How to be Protected From Caffeine, a Shared Phishing-as-a-Service Platform (PhaaS)

Phishing as a Service (PaaS) is when Cyber criminals become service providers instead of executing cyber-attacks on their own, they provide phishing services for a fee.

A new and unique Shared Phishing-as-a-Service Platform (PhaaS) called Caffeine is in trending now. Caffeine contains many unique features which make it one of the easiest tools for attackers to leverage cyberattacks. Cyber researchers need to be very proactive on how they can be protected from Caffeine.

Caffeine was first spotted by Mandiant while they tried stealing the credentials of a Microsoft 365 account from one of their clients. The first attack was initially observed in March 2022. Mandiant discovered and tested Caffeine and it is known for its ease of use and low barrier of entry. They also shared how to detect Caffeine in any infrastructure.

In this post, we will discuss what is Caffeine, why it is so special, how to detect Caffeine to take protective measures, and how to be protected from Caffeine in the future as well.

What is Phishing as a Service?

Recently, phishing as a service (PhaaS) has become increasingly popular among cybercriminals. PhaaS providers offer turnkey phishing platforms that make it easy for anyone to launch phishing campaigns. These platforms typically include everything needed to set up and run a campaign, including templates, hosting, and support.

PhaaS offers typical subscription-based payment module to help its subscribers to carry out successful phishing attacks. This business model has made PhaaS an attractive option for cybercriminals, as it reduces the risk and overhead associated with launching attacks.

PhaaS has emerged as a significant threat to organizations of all sizes. According to a recent study, 57% of organizations are targeted weekly or daily by PhaaS-based phishing attacks. And these attacks are becoming more sophisticated and challenging to detect.

Organizations need to be aware of the threat posed by PhaaS and take steps to protect themselves. This includes implementing employee security awareness training and technical controls to prevent phishing emails from reaching inboxes.

An Introduction About Caffeine

Caffeine is a recently discovered (in March 2022) shared PhaaS platform that offers self-service techniques to create customized phishing kits, generate dynamic URLs for hosted payloads, manage redirect pages and destination pages, and even track campaign email activity.

Anyone can register to get the benefit of Caffeine services and its intuitive interface and multiple features benefit the user in arranging and running the phishing campaigns smoothly.

What makes Caffeine special?

Major Components of Caffeine

The Caffeine Phishing Platform requires numerous components to be correctly configured and campaign-ready, end-to-end implementation. The main components are be:

The Core Account for Caffeine

Caffeine homepage (Source: Mandiant)

The first step in using Caffeine is setting up a user account like any other modern Software as a Service (SaaS) platform.  While not all PhaaS systems operate this way, Caffeine’s website is accessible to everyone with an internet connection (all you need to know is the URL).

Users may sign up for an account on Caffeine without providing personal information or going through external validation methods (like getting recommended by other users) to gain access.

Licensing

Caffeine Subscription Plans  (Source: Mandiant)

Like most contemporary SaaS systems, Caffeine does not offer support for perpetual use licenses and operates only on a subscription basis. In addition, Caffeine provides three distinct service levels by the concept governing the design of current subscription-based software.

It is essential to notice that the Caffeine subscription models skew toward a little more costly base pricing than some other PhaaS platforms; the standard membership for Caffeine is roughly $250 per month.

Infrastructure of the campaign and configuration

Caffeine  Features  (Source: Mandiant)

Users may tailor their credential phishing campaigns to their own needs with the help of the Caffeine platform’s flexible feature set.

These include, but are not limited to, the aforementioned self-service tools for customizing dynamic URL schemas to aid in the dynamic generation of pages with prospective victim information pre-populated for further campaign chicanery, initial redirect pages for campaigns, and ultimate lure pages. It also has numerous options for blocking connections depending on their origin and IP addresses inside CIDR ranges. 

Fake login page created by Caffeine (Source: Mandiant)

Caffeine is a feature-rich tool which allow users to pick and choose minute configuration settings for using in their credential phishing campaigns. Some advanced features include

What Services does Caffeine Offer to its Clients?

Analysts from Mandiant Managed Defense found malicious actors employing a common Phishing-as-a-Service (PhaaS) platform known as “Caffeine” while investigating phishing activity that targeted clients of Mandiant Managed Defense in the month of March 2022.

This platform offers its criminal customers an easy-to-use interface, reasonable pricing, and a wide variety of capabilities and tools, allowing them to coordinate and automate essential aspects of their phishing campaigns.

These abilities include (but are not limited to) self-service techniques for crafting bespoke phishing kits, managing intermediary redirect sites and final-stage lure pages, dynamically generating URLs for hosting malware payloads, and tracking campaign email activity

How Does Caffeine Operate Its Phishing Campaign?

Following completing the required configuration steps for the attacker’s primary campaign tooling, the attacker must next deploy their tooling (often referred to as “phishing kits”) to the hosted campaign infrastructure.

After that stage, all they needed was to connect their deployed kits to their primary Caffeine account using a unique licensing token. This may be done at any time. Once this stage is reached, an attacker is prepared to begin phishing.

Phishing with Caffeine: Setting the Trap

Phishers use two primary methods to host their harmful information, and they are used in the vast majority of classic phishing attempts. They may employ either hacked or genuine third-party sites and infrastructure to host their content or use purpose-built web infrastructure set up expressly to enable their phishing expeditions.

