A recently uncovered phishing-as-a-service platform called Caffeine is unique in its accessibility for cybercriminals to further leverage in attacks, featuring an entirely open registration process and templates earmarked for use against Chinese and Russian targets.
Though the underground economy that facilitates phishing attacks is nothing new, Caffeine’s ready-made features for cybercriminals make it stand out when compared to other phishing-as-a-service platforms, where cybercriminals can rent resources from providers who then handle the legwork. Many other platforms require an endorsement or referral through existing users, or work directly through underground forums or encrypted messaging services, but Caffeine lowers the barrier to entry for cybercriminals by allowing anyone with an email to register for its services, said researchers with Mandiant.
“This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns,” said Adrian McCabe and Steve Sedotto with Mandiant in a Monday analysis. “These features include (but are not limited to) self-service mechanisms to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity.”
The Caffeine phishing platform was first seen in an email in March that was sent to an unnamed European architectural consulting firm as part of a broader distributed campaign. The email’s contents weren’t fully recovered, but researchers were able to analyze the domain data associated with the email’s URL, which after several redirects led to a compromised portion of a legitimate site for the medical practice of an Italian ophthalmologist. The domain page, which no longer appears to be compromised, was misconfigured by the attacker; instead of showing a final lure page prompting the user for their login credentials, it displayed an error message and offered attackers a support link for help with the issue.
“While this shows an admirable dedication to user experience on the part of the Caffeine engineers, the provided link to create a support ticket is also a direct link to the support page within the Caffeine platform,” said researchers. “In the event a user accessing the support URL is not logged in as a configured user of the platform at the time they access the link, they are simply redirected to the Caffeine login page.”
“Traditional phishing techniques continue to be a reliable Initial Intrusion Vector for cyberattacks, and, as demonstrated by the Caffeine PhaaS platform, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries."
Upon further inspection, researchers found that Caffeine comes with a licensing model that is fully subscription based, with different tiers of service, and the option to register for a Core Caffeine account. The latter is "somewhat unique" in that the website is open to the public and registering for an account requires no disclosure of information or external validation mechanisms, which is typically the case with other platforms, said researchers.
Caffeine’s administrators have also taken steps to flesh out the platform with the announcement of several key updates, such as more accepted cryptocurrencies and feature updates. The infrastructure of the platform allows users to customize configuration settings, including the ability to tweak dynamic URL schemas with redirect pages, final lure pages and pages with certain victim information pre-populated. Additionally, “by default, Caffeine provides configurable HTML files to embed in outgoing email used in conjunction with the aforementioned sender utilities,” said researchers. “Several options are available for attackers to use for their phishing email templates, including webmail phishing lures targeting users of major Russian and Chinese services.”
Though they are relying on easy-to-use available phishing-as-a-service platforms or one-time-purchase phishing kits, threat actors are also looking to step up their game when it comes to phishing attacks, particularly in response to advancements in automated detection methods by email security protection platforms. A North Korean threat actor called Zinc, for example, was seen launching phishing campaigns that delivered trojanized versions of legitimate open source applications to compromise targets inside technology, media, and other companies, while APT29 was observed using Atlassian’s Trello service in phishing attacks to evade detection.
Mandiant researchers recommended that enterprise organizations take several steps to protect against phishing attacks, including the implementation of two-factor authentication; the use of behavioral analytics for web logs analysis to include initial URL structure, form submissions and redirections; and the periodic evaluation of public-facing web infrastructure and files against known legitimate versions of the content.
“Traditional phishing techniques continue to be a reliable Initial Intrusion Vector for cyberattacks, and, as demonstrated by the Caffeine PhaaS platform, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries,” said researchers.