 and various lures for Chinese and Russian services. Mandiant believes that the Caffeine operators will expand this list further in the future.
Default phishing template for mail.ru
Although Mandiant includes guidance for detecting Caffeine phishing emails in its report, the analysts emphasize that the fight against PhaaS is a “cat and mouse game”: criminals are likely to adopt new evasion methods, after which the report’s guidance can be considered outdated.