• Home
  • |
  • Blog
  • |
  • How to be Protected From Caffeine, A Shared Phishing-as-a-Service Platform (PhaaS)
How to be Protected From Caffeine, A Shared Phishing-as-a-Service Platform (PhaaS)

Phishing as a Service (PaaS) is when Cyber criminals become service providers instead of executing cyber-attacks on their own, they provide phishing services for a fee.

A new and unique Shared Phishing-as-a-Service Platform (PhaaS) called Caffeine is in trending now. Caffeine contains many unique features which make it one of the easiest tools for attackers to leverage cyberattacks. Cyber researchers need to be very proactive on how they can be protected from Caffeine.

Caffeine was first spotted by Mandiant while they tried stealing credentials of Microsoft 365 account from one of their clients. The first attack was initially observed in March 2022. Mandiant discovered and tested Caffeine and it is known for the ease of use and low barrier of entry. They also shared on how to detect Caffeine in any infrastructure.

In this post we will discuss on what is Caffeine, why it is so special, how to detect Caffeine to take protective measures and how to be protected from Caffeine in future as well.

What is Phishing as a Service?

Recently, phishing as a service (PhaaS) has become increasingly popular among cybercriminals. PhaaS providers offer turnkey phishing platforms that make it easy for anyone to launch phishing campaigns. These platforms typically include everything needed to set up and run a campaign, including templates, hosting, and support.

 PhaaS offers typical subscription based payment module to helps its subscribers to carry out successful phishing attacks. This business model has made PhaaS an attractive option for cybercriminals, as it reduces the risk and overhead associated with launching attacks.

 PhaaS has emerged as a significant threat to organizations of all sizes. According to a recent study, 57% of organizations are targeted weekly or daily by PhaaS-based phishing attacks. And these attacks are becoming more sophisticated and challenging to detect.

 Organizations need to be aware of the threat posed by PhaaS and take steps to protect themselves. This includes implementing employee security awareness training and technical controls to prevent phishing emails from reaching inboxes.

An Introduction About Caffeine

Caffeine is a recently discovered (in March, 2022) a shared PhaaS platform that offers the self-service techniques to create customized phishing kits, generate dynamic URLs for hosted payloads, manage redirect pages and destination pages, and even track campaign email activity. 

Anyone can register to get benefit of Caffeine services and its intuitive interface and multiple features benefit the user in arranging and running the phishing campaigns smoothly.

What makes Caffeine special?

  • Unlike other PhaaS tools Caffeine is a shared Phaas Platform where any attackers can create a direct account without going through the traditional invite/referral or approval from telegram admin or hacking forums.
  • Caffeine provides anti-detection and anti-analysis systems and customer support services.
  • It is subscription based; it is a must requirement to purchase a subscription which ranges from 250$ – 850$ which is slightly on the costlier side.
  • Caffeine provides better templates for targeting Chinese and Russian platforms unlike traditional PhaaS services which target western services.
  • Low-skilled cybercriminals are greatly profited by Caffeine because of the ease of use.

Major Components of Caffeine

The Caffeine Phishing Platform requires numerous components to be correctly configured and campaign-ready, end-to-end implementation. The main components are be: 

  • Core Caffeine account
  • Licensing
  • Campaign infrastructure and configuration

The Core Account for Caffeine

Caffeine homepage (Source: Mandiant)

The first step in using Caffeine is setting up a user account like any other modern Software as a Service (SaaS) platform.  While not all PhaaS systems operate this way, Caffeine’s website is accessible to everyone with an internet connection (all you need to know is the URL).

Users may sign up for an account on Caffeine without providing personal information or going through external validation methods (like getting recommended by other users) to gain access.

Licensing

Caffeine Subscription Plans  (Source: Mandiant)

Like most contemporary SaaS systems, Caffeine does not offer support for perpetual use licenses and operates only on a subscription basis. In addition, Caffeine provides three distinct service levels by the concept governing the design of current subscription-based software.

It is essential to notice that the Caffeine subscription models skew toward a little more costly base pricing than some other PhaaS platforms; the standard membership for Caffeine is roughly $250 per month.

Infrastructure of the campaign and configuration

Caffeine  Features  (Source: Mandiant)

Users may tailor their credential phishing campaigns to their own needs with the help of the Caffeine platform’s flexible feature set.

These include, but are not limited to, the aforementioned self-service tools for customizing dynamic URL schemas to aid in the dynamic generation of pages with prospective victim information pre-populated for further campaign chicanery, initial redirect pages for campaigns, and ultimate lure pages. It also has numerous options for blocking connections depending on their origin and IP addresses inside CIDR ranges. 

