The article dives deep into the recent investigation of the Phishing-as-a-Service (PhaaS) platform called “Caffeine, ” which was noticed by Mandiant detectives, and the new findings related to it.
The recent announcement about the phishing-as-a-service (PhaaS) platform termed ‘Caffeine’ has become the topic of discussion. It is being termed as the most convenient platform for threat actors to launch attacks via an open registration process, allowing anyone to enter and begin their phishing campaigns. Mandiants‘ detailed analysis also focused on the technical configurations that are currently available to Caffeine’s fishermen, allowing them to evade detection.
Let us take a look at the basics of the investigations that led to the identification of the Phishing attack via ‘Caffeine’, the extent of Caffeine’s low-barrier entry into the PhaaS platform market, the platform’s core capabilities and the key findings found by Mandiant.
What Actually Happened?
In March 2022, Mandiant’s defense analysts discovered malicious actors using a shared Phishing-as-a-Service (PhaaS) platform called “Caffeine” while investigating phishing activity targeting their Managed Defense customers.
Managed Defense uncovered a suspicious URL in an email sent to a European architectural consulting firm in March. While the email’s contents were not fully recovered, domain data contained within the phishing email,
Over the complete process of analysis into the Caffeine platform, Managed Defense also observed that there were some newer versions of the error page that had placed support contact information for an encrypted messaging service in place of the support ticket URL portion.
Findings about ‘Caffeine’
Caffeine is claimed to be quite unique, has an easy-to-use interface, and is reasonably priced while offering its criminal clients many features and tools to automate their phishing campaigns.
Caffeine is being called an easy medium for threat actors to attempt their attacks. This allegation is based on the following facts:
1. Open Registration Process: Caffein’s PhaaS service allows anyone to launch Microsoft 365 Phishing attempts due to its open and simple registration process. Instead of working through restricted communication channels such as referrals from existing users, underground forums, or encrypted messaging services, anyone with an email address can sign up for their services.
2. Expensive as Compared to other PhaaS Platforms: Caffeine does not support perpetual license and is entirely subscription-based. Caffeine is a modern subscription-based software design that offers three different levels of service and is more expensive than other PhaaS platforms. For example, its base subscription costs about $250 per month.
3. Campaign Infrastructure and Configuration: Most of the Caffeine platform’s feature set allows users to select granular configuration settings for use in their credential phishing campaigns. It includes but is not limited to self-service mechanisms for customizing dynamic URL schemas to aid in dynamically forging pages with potential victim information pre-populated for additional campaign deception.
4. Easy Accessibility: Caffeine has been thoroughly tested by Mandiant analysts, who report that it is easily accessible to cybercriminals due to a low barrier to entry.
5. Targets Russian and Chinese Platforms: In contrast to other PHaas platforms that frequently launch phishing attacks against Western services, Caffeine is said to have ring fenced email phishing templates that target Russian and Chinese platforms.
How does Caffeine act as the Kickstart for Phishing campaigns?
Caffeine has a simple and efficient approach for attackers.
1. Account Creation: The first step is account creation, after which the operator gains immediate access to the “Store,” which contains phishing campaign creation tools and an overview dashboard.
2. Choosing Subscription License: Next, depending on the features, the operators must purchase a subscription license, which can be chosen from three categories depending upon the months. It offers $250 per month, $450 for three months, or $850 for six months.
When compared to typical PhaaS subscription companies, the fee is quite high. However, Caffeine justifies its expensive infrastructure by providing anti-detection and anti-analysis systems and customer support services.
3. Deployment of Phishing Kit: Following the establishment of the primary phishing campaign parameters, operators must deploy the phishing kit. Caffeine currently provides several phishing template options, including Microsoft 365 and various lures for Chinese and Russian platforms.
In most traditional phishing campaigns, phishers use two main mechanisms to host their malicious content. However, in the case of Caffeine, the attacker must also ensure that their kits are configured to use a user-specific license token. This connects their deployed kits to their primary Caffeine user account, allowing them to fully utilize the Caffeine platform (and its respective administrative dashboards) to handle campaign operations.
Way to Detect Caffein’s Phishing Activity
Now that Mandiant has provided detection guidelines for catching Caffeine-backed phishing emails, analysts still warn that the cyber attackers may discover new evasion techniques for synch automated platforms.
Whatever the platform may be, it has become a dire need to protect against ever-rising Phishing attempts. If not dealt with in time, they can probably
Here are the few directions given by Mandiant:
1. Caffeine Detection on the Endpoint
This particular set of rules does not work in the long run because adjustments must be made as we progress. It serves as the starting point for investigations into phishing infrastructure and activity.
2. Caffeine Detection on the Wire
Caffeine’s architecture for deployed phishing kits includes the following domains as core components. To make the most of these detections, Mandiant suggests looking for anomalous network traffic to a cluster of these domains in weblogs or network traffic over a period of several minutes.
(Image Source: Mandiant)
Additional Guidelines for Organizations to Reduce the Impact of Phishing Attacks
Apart from these, there are some additional generalized guidelines that an organization can follow to reduce the impact and the incidence of Phishing attacks:
1. Regular Evaluation: Review known-good versions of any publicly accessible web infrastructure and files. Regular evaluation and software updations help keep systems safe from attacks and cybercrimes that keep coming up on an everyday basis.
2. Adopt Behavioral Analytics: Analyzing weblogs based on behavioral analytics to include URL structure, form submission, and redirection. It helps keep a check on the activities of adversaries.
3. Regular Security Checks: Review security policies for passwords and credential resets on a regular basis. Passwords should be frequently changed.
4. Use Two-Factor Authentication: Enforcing two-factor authentication on all externally accessed enterprise accounts. Two-factor Authentication is the quickest and safest way to prevent phishing attempts and attacks.
A successful cyber-attack can be expensive to recover from, and some organizations may not recover at all. Phishing attacks are becoming more common because they are easy to set up, lucrative, and pose little risk to cybercriminals.
It could be as simple as hosting a malicious website or file or sending spoofed emails to victims. To protect against data loss, theft, or business reputation, advanced security solutions and policies that will block phishing attempts and protect your business from the consequences are recommended.
Just like many of the phishing attacks that are discovered on an everyday basis, Caffeine is yet another addition to the easy choice of cyber attackers. However, as a responsible authority, we must keep our security set-ups up-to-date for protection from phishing by advertisers who keep on finding new ways to remain undetected.