Dispatching the Phishing

Caffeine provides an email management application (available in Python and PHP) that an attacker may use to create and send phishing emails after configuring the campaign infrastructure.

Caffeine offers customizable HTML files that may be included in the outgoing email and used in combination with the sender tools. This feature is enabled by default. Webmail phishing lures targeting customers of prominent Russian and Chinese services are one of the available alternatives for attackers to employ for the templates of the phishing emails they send out. Other options are also accessible.

Case Study from Mandiant

As per the reports shared by Mandiant, credential theft was the reason behind 9% of cyber-attacks. Mandiant detected Caffeine initially in March 2022. The attack flow as per the research conducted by Mandiant team is as follow:

Mandiant do not have a clear insight on what was the initial Intrusion vector however it is suspected that the attacker might have leveraged the WordPress vulnerabilities

How to Detect Caffeine a Shared Phishing-as-a-Service Platform?

The below given steps will help you know how to detect Caffeine– a shared Phishing-as-a-Service Platform.

Following are the detection techniques that Mandiant suggests for Caffeine detection:

1. Endpoint Detection

This collection of rules is meant to be used as a jumping-off point for hunting efforts to detect phishing infrastructure and activity, but they may need to be modified over time as the threat changes. To make the most of these discoveries, you should apply the Yara rules to local copies of the files that make up your live website. 

These rules are not supposed to be used for real-time monitoring and to inform blocking rules without being validated by an organization’s internal testing processes for ensuring efficient performance and limiting the risks of false positives. To get the details for platform information and relevant YARA rules visit Mandiant post on detecting Caffeine. 

2. Wire Detection

The following domains are essential parts of the architecture of Caffeine’s phishing kits that have been deployed. If you want to make the most of these detections, you should search for unusual network traffic to a group of these sites within the weblogs or in the network traffic that occurs for several minutes.

IoCs Captured by Mandiant

Domains/URLs

This Table Is Created in Evernote By the Author

YARA Rules

rule M_Hunting_JS_Caffeine_Redirect_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "60cae932b80378110d74fe447fa518d6" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide.” 
    strings: 
        $cf1 = "Don't Play Here Kid" ascii wide 
        $cf2 = "mrxc0der" ascii wide 
    condition: 
        all of them 
}

```
rule M_Hunting_PHP_Caffeine_Toolmarks_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = " ce9a17f9aec9bd2d9eca70f82e5e048b" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide.” 
    strings: 
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide 
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide 
    condition: 
        all of them 
}
```

rule M_Hunting_PHP_Caffeine_Obfuscation_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for obfuscated PHP scripts.” 
    strings: 
        $f1 = {3C 3F 70 68 70 } 
        $a1 = "__FILE__));" ascii wide 
        $a2 = "=NULL;@eval" ascii wide 
        $a3 = "))));unset" ascii wide 
    condition: 
        uint16(0) == 0x3F3C and 
            all of them 
}

rule M_Hunting_JSON_Caffeine_Config_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "684b524cef81a9ef802ed3422700ab69" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for default Caffeine configuration syntax. Intentionally wide.” 
    strings: 
        $cf1 = "token" ascii wide 
        $cf2 = "ip-api.io" ascii wide 
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide 
        $cf4 = "send_to_telegram" ascii wide 
        $cf5 = "telegram_user_id" ascii wide 
    condition: 
        all of them 
}

rule M_Hunting_ICO_Caffeine_Favicon_1 
{ 
    meta: 
        author = "adrian.mccabe" 
        md5 = "12e3dac858061d088023b2bd48e2fa96" 
        date_created = "2022-09-22" 
        rev = "1" 
        context = “Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED.” 
    strings: 
        $a1 = { 01 00 06 00 80 } 
        $a2 = "fffffff" ascii wide 
        $a3 = "3333333" ascii wide 
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide 
        $a5 = "UUUPDDD@" ascii wide 
    condition: 
        uint16(1) == 0x0100 and 
            all of them 
}

How to be Protected From Caffeine, a Shared Phishing-as-a-Service Platform?

There are a few things you can take to keep yourself from falling prey to phishing if you are concerned about being a victim of the practice. Caffeine is a shared phishing-as-a-service platform. Thus, one must be aware of the potential risks associated with it.

Caffeine is a tool that can be used for social engineering and gives anybody the ability to design and share phishing campaigns. This method has launched attacks against firms such as Google, Facebook, and Netflix. And people are adopting it at an ever-increasing rate.

If you’ve been searching for how to be protected from Caffeine in the first place, below are some steps that can help.

Phishing is already a significant issue and will only likely become more widespread. You may, however, assist protect yourself and your business from becoming victims of these assaults by following a few elementary safeguards.

Wrap Up

Now that you know what PhaaS is and how it works, and how to be protected from Caffeine, be sure to take these steps to protect yourself from becoming a victim of this type of attack. First, be sure only to visit websites that you trust. If unsure about a website, do not enter personal information or click on any links.

Second, never provide personal information or login credentials in response to an email or pop-up window. These are standard methods used by phishers to collect victims’ information. Finally, keep your antivirus and anti-malware software up to date to help prevent your computer from becoming infected with malware that could be used to launch a PhaaS attack.

We hope this post would help you learn about Caffeine, a shared Phishing-as-a-Service platform, why it is so special, how to detect Caffeine to take protective measures and how to be protected from Caffeine in future as well.. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,  Medium & Instagram, and subscribe to receive updates like this.