Fake login page created by Caffeine (Source: Mandiant)

Caffeine is a feature-rich tool which allow users to pick and choose minute configuration settings for using in their credential phishing campaigns. Some advanced features include

  • Ability to create customized dynamic URL to create dynamic pages prepopulated with victim information.
  • Language based customization of campaigns

What Services does Caffeine Offer to its Clients?

Analysts from Mandiant Managed Defense found malicious actors employing a common Phishing-as-a-Service (PhaaS) platform known as “Caffeine” while investigating phishing activity that targeted clients of Mandiant Managed Defense in the month of March 2022.

This platform offers its criminal customers an easy-to-use interface, reasonable pricing, and a wide variety of capabilities and tools, allowing them to coordinate and automate essential aspects of their phishing campaigns.

These abilities include (but are not limited to) self-service techniques for crafting bespoke phishing kits, managing intermediary redirect sites and final-stage lure pages, dynamically generating URLs for hosting malware payloads, and tracking campaign email activity

How Does Caffeine Operate Its Phishing Campaign?

Following completing the required configuration steps for the attacker’s primary campaign tooling, the attacker must next deploy their tooling (often referred to as “phishing kits”) to the hosted campaign infrastructure.

After that stage, all they needed was to connect their deployed kits to their primary Caffeine account using a unique licensing token. This may be done at any time. Once this stage is reached, an attacker is prepared to begin phishing.

Phishing with Caffeine: Setting the Trap 

Phishers use two primary methods to host their harmful information, and they are used in the vast majority of classic phishing attempts. They may employ either hacked or genuine third-party sites and infrastructure to host their content or use purpose-built web infrastructure set up expressly to enable their phishing expeditions.

Dispatching the Phishing

Caffeine provides an email management application (available in Python and PHP) that an attacker may use to create and send phishing emails after configuring the campaign infrastructure.

Caffeine offers customizable HTML files that may be included in the outgoing email and used in combination with the sender tools. This feature is enabled by default. Webmail phishing lures targeting customers of prominent Russian, and Chinese services are one of the available alternatives for attackers to employ for the templates of the phishing emails they send out. Other options are also accessible.

Case Study from Mandiant

As per the reports shared by Mandiant credential theft was the reason behind 9% of cyber-attacks. Mandiant detected Caffeine initially in March 2022. The attack flow as per the research conducted by Mandiant team is as follow:

  • Managed Defense observed an email sent with malicious URL to a European architectural consulting firm.
  • As per the phishing email the domain contained in it was eduardorodiguez9584[.]ongraphy[.]com (134.209.156[.]27) , this domain was analyzed
  • Domain eduardorodiguez9584[.]ongraphy[.]com redirected to second stage URL oculisticaspizzirri[.]it/fill/ (domain resolution at time of analysis 134.209.156[.]27).
  • This URL lead to a portion of the legitimate website for the medical practice of an Italian ophthalmologist (parent domain oculisticaspizzirri[.]it) which was compromised at that point.

Mandiant do not have a clear insight on what was the initial Intrusion vector however it is suspected that the attacker might have leveraged the WordPress vulnerabilities

How to Detect Caffeine A Shared Phishing-as-a-Service Platform?

The below given steps will help you know how to detect Caffeine– a shared Phishing-as-a-Service Platform.

  • Check your Inbox_ Check your inbox first for any messages that are unexpected or that look suspicious. It’s possible that they were sent from unknown senders or contain links to websites that are new to you. Do not open any attachments or click on any links if you find anything that looks suspicious.
  • Check your Web Browser_ Your next step is to check your web browser’s history to see if any entries are out of the ordinary. Caffeine may have infected your computer if you start seeing unfamiliar URLs or pop-up windows after visiting questionable websites
  • Check for Malware_ You should check for malware on your computer to determine whether or not any harmful files are currently stored there. If you discover anything, get rid of it as soon as possible.

Following are the detection techniques that Mandiant suggests for Caffeine detection:

1. Endpoint Detection 

This collection of rules is meant to be used as a jumping-off point for hunting efforts to detect phishing infrastructure and activity, but they may need to be modified over time as the threat changes. To make the most of these discoveries, you should apply the Yara rules to local copies of the files that make up your live website. 

These rules are not supposed to be used for real-time monitoring and to inform blocking rules without being validated by an organization’s internal testing processes for ensuring efficient performance and limiting the risks of false positives. To get the details for platform information and relevant YARA rules visit Mandiant post on detecting Caffeine. 

2. Wire Detection 

The following domains are essential parts of the architecture of Caffeine’s phishing kits that have been deployed. If you want to make the most of these detections, you should search for unusual network traffic to a group of these sites within the weblogs or in the network traffic that occurs for several minutes.

