Phishing as a Service (PhaaS) is when cybercriminals become service providers instead of executing cyber-attacks on their own: they provide phishing services for a fee.
A new and unique shared Phishing-as-a-Service (PhaaS) platform called Caffeine is trending now. Caffeine contains many unique features that make it one of the easiest tools for attackers to use when launching cyberattacks. Security teams need to be proactive about how they can protect themselves from Caffeine.
Caffeine was first spotted by Mandiant while investigating an attempt to steal the Microsoft 365 credentials of one of its clients. The first attack was initially observed in March 2022. Mandiant discovered and tested Caffeine, and it is known for its ease of use and low barrier to entry. Mandiant also shared how to detect Caffeine in any infrastructure.
In this post, we will discuss what is Caffeine, why it is so special, how to detect Caffeine to take protective measures, and how to be protected from Caffeine in the future as well.
Recently, phishing as a service (PhaaS) has become increasingly popular among cybercriminals. PhaaS providers offer turnkey phishing platforms that make it easy for anyone to launch phishing campaigns. These platforms typically include everything needed to set up and run a campaign, including templates, hosting, and support.
PhaaS typically offers a subscription-based payment model to help its subscribers carry out successful phishing attacks. This business model has made PhaaS an attractive option for cybercriminals, as it reduces the risk and overhead associated with launching attacks.
PhaaS has emerged as a significant threat to organizations of all sizes. According to a recent study, 57% of organizations are targeted weekly or daily by PhaaS-based phishing attacks. And these attacks are becoming more sophisticated and challenging to detect.
Organizations need to be aware of the threat posed by PhaaS and take steps to protect themselves. This includes implementing employee security awareness training and technical controls to prevent phishing emails from reaching inboxes.
Caffeine is a recently discovered (in March 2022) shared PhaaS platform that offers self-service techniques to create customized phishing kits, generate dynamic URLs for hosted payloads, manage redirect pages and destination pages, and even track campaign email activity.
Anyone can register to get the benefit of Caffeine services and its intuitive interface and multiple features benefit the user in arranging and running the phishing campaigns smoothly.
Unlike other PhaaS tools, Caffeine is a shared PhaaS platform where any attacker can create an account directly, without going through the traditional invite/referral process or approval from a Telegram admin or hacking forum.
Caffeine provides anti-detection and anti-analysis systems and customer support services.
It is subscription based; purchasing a subscription is a hard requirement, and prices range from $250 to $850, which is slightly on the costlier side.
Caffeine provides better templates for targeting Chinese and Russian platforms, unlike traditional PhaaS services, which target Western services.
Low-skilled cybercriminals profit greatly from Caffeine because of its ease of use.
The Caffeine phishing platform requires numerous components to be correctly configured before a campaign is ready for end-to-end use. The main components are:
Core Caffeine account
Licensing
Campaign infrastructure and configuration
Caffeine homepage (Source: Mandiant)
The first step in using Caffeine is setting up a user account like any other modern Software as a Service (SaaS) platform. While not all PhaaS systems operate this way, Caffeine’s website is accessible to everyone with an internet connection (all you need to know is the URL).
Users may sign up for an account on Caffeine without providing personal information or going through external validation methods (like getting recommended by other users) to gain access.
Caffeine Subscription Plans (Source: Mandiant)
Like most contemporary SaaS systems, Caffeine does not offer perpetual-use licenses and operates only on a subscription basis. In addition, Caffeine provides three distinct service levels, in line with the design of current subscription-based software.
It is worth noting that Caffeine's subscription models skew toward a slightly higher base price than some other PhaaS platforms; the standard membership for Caffeine is roughly $250 per month.
Caffeine Features (Source: Mandiant)
Users may tailor their credential phishing campaigns to their own needs with the help of the Caffeine platform’s flexible feature set.
These include, but are not limited to, the aforementioned self-service tools for customizing dynamic URL schemas to aid in the dynamic generation of pages with prospective victim information pre-populated for further campaign chicanery, initial redirect pages for campaigns, and ultimate lure pages. It also has numerous options for blocking connections depending on their origin and IP addresses inside CIDR ranges.
Fake login page created by Caffeine (Source: Mandiant)
Caffeine is a feature-rich tool that allows users to pick and choose fine-grained configuration settings for use in their credential phishing campaigns. Some advanced features include:
Ability to create customized dynamic URLs to create dynamic pages prepopulated with victim information.
Language-based customization of campaigns
Analysts from Mandiant Managed Defense found malicious actors employing a common Phishing-as-a-Service (PhaaS) platform known as “Caffeine” while investigating phishing activity that targeted clients of Mandiant Managed Defense in the month of March 2022.
This platform offers its criminal customers an easy-to-use interface, reasonable pricing, and a wide variety of capabilities and tools, allowing them to coordinate and automate essential aspects of their phishing campaigns.
These abilities include (but are not limited to) self-service techniques for crafting bespoke phishing kits, managing intermediary redirect sites and final-stage lure pages, dynamically generating URLs for hosted payloads, and tracking campaign email activity.
After completing the required configuration steps for the primary campaign tooling, the attacker must next deploy that tooling (often referred to as "phishing kits") to the hosted campaign infrastructure.
After that stage, all they need to do is connect their deployed kits to their primary Caffeine account using a unique licensing token. This may be done at any time. Once this stage is reached, an attacker is prepared to begin phishing.
Phishers use two primary methods to host their malicious content, and these are used in the vast majority of classic phishing attempts. They may employ either compromised or legitimate third-party sites and infrastructure to host their content, or use purpose-built web infrastructure set up expressly to support their phishing campaigns.
Caffeine provides an email management application (available in Python and PHP) that an attacker may use to create and send phishing emails after configuring the campaign infrastructure.
Caffeine offers customizable HTML files that may be included in the outgoing email and used in combination with the sender tools. This feature is enabled by default. Webmail phishing lures targeting customers of prominent Russian and Chinese services are one of the available alternatives for attackers to employ for the templates of the phishing emails they send out. Other options are also accessible.
As per the reports shared by Mandiant, credential theft was the reason behind 9% of cyber-attacks. Mandiant detected Caffeine initially in March 2022. The attack flow, according to the research conducted by the Mandiant team, is as follows:
Managed Defense observed an email containing a malicious URL sent to a European architectural consulting firm.
The domain contained in the phishing email was eduardorodiguez9584[.]ongraphy[.]com (134.209.156[.]27); this domain was analyzed.
Domain eduardorodiguez9584[.]ongraphy[.]com redirected to the second-stage URL oculisticaspizzirri[.]it/fill/ (domain resolution at time of analysis 134.209.156[.]27).
This URL led to a portion of the legitimate website for the medical practice of an Italian ophthalmologist (parent domain oculisticaspizzirri[.]it), which was compromised at that point.
Mandiant does not have clear insight into the initial intrusion vector; however, it is suspected that the attacker might have leveraged WordPress vulnerabilities.
The steps below will help you detect Caffeine, a shared Phishing-as-a-Service platform.
Check your inbox: Check your inbox first for any messages that are unexpected or that look suspicious. They may have been sent from unknown senders or contain links to websites that are new to you. Do not open any attachments or click on any links if you find anything that looks suspicious.
Check your web browser: Your next step is to check your web browser's history to see if any entries are out of the ordinary. Caffeine may have infected your computer if you start seeing unfamiliar URLs or pop-up windows after visiting questionable websites.
Check for malware: You should check for malware on your computer to determine whether any harmful files are currently stored there. If you discover anything, get rid of it as soon as possible.
Following are the detection techniques that Mandiant suggests for Caffeine detection:
This collection of rules is meant to be used as a jumping-off point for hunting efforts to detect phishing infrastructure and activity, but they may need to be modified over time as the threat changes. To make the most of these detections, you should apply the YARA rules to local copies of the files that make up your live website.
These rules are not meant to drive real-time monitoring or blocking without first being validated by an organization's internal testing processes, to ensure efficient performance and limit the risk of false positives. For platform details and the relevant YARA rules, visit Mandiant's post on detecting Caffeine.
The following domains are essential parts of the architecture of deployed Caffeine phishing kits. To make the most of these detections, search for unusual network traffic to a group of these sites within web logs or network traffic occurring within a window of several minutes.
Caffeines[.]space
Caffeinefiles[.]click
ip-api[.]io
Caffeines[.]store
telegram[.]org
IoCs Captured by Mandiant
Domains/URLs
| Domain/URL | IP Address Resolution | Contextual Notes |
|---|---|---|
| Caffeinefiles[.]click | 104.21.6[.]210 | An active hosting location for Caffeine platform files. Currently behind Cloudflare. |
| Caffeines[.]space | 185.163.46[.]131 | An inactive hosting location for Caffeine platform files. |
| Caffeines[.]store | 104.26.7[.]11 | The main Caffeine store domain. Currently behind Cloudflare. |
| ip-api[.]io | 192.99.71[.]107 | A seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value. |
| telegram[.]org | 149.154.167[.]99 | A legitimate encrypted messaging service used heavily by Caffeine. |
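The co-occurrence hunt described above (several of the listed domains contacted by one client within a few minutes, with ip-api[.]io and telegram[.]org counting only alongside other hits) can be scripted over proxy logs. The following is an added example, not Mandiant's or the original post's code; the simplified log format, the five-minute window and the severity scoring are assumptions, while the domains come from the table above.

```python
"""Correlate proxy-log lines against the Caffeine domain cluster listed above.
Added example, not Mandiant's or the original post's code; log format and window are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

CAFFEINE_DOMAINS = {"caffeines.space", "caffeinefiles.click", "caffeines.store"}  # IoC table above
CONTEXT_DOMAINS = {"ip-api.io", "telegram.org"}  # legitimate; meaningful only alongside other hits
WINDOW = timedelta(minutes=5)  # assumed correlation window
RANK = {"low": 1, "medium": 2, "high": 3}


def parse_line(line):
    """Constructed log format: '2022-09-22T10:01:03 10.0.0.5 ip-api.io' -> (ts, client, host)."""
    ts, client, host = line.split()
    return datetime.fromisoformat(ts), client, host.lower().rstrip(".")


def score(hosts):
    """Severity of the indicator domains seen together in one window, or None."""
    direct, context = hosts & CAFFEINE_DOMAINS, hosts & CONTEXT_DOMAINS
    if direct:
        return "high" if context else "medium"  # kit domain, with or without its dependencies
    return "low" if len(context) == 2 else None  # ip-api.io and telegram.org alone: weak signal


def find_clusters(lines, window=WINDOW):
    """Return {client: (severity, sorted domains)} where indicator hits co-occur within `window`."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        if host in CAFFEINE_DOMAINS or host in CONTEXT_DOMAINS:
            by_client[client].append((ts, host))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        best = None
        for i, (start, _) in enumerate(events):  # slide the window forward from each hit
            hosts = {h for t, h in events[i:] if t - start <= window}
            sev = score(hosts)
            if sev and (best is None or RANK[sev] > RANK[best[0]]):
                best = (sev, sorted(hosts))
        if best:
            flagged[client] = best
    return flagged


# Constructed sample: 10.0.0.5 shows the full cluster; 10.0.0.9 hits both context domains 87 min apart.
SAMPLE_LOG = """\
2022-09-22T10:00:01 10.0.0.5 www.example.com
2022-09-22T10:01:03 10.0.0.5 ip-api.io
2022-09-22T10:01:04 10.0.0.5 caffeinefiles.click
2022-09-22T10:02:10 10.0.0.5 telegram.org
2022-09-22T10:03:00 10.0.0.9 telegram.org
2022-09-22T11:30:00 10.0.0.9 ip-api.io
""".splitlines()

if __name__ == "__main__":
    print(find_clusters(SAMPLE_LOG))  # only 10.0.0.5 is flagged, as "high"
```

Real proxy or DNS logs will need their own parser in place of `parse_line`; the defanged `[.]` in the table must also be restored before matching.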
YARA Rules
```
rule M_Hunting_JS_Caffeine_Redirect_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "60cae932b80378110d74fe447fa518d6"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide."
    strings:
        $cf1 = "Don't Play Here Kid" ascii wide
        $cf2 = "mrxc0der" ascii wide
    condition:
        all of them
}
```

```
rule M_Hunting_PHP_Caffeine_Toolmarks_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide."
    strings:
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide
    condition:
        all of them
}
```

```
rule M_Hunting_PHP_Caffeine_Obfuscation_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for obfuscated PHP scripts."
    strings:
        $f1 = { 3C 3F 70 68 70 }
        $a1 = "__FILE__));" ascii wide
        $a2 = "=NULL;@eval" ascii wide
        $a3 = "))));unset" ascii wide
    condition:
        uint16(0) == 0x3F3C and
        all of them
}
```

```
rule M_Hunting_JSON_Caffeine_Config_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "684b524cef81a9ef802ed3422700ab69"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for default Caffeine configuration syntax. Intentionally wide."
    strings:
        $cf1 = "token" ascii wide
        $cf2 = "ip-api.io" ascii wide
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide
        $cf4 = "send_to_telegram" ascii wide
        $cf5 = "telegram_user_id" ascii wide
    condition:
        all of them
}
```

```
rule M_Hunting_ICO_Caffeine_Favicon_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "12e3dac858061d088023b2bd48e2fa96"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED."
    strings:
        $a1 = { 01 00 06 00 80 }
        $a2 = "fffffff" ascii wide
        $a3 = "3333333" ascii wide
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide
        $a5 = "UUUPDDD@" ascii wide
    condition:
        uint16(1) == 0x0100 and
        all of them
}
```
There are a few steps you can take to keep yourself from falling prey to phishing if you are concerned about becoming a victim. Caffeine is a shared phishing-as-a-service platform, so one must be aware of the potential risks associated with it.
Caffeine is a tool that can be used for social engineering and gives anybody the ability to design and share phishing campaigns. Campaigns built with it have targeted firms such as Google, Facebook, and Netflix, and people are adopting it at an ever-increasing rate.
If you’ve been searching for how to be protected from Caffeine in the first place, below are some steps that can help.
Be conscious of the potential risks: Be aware that phishing attacks involving Caffeine exist and are being launched using it.
Do not open random links or attachments: Exercise extreme caution in opening attachments or clicking on links sent by unknown senders. If you get an email and are unsure as to its legitimacy, you should always err on the side of caution and refrain from clicking on anything it contains.
Use the most recent version of Antivirus and Anti-malware software: This will protect you from any potentially harmful attachments or links sent in your direction.
Two-factor Authentication: Whenever feasible, enable two-factor authentication, often known as 2FA. This protects your accounts and might help ward off phishing scams.
Notify the relevant department: Notify your IT department or security team about any questionable emails or efforts to phish you may have received. You may aid in the prevention of others being victims of the same incident by acting in this manner.
Phishing is already a significant issue and will only become more widespread. You can, however, help protect yourself and your business from these attacks by following a few elementary safeguards.
Now that you know what PhaaS is and how it works, and how to be protected from Caffeine, be sure to take these steps to protect yourself from becoming a victim of this type of attack. First, be sure only to visit websites that you trust. If unsure about a website, do not enter personal information or click on any links.
Second, never provide personal information or login credentials in response to an email or pop-up window. These are standard methods used by phishers to collect victims’ information. Finally, keep your antivirus and anti-malware software up to date to help prevent your computer from becoming infected with malware that could be used to launch a PhaaS attack.
We hope this post has helped you learn about Caffeine, a shared Phishing-as-a-Service platform: why it is so special, how to detect Caffeine in order to take protective measures, and how to be protected from Caffeine in the future as well. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.