Cybersecurity analysts found a phishing-as-a-service platform (PhaaS) that cybercriminals can access for around $250 per month. The Caffeine phishing kit offers unlimited customer support options, anti-detection features and an anti-analysis option to launch phishing attacks on unsuspecting users.
The Caffeine phishing kit
Experts at American cybersecurity company Mandiant detected Caffeine earlier this March and found that it allowed subscribers to select from various configuration settings to customize their attacking maneuver. It also helped create new dynamic URL schemes with malicious payloads and offered options to blacklist specific IP addresses and connections based on their points of origin. A Caffeine phishing kit for phishers allowed managing redirect pages and tracking campaign email activity.
Deployment of Caffeine
Caffeine follows three main steps. First, it accesses a compromised web administrator user account, exploits the vulnerability in the web infrastructure platforms and finally exploits the web application.
Easy to buy
Unlike most other PhaaS platforms, Caffeine allows an open registration facility for hackers, making it accessible to anyone seeking to launch a phishing attack. Moreover, acquiring this phishing kit does not require going through the narrow communication channels of underground forums or encrypted messaging services. It can be bought using any email address. Unlike buying other PhaaS, which require an endorsement or referral from an existing user, Caffeine can be purchased without such hassles. The Caffeine phishing platform includes the following elements:
- Core Caffeine account that a buyer needs to access the kit.
- Campaign infrastructure and configuration
Easy to target Chinese and Russian users
For unknown reasons, Caffeine developers have created special phishing email templates earmarked for attacking Chinese and Russian targets.
A case study
Researchers found Caffeine being used in March, targeting a European architectural consulting firm. A malicious email was sent using a suspicious URL. It was further investigated to get the domain data in the email. It was eduardorodiguez9584[.]ongraphy[.]com, which resolved to IP address 134.209.156[.]27 during the cyber-attack. Upon further research, it was found that the associated phishing domain of the Caffeine platform was not configured correctly. It has been observed that the developers of this phishing kit create newer versions of specific pages to evade detection.