  1. Caffeines[.]space
  2. Caffeinefiles[.]click
  3. ip-api[.]io
  4. Caffeines[.]store
  5. telegram[.]org

IoCs Captured by Mandiant

Domains/URLs

Domain/URLIP Address ResolutionContextual Notes
Caffeinefiles[.]click104.21.6[.]210An active hosting location for Caffeine platform files. Currently behind Cloudflare.
Caffeines[.]space185.163.46[.]131An inactive hosting location for Caffeine platform files.
Caffeines[.]store104.26.7[.]11The main Caffeine store domain. Currently behind Cloudflare.
ip-api[.]io192.99.71[.]107This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value.
telegram[.]org149.154.167[.]99A legitimate encrypted messaging service used heavily by Caffeine.
This Table Is Created in Evernote By the Author

YARA Rules

rule M_Hunting_JS_Caffeine_Redirect_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "60cae932b80378110d74fe447fa518d6" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide.” 
    strings: 
        $cf1 = "Don't Play Here Kid" ascii wide 
        $cf2 = "mrxc0der" ascii wide 
    condition: 
        all of them 
}
```
rule M_Hunting_PHP_Caffeine_Toolmarks_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = " ce9a17f9aec9bd2d9eca70f82e5e048b" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide.” 
    strings: 
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide 
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide 
    condition: 
        all of them 
}
```
rule M_Hunting_PHP_Caffeine_Obfuscation_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for obfuscated PHP scripts.” 
    strings: 
        $f1 = {3C 3F 70 68 70 } 
        $a1 = "__FILE__));" ascii wide 
        $a2 = "=NULL;@eval" ascii wide 
        $a3 = "))));unset" ascii wide 
    condition: 
        uint16(0) == 0x3F3C and 
            all of them 
}
rule M_Hunting_JSON_Caffeine_Config_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "684b524cef81a9ef802ed3422700ab69" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for default Caffeine configuration syntax. Intentionally wide.” 
    strings: 
        $cf1 = "token" ascii wide 
        $cf2 = "ip-api.io" ascii wide 
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide 
        $cf4 = "send_to_telegram" ascii wide 
        $cf5 = "telegram_user_id" ascii wide 
    condition: 
        all of them 
}
rule M_Hunting_ICO_Caffeine_Favicon_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "12e3dac858061d088023b2bd48e2fa96" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED.” 
    strings: 
        $a1 = { 01 00 06 00 80 } 
        $a2 = "fffffff" ascii wide 
        $a3 = "3333333" ascii wide 
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide 
        $a5 = "[email protected]" ascii wide 
    condition: 
        uint16(1) == 0x0100 and 
            all of them 
}

How to be Protected From Caffeine, A Shared Phishing-as-a-Service Platform?

There are a few things you can take to keep yourself from falling prey to phishing if you are concerned about being a victim of the practice. Caffeine is a shared phishing-as-a-service platform. Thus, one must be aware of the potential risks associated with it.

Caffeine is a tool that can be used for social engineering and gives anybody the ability to design and share phishing campaigns. This method has launched attacks against firms such as Google, Facebook, and Netflix. And people are adopting it at an ever-increasing rate.

If you’ve been searching for how to be protected from Caffeine in the first place, below are some steps that can help.

  1. Be conscious of the potential risks: Be aware that phishing attacks involving Caffeine exist and are being launched using it.
  2. Do not open random links or attachments: Exercise extreme caution in opening attachments or clicking on links sent by unknown senders. If you get an email and are unsure as to its legitimacy, you should always err on the side of caution and refrain from clicking on anything it contains.
  3. Use the most recent version of Antivirus and Anti-malware software: This will protect you from any potentially harmful attachments or links sent in your direction.
  4. Two-factor Authentication: Whenever feasible, enable two-factor authentication, often known as 2FA. This protects your accounts and might help ward off phishing scams.
  5. Notify the relevant department: Notify your IT department or security team about any questionable emails or efforts to phish you may have received. You may aid in the prevention of others being victims of the same incident by acting in this manner.

Phishing is already a significant issue and will only likely become more widespread. You may, however, assist protect yourself and your business from becoming victims of these assaults by following a few elementary safeguards.

Wrap Up

Now that you know what PhaaS is and how it works, and how to be protected from Caffeine, be sure to take these steps to protect yourself from becoming a victim of this type of attack. First, be sure only to visit websites that you trust. If unsure about a website, do not enter personal information or click on any links.

Second, never provide personal information or login credentials in response to an email or pop-up window. These are standard methods used by phishers to collect victims’ information. Finally, keep your antivirus and anti-malware software up to date to help prevent your computer from becoming infected with malware that could be used to launch a PhaaS attack.

We hope this post will help you learn about Caffeine, a shared Phishing-as-a-Service platform, why it is so special, how to detect Caffeine to take protective measures and how to be protected from Caffeine in future as well.. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.  

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.