Cybercriminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads.
“This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns,” Mandiant said in a new report.
Some of the core features offered by the platform comprise the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns.
The development comes a little over a month after Resecurity took the wraps off another PhaaS service dubbed EvilProxy that’s offered for sale on dark web criminal forums.
But unlike EvilProxy, whose operators are known to vet prospective customers before activating the subscriptions, Caffeine is notable for running an open registration process, effectively enabling anyone with an email address to sign up for the service.
This restriction-free approach not only obviates the need for approaching the actors on underground forums or requiring a referral from an existing user but also allows Caffeine to rapidly expand its clientele and lower the barrier to entry.
Making it further stand apart from the rest, the PhaaS toolkit is noteworthy for offering phishing email templates for use against Chinese and Russian targets.
PhaaS services typically entail an operator to develop and deploy a significant chunk of the phishing campaigns, right from fake sign-in pages, website hosting, site templates, and credential theft.
The evolution of email-based phishing threats into a service-based economy means that adversaries who aim to conduct phishing attacks can now simply purchase such resources and infrastructure without having to work on it themselves. Caffeine is no exception.
It requires users to create an account, and buy a subscription that costs $250 a month (Basic), $450 for three months (Professional), or $850 for a six-month license (Enterprise) to avail of its wide range of services, including the campaign management dashboard and the tools to configure the attacks.
The ultimate goal of the phishing campaign is to facilitate the theft of Microsoft 365 credentials through rogue sign-in pages hosted on legitimate WordPress sites, indicating that the Caffeine actors are leveraging compromised admin accounts, misconfigured websites, or flaws in web infrastructure platforms to deploy the kits.
While the login pages are currently limited to Microsoft 365 credential harvesting lures, the Google-owned threat intelligence firm noted that additional login page formats could be introduced in the future as per customer demands.
“It is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse,” Mandiant said. “As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up.”